diff options
-rw-r--r-- | dom/events/DataTransfer.cpp | 8 | ||||
-rw-r--r-- | toolkit/components/places/PlacesUtils.jsm | 10 |
2 files changed, 14 insertions, 4 deletions
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp index 40a0f42e6..35e80fea4 100644 --- a/dom/events/DataTransfer.cpp +++ b/dom/events/DataTransfer.cpp @@ -39,6 +39,7 @@ #include "mozilla/dom/OSFileSystem.h" #include "mozilla/dom/Promise.h" #include "nsNetUtil.h" +#include "nsReadableUtils.h" namespace mozilla { namespace dom { @@ -644,6 +645,13 @@ DataTransfer::PrincipalMaySetData(const nsAString& aType, NS_WARNING("Disallowing adding x-moz-file or x-moz-file-promize types to DataTransfer"); return false; } + + // Disallow content from creating x-moz-place flavors, so that it cannot + // create fake Places smart queries exposing user data. + if (StringBeginsWith(aType, NS_LITERAL_STRING("text/x-moz-place"))) { + NS_WARNING("Disallowing adding moz-place types to DataTransfer"); + return false; + } } return true; } diff --git a/toolkit/components/places/PlacesUtils.jsm b/toolkit/components/places/PlacesUtils.jsm index fc303ca8a..323fa41a1 100644 --- a/toolkit/components/places/PlacesUtils.jsm +++ b/toolkit/components/places/PlacesUtils.jsm @@ -908,6 +908,7 @@ this.PlacesUtils = { * @param type * The content type of the blob. * @returns An array of objects representing each item contained by the source. + * @throws if the blob contains invalid data. */ unwrapNodes: function PU_unwrapNodes(blob, type) { // We split on "\n" because the transferable system converts "\r\n" to "\n" @@ -939,7 +940,7 @@ this.PlacesUtils = { catch (e) {} } // note: this._uri() will throw if uriString is not a valid URI - if (this._uri(uriString)) { + if (this._uri(uriString) && this._uri(uriString).scheme != "place") { nodes.push({ uri: uriString, title: titleString ? titleString : uriString, type: this.TYPE_X_MOZ_URL }); @@ -952,11 +953,12 @@ this.PlacesUtils = { for (let i = 0; i < parts.length; i++) { let uriString = parts[i]; // text/uri-list is converted to TYPE_UNICODE but it could contain - // comments line prepended by #, we should skip them - if (uriString.substr(0, 1) == '\x23') + // comments line prepended by #, we should skip them, as well as + // empty URIs + if (uriString.substr(0, 1) == '\x23' || uriString == "") continue; // note: this._uri() will throw if uriString is not a valid URI - if (uriString != "" && this._uri(uriString)) + if (this._uri(uriString).scheme != "place") nodes.push({ uri: uriString, title: uriString, type: this.TYPE_X_MOZ_URL }); |