Fixing security bug 134315. Make sure we clear the JS scope in cases where it's needed. r=mstoltz@netscape.com, sr=brendan@mozilla.org

content/base/src/nsDocumentViewer.cpp

@@ -1463,7 +1463,7 @@ DocumentViewerImpl::InitInternal(nsIWidget* aParentWidget,
         nsCOMPtr<nsIDOMDocument> domdoc(do_QueryInterface(mDocument));
 
         if (domdoc) {
-          global->SetNewDocument(domdoc, PR_TRUE);
+          global->SetNewDocument(domdoc, PR_TRUE, PR_TRUE);
         }
       }
     }
@@ -1634,7 +1634,7 @@ DocumentViewerImpl::Close()
     mDocument->GetScriptGlobalObject(getter_AddRefs(globalObject));
 
     if (globalObject) {
-      globalObject->SetNewDocument(nsnull, PR_TRUE);
+      globalObject->SetNewDocument(nsnull, PR_TRUE, PR_TRUE);
     }
 
     // out of band cleanup of webshell
@@ -1786,7 +1786,7 @@ DocumentViewerImpl::SetDOMDocument(nsIDOMDocument *aDocument)
 
   if (global) {
     mDocument->SetScriptGlobalObject(global);
-    global->SetNewDocument(aDocument, PR_TRUE);
+    global->SetNewDocument(aDocument, PR_TRUE, PR_TRUE);
 
     rv = SyncParentSubDocMap();
     NS_ENSURE_SUCCESS(rv, rv);

content/html/document/src/nsHTMLDocument.cpp

@@ -2399,7 +2399,8 @@ nsHTMLDocument::OpenCommon(nsIURI* aSourceURL)
     nsCOMPtr<nsIDOMDocument> kungFuDeathGrip =
       do_QueryInterface((nsIHTMLDocument*)this);
 
-    result = mScriptGlobalObject->SetNewDocument(kungFuDeathGrip, PR_FALSE);
+    result = mScriptGlobalObject->SetNewDocument(kungFuDeathGrip, PR_FALSE,
+                                                 PR_FALSE);
 
     if (NS_FAILED(result))
       return result;

content/xbl/src/nsXBLDocumentInfo.cpp

@@ -1,3 +1,41 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla Communicator client code.
+ *
+ * The Initial Developer of the Original Code is 
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the NPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the NPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 #include "nsXBLDocumentInfo.h"
 #include "nsHashtable.h"
 #include "nsIDocument.h"
@@ -28,7 +66,8 @@ public:
   NS_IMETHOD SetContext(nsIScriptContext *aContext);
   NS_IMETHOD GetContext(nsIScriptContext **aContext);
   NS_IMETHOD SetNewDocument(nsIDOMDocument *aDocument,
-                            PRBool removeEventListeners);
+                            PRBool aRemoveEventListeners,
+                            PRBool aClearScope);
   NS_IMETHOD SetDocShell(nsIDocShell *aDocShell);
   NS_IMETHOD GetDocShell(nsIDocShell **aDocShell);
   NS_IMETHOD SetOpenerWindow(nsIDOMWindowInternal *aOpener);
@@ -183,7 +222,8 @@ nsXBLDocGlobalObject::GetContext(nsIScriptContext **aContext)
 
 NS_IMETHODIMP
 nsXBLDocGlobalObject::SetNewDocument(nsIDOMDocument *aDocument,
-                                     PRBool removeEventListeners)
+                                     PRBool aRemoveEventListeners,
+                                     PRBool aClearScope)
 {
   NS_NOTREACHED("waaah!");
   return NS_ERROR_UNEXPECTED;

dom/public/nsIScriptGlobalObject.h

@@ -64,12 +64,13 @@ class nsIScriptGlobalObject : public nsISupports {
 public:
   NS_DEFINE_STATIC_IID_ACCESSOR(NS_ISCRIPTGLOBALOBJECT_IID)
 
-  NS_IMETHOD       SetContext(nsIScriptContext *aContext)=0;
-  NS_IMETHOD       GetContext(nsIScriptContext **aContext)=0;
+  NS_IMETHOD       SetContext(nsIScriptContext *aContext) = 0;
+  NS_IMETHOD       GetContext(nsIScriptContext **aContext) = 0;
   NS_IMETHOD       SetNewDocument(nsIDOMDocument *aDocument,
-                                  PRBool removeEventListeners)=0;
-  NS_IMETHOD       SetDocShell(nsIDocShell *aDocShell)=0;
-  NS_IMETHOD       GetDocShell(nsIDocShell **aDocShell)=0;
+                                  PRBool aRemoveEventListeners,
+                                  PRBool aClearScope) = 0;
+  NS_IMETHOD       SetDocShell(nsIDocShell *aDocShell) = 0;
+  NS_IMETHOD       GetDocShell(nsIDocShell **aDocShell) = 0;
   NS_IMETHOD       SetOpenerWindow(nsIDOMWindowInternal *aOpener)=0;
 
     /**

dom/src/base/nsGlobalWindow.cpp

@@ -349,7 +349,8 @@ GlobalWindowImpl::GetContext(nsIScriptContext ** aContext)
 
 NS_IMETHODIMP
 GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
-                                 PRBool removeEventListeners)
+                                 PRBool aRemoveEventListeners,
+                                 PRBool aClearScopeHint)
 {
   if (!aDocument) {
     if (mDocument) {
@@ -388,6 +389,11 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
     NS_RELEASE(mNavigator);
   }
 
+  if (mSidebar) {
+    mSidebar->SetWindow(nsnull);
+    mSidebar = nsnull;
+  }
+
   if (mFirstDocumentLoad) {
     if (aDocument) {
       mFirstDocumentLoad = PR_FALSE;
@@ -446,7 +452,7 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
       doc = nsnull;             // Forces release now
     }
 
-    if (removeEventListeners && mListenerManager) {
+    if (aRemoveEventListeners && mListenerManager) {
       mListenerManager->RemoveAllListeners(PR_FALSE);
       mListenerManager = nsnull;
     }
@@ -454,23 +460,16 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
     if (docURL) {
       nsCAutoString url;
 
-      docURL->GetSpec(url);
+      if (!aClearScopeHint) {
+        docURL->GetSpec(url);
+      }
 
-      //about:blank URL's do not have ClearScope called on page change.
-      if (strcmp(url.get(), "about:blank") != 0) {
+      if (aClearScopeHint || !url.Equals(NS_LITERAL_CSTRING("about:blank"))) {
+        // aClearScopeHint is true, or the current document is *not*
+        // about:blank, clear timeouts and clear the scope.
         ClearAllTimeouts();
 
-        if (mSidebar) {
-          mSidebar->SetWindow(nsnull);
-          mSidebar = nsnull;
-        }
-
         if (mContext && mJSObject) {
-//      if (mContext && mJSObject && aDocument) {
-//      not doing this unless there's a new document prevents a closed window's
-//      JS properties from going away (that's good) and causes everything,
-//      and I mean everything, to be leaked (that's bad)
-
           ::JS_ClearScope((JSContext *)mContext->GetNativeContext(),
                           mJSObject);
 
@@ -478,9 +477,6 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
         }
       }
     }
-
-    //XXX Should this be outside the about:blank clearscope exception?
-    mDocument = nsnull;         // Forces Release
   }
 
   if (mContext && aDocument) {
@@ -5680,7 +5676,6 @@ NavigatorImpl::Preference()
       STRING_TO_JSVAL(::JS_InternString(cx, "preferenceinternal"));
   }
 
-  NS_ENSURE_SUCCESS(rv, rv);
   PRUint32 action;
   if (argc == 1) {
       action = nsIXPCSecurityManager::ACCESS_GET_PROPERTY;

dom/src/base/nsGlobalWindow.h

@@ -129,7 +129,8 @@ public:
   NS_IMETHOD SetContext(nsIScriptContext *aContext);
   NS_IMETHOD GetContext(nsIScriptContext **aContext);
   NS_IMETHOD SetNewDocument(nsIDOMDocument *aDocument,
-                            PRBool removeEventListeners);
+                            PRBool aRemoveEventListeners,
+                            PRBool aClearScopeHint);
   NS_IMETHOD SetDocShell(nsIDocShell* aDocShell);
   NS_IMETHOD GetDocShell(nsIDocShell** aDocShell);
   NS_IMETHOD SetOpenerWindow(nsIDOMWindowInternal *aOpener);

layout/base/nsDocumentViewer.cpp

@@ -1463,7 +1463,7 @@ DocumentViewerImpl::InitInternal(nsIWidget* aParentWidget,
         nsCOMPtr<nsIDOMDocument> domdoc(do_QueryInterface(mDocument));
 
         if (domdoc) {
-          global->SetNewDocument(domdoc, PR_TRUE);
+          global->SetNewDocument(domdoc, PR_TRUE, PR_TRUE);
         }
       }
     }
@@ -1634,7 +1634,7 @@ DocumentViewerImpl::Close()
     mDocument->GetScriptGlobalObject(getter_AddRefs(globalObject));
 
     if (globalObject) {
-      globalObject->SetNewDocument(nsnull, PR_TRUE);
+      globalObject->SetNewDocument(nsnull, PR_TRUE, PR_TRUE);
     }
 
     // out of band cleanup of webshell
@@ -1786,7 +1786,7 @@ DocumentViewerImpl::SetDOMDocument(nsIDOMDocument *aDocument)
 
   if (global) {
     mDocument->SetScriptGlobalObject(global);
-    global->SetNewDocument(aDocument, PR_TRUE);
+    global->SetNewDocument(aDocument, PR_TRUE, PR_TRUE);
 
     rv = SyncParentSubDocMap();
     NS_ENSURE_SUCCESS(rv, rv);

modules/plugin/base/src/nsPluginViewer.cpp

@@ -334,7 +334,7 @@ PluginViewerImpl::StartLoad(nsIRequest* request, nsIStreamListener*& aResult)
         mDocument->SetScriptGlobalObject(global);
         nsCOMPtr<nsIDOMDocument> domdoc(do_QueryInterface(mDocument));
         if (domdoc)
-          global->SetNewDocument(domdoc, PR_TRUE);
+          global->SetNewDocument(domdoc, PR_TRUE, PR_TRUE);
       }
 
     }