Backed out 5 changesets (bug 1427726) for failing linux asan at modules/libjar/test/unit/test_bug407303.js on a CLOSED TREE

Backed out changeset ee9abd6f1ba5 (bug 1427726) Backed out changeset b1b76f9dff73 (bug 1427726) Backed out changeset f41cf7811770 (bug 1427726) Backed out changeset cb35e7b10235 (bug 1427726) Backed out changeset 753ece6c9f1b (bug 1427726)
2018-04-11 12:46:20 +03:00
parent 64fae76bf6
commit 7f039f8dd4
29 changed files with 546 additions and 45 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1609,6 +1609,24 @@ nsDocShell::GetParentCharset(const Encoding*& aCharset,
  NS_IF_ADDREF(*aPrincipal = mParentCharsetPrincipal);
 }

+NS_IMETHODIMP
+nsDocShell::GetChannelIsUnsafe(bool* aUnsafe)
+{
+  *aUnsafe = false;
+
+  nsIChannel* channel = GetCurrentDocChannel();
+  if (!channel) {
+    return NS_OK;
+  }
+
+  nsCOMPtr<nsIJARChannel> jarChannel = do_QueryInterface(channel);
+  if (!jarChannel) {
+    return NS_OK;
+  }
+
+  return jarChannel->GetIsUnsafe(aUnsafe);
+}
+
 NS_IMETHODIMP
 nsDocShell::GetHasMixedActiveContentLoaded(bool* aHasMixedActiveContentLoaded)
 {
@@ -1667,6 +1685,12 @@ nsDocShell::GetAllowPlugins(bool* aAllowPlugins)
  NS_ENSURE_ARG_POINTER(aAllowPlugins);

  *aAllowPlugins = mAllowPlugins;
+  if (!mAllowPlugins) {
+    return NS_OK;
+  }
+
+  bool unsafe;
+  *aAllowPlugins = NS_SUCCEEDED(GetChannelIsUnsafe(&unsafe)) && !unsafe;
  return NS_OK;
 }

@@ -1880,6 +1904,12 @@ nsDocShell::GetAllowMetaRedirects(bool* aReturn)
  NS_ENSURE_ARG_POINTER(aReturn);

  *aReturn = mAllowMetaRedirects;
+  if (!mAllowMetaRedirects) {
+    return NS_OK;
+  }
+
+  bool unsafe;
+  *aReturn = NS_SUCCEEDED(GetChannelIsUnsafe(&unsafe)) && !unsafe;
  return NS_OK;
 }

@@ -9551,6 +9581,34 @@ nsDocShell::InternalLoad(nsIURI* aURI,
    }
  }

+  // Don't allow loads that would inherit our security context
+  // if this document came from an unsafe channel.
+  {
+    bool willInherit;
+    // This condition needs to match the one in
+    // nsContentUtils::ChannelShouldInheritPrincipal.
+    // Except we reverse the rv check to be safe in case
+    // nsContentUtils::URIInheritsSecurityContext fails here and
+    // succeeds there.
+    rv = nsContentUtils::URIInheritsSecurityContext(aURI, &willInherit);
+    if (NS_FAILED(rv) || willInherit || NS_IsAboutBlank(aURI)) {
+      nsCOMPtr<nsIDocShellTreeItem> treeItem = this;
+      do {
+        nsCOMPtr<nsIDocShell> itemDocShell = do_QueryInterface(treeItem);
+        bool isUnsafe;
+        if (itemDocShell &&
+            NS_SUCCEEDED(itemDocShell->GetChannelIsUnsafe(&isUnsafe)) &&
+            isUnsafe) {
+          return NS_ERROR_DOM_SECURITY_ERR;
+        }
+
+        nsCOMPtr<nsIDocShellTreeItem> parent;
+        treeItem->GetSameTypeParent(getter_AddRefs(parent));
+        parent.swap(treeItem);
+      } while (treeItem);
+    }
+  }
+
  nsIDocument* doc = mContentViewer ? mContentViewer->GetDocument()
                                    : nullptr;