Closed Bug 316931 Opened 19 years ago Closed 19 years ago

Allow chrome:// xforms to submit anywhere

Categories

(Core Graveyard :: XForms, defect)

Product:
Core Graveyard
Component:
XForms
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: surkov, Assigned: doronr)

Details

(Keywords: fixed1.8.0.2, fixed1.8.1)

Attachments

(2 files)

patch
856 bytes, patch
doronr
: review+
aaronr
: review+
Details | Diff | Splinter Review
use nsIPrincipal
15.29 KB, patch
allan
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051116 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051116 Firefox/1.6a1

The bug like bug 296231. If you set up application then you trust it almost extremely. There is a question what is "the instance replacing" as it is mentioned in a patch for bug 296231?

Reproducible: Always
Attached patch patchSplinter Review 

        Attachment #203490 -
        Flags: review?(doronr)

    
    

    
  
Comment on attachment 203490 [details] [diff] [review]
patch

Looks ok.

        Attachment #203490 -
        Flags: review?(doronr) → review+

    
  
Assignee: aaronr → surkov
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
  

        Attachment #203490 -
        Flags: review?(aaronr)

    
  

        Attachment #203490 -
        Flags: review?(aaronr) → review+

    
    

    
  
Checked into trunk.
Whiteboard: xf-to-branch

    
    

    
  
Er... WHY are we doing a protocol check, not a real security check?

    
    

    
  
(In reply to comment #4)
> Er... WHY are we doing a protocol check, not a real security check?
> 

Don't you need a JSContext for real security checks to work?

    
    

    
  
No.  As long as you have the nsIPrincipal involved (which you had better!), you can just call IsCapabilityEnabled() on it with whatever capability it is you have here.  You'll have to pass null for the annotation, and at the moment that will make things equivalent to checking for the system principal, but that's what you want here, I assume.  I certainly _hope_ that non-system chrome (eg themes) is not meant to get extra privileges here.

    
    

    
  
I guess we'll have to figure how to get a nsIPrincipal.

cc: some more people.  Perhaps we can use nsIScriptSecurityManager to get at it, not sure.

    
    

    
  
nsIDocument::GetPrincipal() should do what you want, I suspect.

Also, imo, nsXFormsUtils::CheckSameOrigin should take an nsIPrincipal for the first arg and call checkSameOriginPrincipal, not checkSameOriginURI.

In general any time you're working with URIs directly for security purposes you have a bug.

    
    

    
  
(In reply to comment #8)
> nsIDocument::GetPrincipal() should do what you want, I suspect.
> 
> Also, imo, nsXFormsUtils::CheckSameOrigin should take an nsIPrincipal for the
> first arg and call checkSameOriginPrincipal, not checkSameOriginURI.
> 
> In general any time you're working with URIs directly for security purposes you
> have a bug.
> 

Ouch. I was feeling a bit uneasy about this... but apparently it did not stop me from checking it in. We have some security issues then...

    
    

    
  
Yeah, I usually ask darin to review such changes, made a mistake by not doing this  this time.  Going to take a look.

    
    

    
  
(In reply to comment #8)
> nsIDocument::GetPrincipal() should do what you want, I suspect.
> 
> Also, imo, nsXFormsUtils::CheckSameOrigin should take an nsIPrincipal for the
> first arg and call checkSameOriginPrincipal, not checkSameOriginURI.
> 
> In general any time you're working with URIs directly for security purposes you
> have a bug.
> 

Shouldn't I use checkLoadURIWithPrincipal and pass in the principal of the document and the URI I want to load?  Wouldn't that allow "true" chrome to access anything?  Which would mean I can skip the IsCapabilityEnabled() check and just use nsXFormsUtils::CheckSameOrigin?


    
    

    
  
> Shouldn't I use checkLoadURIWithPrincipal and pass in the principal of the
> document and the URI I want to load?

Depends on the model you want.  checkLoadURIWithPrincipal allows any http: page to load any other http: page, which is not what you want here, last I checked.


    
    

    
  
(In reply to comment #12)
> > Shouldn't I use checkLoadURIWithPrincipal and pass in the principal of the
> > document and the URI I want to load?
> 
> Depends on the model you want.  checkLoadURIWithPrincipal allows any http: page
> to load any other http: page, which is not what you want here, last I checked.
> 

I got it mostly working, what is the correct way to allow file:// to load anything?

    
    

    
  
Um....  There's no such way via the security manager that I know of.  If we need one (and I suspect we do), file a bug?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        use nsIPrincipalSplinter Review
      

    


  
This seems to work.

I haven't tried chrome://, can you try with this Alexander?  I am checking for the "UniversalBrowserRead" capability, which should work.

    
    

    
  
Comment on attachment 204376 [details] [diff] [review]
use nsIPrincipal

bz, do you have time to sr?

        Attachment #204376 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 204376 [details] [diff] [review]
use nsIPrincipal

>Index: extensions/xforms/nsXFormsSubmissionElement.cpp
>+nsXFormsSubmissionElement::CheckSameOrigin(nsIDocument 
>+      baseURI->SchemeIs("file", &allowSubmission);

For what it's worth, this should be checking the rv -- any extension can add new protocols, and you can't trust them to not throw on SchemeIs.

>Index: extensions/xforms/nsXFormsUtils.cpp
>+    // check the security manager and do a same original check on the principal

s/original/origin/

>+        rv = secMan->CheckSameOriginPrincipal(aBaseDocument->GetPrincipal(),

Just pass in basePrincipal?

sr=bzbarsky with those fixed.

        Attachment #204376 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
Comment on attachment 204376 [details] [diff] [review]
use nsIPrincipal

allan, care to review the XForms changes?

        Attachment #204376 -
        Flags: review?(allan)

    
  
Assignee: surkov → doronr

    
    

    
  
Comment on attachment 204376 [details] [diff] [review]
use nsIPrincipal

(In reply to comment #18)
> (From update of attachment 204376 [details] [diff] [review] [edit])
> allan, care to review the XForms changes?

Yes, sorry that it took so long.

r=me

        Attachment #204376 -
        Flags: review?(allan) → review+

    
    

    
  
checked in the nsIPrincipal patch.
Status: NEW → ASSIGNED

    
    

    
  
checked into MOZILLA_1_8_BRANCH via bug 323691.  Leaving open for now until it gets into 1.8.0

    
  
Whiteboard: xf-to-branch

    
  
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.2
Resolution: --- → FIXED

    
  
Keywords: fixed1.8.1
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: