Bug 825070 - systemXHR loads should be subject to checkLoadURI checks…

…. r=sicking
iaxat · Dec 29, 2012 · 74ea0e5 · 74ea0e5
1 parent 2efc4c5
commit 74ea0e5
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 19 deletions.
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
@@ -1636,8 +1636,17 @@ nsXMLHttpRequest::IsSystemXHR()
 nsresult
 nsXMLHttpRequest::CheckChannelForCrossSiteRequest(nsIChannel* aChannel)
 {
-  // First check if cross-site requests are enabled...
+  // A system XHR (chrome code or a web app with the right permission) can
+  // always perform cross-site requests. In the web app case, however, we
+  // must still check for protected URIs like file:///.
   if (IsSystemXHR()) {
+    if (!nsContentUtils::IsSystemPrincipal(mPrincipal)) {
+      nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
+      nsCOMPtr<nsIURI> uri;
+      aChannel->GetOriginalURI(getter_AddRefs(uri));
+      return secMan->CheckLoadURIWithPrincipal(
+        mPrincipal, uri, nsIScriptSecurityManager::STANDARD);
+    }
     return NS_OK;
   }
 

diff --git a/content/base/test/Makefile.in b/content/base/test/Makefile.in
@@ -586,6 +586,8 @@ MOCHITEST_FILES_B = \
 		test_XHR_onuploadprogress.html \
 		test_XHR_anon.html \
 		file_XHR_anon.sjs \
+		file_XHR_system_redirect.html \
+		file_XHR_system_redirect.html^headers^ \
 		test_XHR_system.html \
 		test_XHR_parameters.html \
 		test_ipc_messagemanager_blob.html \

diff --git a/content/base/test/file_XHR_system_redirect.html b/content/base/test/file_XHR_system_redirect.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html>
+<body>
+</body>
+</html>
diff --git a/content/base/test/file_XHR_system_redirect.html^headers^ b/content/base/test/file_XHR_system_redirect.html^headers^
@@ -0,0 +1,2 @@
+HTTP 302 Found
+Location: file:///etc/passwd
diff --git a/content/base/test/test_XHR_system.html b/content/base/test/test_XHR_system.html
@@ -15,35 +15,88 @@
 <pre id="test">
 <script class="testbody" type="application/javascript;version=1.8">
 
-function runTests() {
-  var comp = SpecialPowers.wrap(SpecialPowers.Components);
-  SimpleTest.waitForExplicitFinish();
-  SpecialPowers.addPermission("systemXHR", true, document);
+let tests = [];
 
-  function tearDown() {
-    SpecialPowers.removePermission("systemXHR", document);
-    SimpleTest.finish();
+const PROTECTED_URL = "file:///etc/passwd";
+const REDIRECT_URL = window.location.protocol + "//" + window.location.host + "/tests/content/base/test/file_XHR_system_redirect.html";
+const CROSSSITE_URL = "http://example.com/tests/content/base/test/test_XHR_system.html";
+
+tests.push(function test_cross_origin() {
+  // System XHR can load cross-origin resources.
+
+  is(window.location.hostname, "mochi.test", "correct origin");
+
+  let xhr = new XMLHttpRequest({mozSystem: true});
+  is(xhr.mozSystem, true, ".mozSystem == true");
+  xhr.open("GET", CROSSSITE_URL);
+  xhr.onload = function onload() {
+    is(xhr.status, 200, "correct HTTP status");
+    ok(xhr.responseText != null, "HTTP response non-null");
+    ok(xhr.responseText.length, "HTTP response not empty");
+    runNextTest();
+  };
+  xhr.onerror = function onerror(event) {
+    ok(false, "Got an error event: " + event);
+    runNextTest();
+  }
+  xhr.send();
+});
+
+tests.push(function test_file_uri() {
+  // System XHR is not permitted to access file:/// URIs.
+
+  let xhr = new XMLHttpRequest({mozSystem: true});
+  is(xhr.mozSystem, true, ".mozSystem == true");
+  xhr.open("GET", PROTECTED_URL);
+  let error;
+  try {
+    xhr.send();
+  } catch (ex) {
+    error = ex;
   }
+  ok(!!error, "got exception");
+  is(error.name, "NS_ERROR_DOM_BAD_URI");
+  is(error.message, "Access to restricted URI denied");
 
-  // An XHR with system privileges will be able to do cross-site calls.
+  runNextTest();
+});
 
-  const TEST_URL = "http://example.com/tests/content/base/test/test_XHR_system.html";
-  is(window.location.hostname, "mochi.test");
+tests.push(function test_redirect_to_file_uri() {
+  // System XHR won't load file:/// URIs even if an HTTP resource redirects there.
 
   let xhr = new XMLHttpRequest({mozSystem: true});
   is(xhr.mozSystem, true, ".mozSystem == true");
-  xhr.open("GET", TEST_URL);
+  xhr.open("GET", REDIRECT_URL);
   xhr.onload = function onload() {
-    is(xhr.status, 200);
-    ok(xhr.responseText != null);
-    ok(xhr.responseText.length);
-    tearDown();
+    ok(false, "Should not have loaded");
+    runNextTest();
   };
-  xhr.onerror = function onerror() {
-    ok(false, "Got an error event!");
-    tearDown();
+  xhr.onerror = function onerror(event) {
+    ok(true, "Got an error event: " + event);
+    is(xhr.status, 0, "HTTP status is 0");
+    runNextTest();
   }
   xhr.send();
+});
+
+
+function runNextTest() {
+  if (!tests.length) {
+    return;
+  }
+  tests.shift()();
+}
+
+function runTests() {
+  SimpleTest.waitForExplicitFinish();
+  SpecialPowers.addPermission("systemXHR", true, document);
+
+  tests.push(function tearDown() {
+    SpecialPowers.removePermission("systemXHR", document);
+    SimpleTest.finish();
+  });
+
+  runNextTest();
 }
 
 </script>