roytam1/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 13:58:49 +00:00
Code Issues Projects Releases Wiki Activity

[DOM] Don't allow internal MIME types to be assigned to DataTransfer

Browse Source 
We already blocked x-moz-file(-promise) and x-moz-place* but of course people
would find ways to abuse other internal types. This change now blocks everything
except x-moz-url types which are harmless. (i.e. whitelist instead of blacklist)
This commit is contained in:
Moonchild
2022-02-10 22:21:40 +00:00
committed by roytam1
parent 7f3a7225af
commit 3bcd2ee360
2 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dom/events/DataTransfer.cpp
+5 -10
View File
@@ -639,16 +639,11 @@ DataTransfer::PrincipalMaySetData(const nsAString& aType,
return false;
}
if (aType.EqualsASCII(kFileMime) ||
aType.EqualsASCII(kFilePromiseMime)) {
NS_WARNING("Disallowing adding x-moz-file or x-moz-file-promize types to DataTransfer");
return false;
}
// Disallow content from creating x-moz-place flavors, so that it cannot
// create fake Places smart queries exposing user data.
if (StringBeginsWith(aType, NS_LITERAL_STRING("text/x-moz-place"))) {
NS_WARNING("Disallowing adding moz-place types to DataTransfer");
// Don't allow adding internal types of the form */x-moz-*, but
// special-case the url types as they are simple variations of urls.
if (FindInReadable(NS_LITERAL_STRING(kInternal_Mimetype_Prefix), aType) &&
!StringBeginsWith(aType, NS_LITERAL_STRING("text/x-moz-url"))) {
NS_WARNING("Disallowing adding requested internal type to DataTransfer");
return false;
}
}
widget/nsITransferable.idl
+6 -1
View File
@@ -13,12 +13,17 @@ interface nsIPrincipal;
%{ C++
// Internal formats must have their second part starting with 'x-moz-',
// for example text/x-moz-internaltype. These cannot be assigned by
// unprivileged content but all other types can.
#define kInternal_Mimetype_Prefix "/x-moz-"
// these probably shouldn't live here, but in some central repository shared
// by the entire app.
#define kTextMime "text/plain"
#define kRTFMime "text/rtf"
#define kUnicodeMime "text/unicode"
#define kMozTextInternal "text/x-moz-text-internal" // text data which isn't suppoed to be parsed by other apps.
#define kMozTextInternal "text/x-moz-text-internal" // text data which isn't suppoed to be parsed by other apps.
#define kHTMLMime "text/html"
#define kAOLMailMime "AOLMAIL"
#define kPNGImageMime "image/png"