Bug 1354308 - Entries API must support patches containing '..'. r=froydnj, a=ritu
authorAndrea Marchesini <amarchesini@mozilla.com>
Thu, 27 Apr 2017 08:19:56 +0200
changeset 578487 c8ba3f911eb1fdd4f763f7dbeb96fca09b22eca4
parent 578486 3a80d48a9249c162868272af23fa09c5c556bb0c
child 578488 d8031f89261994b5dc020ddf526adb5773068c6a
push id58939
push userbmo:cku@mozilla.com
push dateTue, 16 May 2017 04:17:59 +0000
reviewersfroydnj, ritu
bugs1354308
milestone52.1.2
Bug 1354308 - Entries API must support patches containing '..'. r=froydnj, a=ritu
dom/filesystem/FileSystemSecurity.cpp
dom/filesystem/compat/tests/script_entries.js
dom/filesystem/compat/tests/test_basic.html
--- a/dom/filesystem/FileSystemSecurity.cpp
+++ b/dom/filesystem/FileSystemSecurity.cpp
@@ -84,19 +84,27 @@ FileSystemSecurity::Forget(ContentParent
 
 bool
 FileSystemSecurity::ContentProcessHasAccessTo(ContentParentId aId,
                                               const nsAString& aPath)
 {
   MOZ_ASSERT(NS_IsMainThread());
   AssertIsInMainProcess();
 
-  if (FindInReadable(NS_LITERAL_STRING(".."), aPath)) {
+#if defined(XP_WIN)
+  if (StringBeginsWith(aPath, NS_LITERAL_STRING("..\\")) ||
+      FindInReadable(NS_LITERAL_STRING("\\..\\"), aPath)) {
     return false;
   }
+#elif defined(XP_UNIX)
+  if (StringBeginsWith(aPath, NS_LITERAL_STRING("../")) ||
+      FindInReadable(NS_LITERAL_STRING("/../"), aPath)) {
+    return false;
+  }
+#endif
 
   nsTArray<nsString>* paths;
   if (!mPaths.Get(aId, &paths)) {
     return false;
   }
 
   for (uint32_t i = 0, len = paths->Length(); i < len; ++i) {
     if (FileSystemUtils::IsDescendantPath(paths->ElementAt(i), aPath)) {
--- a/dom/filesystem/compat/tests/script_entries.js
+++ b/dom/filesystem/compat/tests/script_entries.js
@@ -23,17 +23,17 @@ addMessageListener("entries.open", funct
   file1.append('foo.txt');
   file1.create(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0o600);
 
   var dir1 = tmpDir.clone();
   dir1.append('subdir');
   dir1.create(Components.interfaces.nsIFile.DIRECTORY_TYPE, 0o700);
 
   var file2 = dir1.clone();
-  file2.append('bar.txt');
+  file2.append('bar..txt'); // Note the double ..
   file2.create(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0o600);
 
   var dir2 = dir1.clone();
   dir2.append('subsubdir');
   dir2.create(Components.interfaces.nsIFile.DIRECTORY_TYPE, 0o700);
 
   sendAsyncMessage("entries.opened", {
     data: [ new Directory(tmpDir.path), File.createFromNsIFile(tmpFile) ]
--- a/dom/filesystem/compat/tests/test_basic.html
+++ b/dom/filesystem/compat/tests/test_basic.html
@@ -171,19 +171,19 @@ function test_directoryEntry_getFile_sim
     is(e.name, "foo.txt", "We have the right FileEntry.");
     test_getParent(e, directoryEntry, /* nested */ false);
   }, function(e) {
     ok(false, "This should not happen.");
   });
 }
 
 function test_directoryEntry_getFile_deep() {
-  directoryEntry.getFile("subdir/bar.txt", {},
+  directoryEntry.getFile("subdir/bar..txt", {},
   function(e) {
-    is(e.name, "bar.txt", "We have the right FileEntry.");
+    is(e.name, "bar..txt", "We have the right FileEntry.");
     test_getParent(e, directoryEntry, /* nested */ true);
   }, function(e) {
     ok(false, "This should not happen.");
   });
 }
 
 function test_directoryEntry_getDirectory_securityError() {
   directoryEntry.getDirectory("foo", { create: true },
@@ -311,19 +311,19 @@ function test_root_getFile_simple() {
     is(e.name, fileEntry.name, "We have the right FileEntry.");
     next();
   }, function(e) {
     ok(false, "This should not happen.");
   });
 }
 
 function test_root_getFile_deep() {
-  fileEntry.filesystem.root.getFile(directoryEntry.name + "/subdir/bar.txt", {},
+  fileEntry.filesystem.root.getFile(directoryEntry.name + "/subdir/bar..txt", {},
   function(e) {
-    is(e.name, "bar.txt", "We have the right FileEntry.");
+    is(e.name, "bar..txt", "We have the right FileEntry.");
     next();
   }, function(e) {
     ok(false, "This should not happen.");
   });
 }
 
 function test_root_getDirectory_securityError() {
   fileEntry.filesystem.root.getDirectory("foo", { create: true },