Bug 620773 - java.security.AccessControlException when calling privileged Java methods from chrome. r=bz,jst a=dveditz
authorSteven Michaud <smichaud@pobox.com>
Fri, 14 Jan 2011 15:36:58 -0600
changeset 27294 9377dc78515955761dff0e507aa514c429eafaf5
parent 27293 de9d2e224dbe1df90f12722046577da167aaa16a
child 27295 5873543f363cb27d812f4a5494b87d0a271afc7a
push id2634
push usersmichaud@pobox.com
push dateFri, 14 Jan 2011 21:37:32 +0000
reviewersbz, jst, dveditz
bugs620773
milestone1.9.1.17pre
Bug 620773 - java.security.AccessControlException when calling privileged Java methods from chrome. r=bz,jst a=dveditz
modules/oji/src/nsCSecurityContext.cpp
modules/plugin/base/src/nsNPAPIPlugin.cpp
netwerk/base/public/nsNetUtil.h
--- a/modules/oji/src/nsCSecurityContext.cpp
+++ b/modules/oji/src/nsCSecurityContext.cpp
@@ -134,17 +134,17 @@ nsCSecurityContext::GetOriginImpl(nsXPID
 // and only then do an error return.
 NS_METHOD
 nsCSecurityContext::GetOrigin(char* buf, int buflen)
 {
     nsXPIDLCString origin;
     PRBool javaCompatible = PR_FALSE;
 
     if (NS_SUCCEEDED(GetOriginImpl(origin))) {
-        if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(origin, &javaCompatible)))
+        if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(origin, PR_TRUE, &javaCompatible)))
             javaCompatible = PR_FALSE;
     } else {
         javaCompatible = PR_FALSE;
     }
 
     PRInt32 originlen = origin.Length();
 
     // Don't pass back a value that Java won't be able to understand or
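Review bot: The new `PR_TRUE` argument on the NS_CheckIsJavaCompatibleURLString call carries no hint at the call site that it means "this caller is the OJI plugin, so a chrome: origin must be rejected", which is the whole security effect of the flag. I would label it inline, e.g. `NS_CheckIsJavaCompatibleURLString(origin, PR_TRUE /* isOJIPlugin: never hand chrome: to OJI */, &javaCompatible)`, so the next reader does not have to open nsNetUtil.h to learn which value is the restrictive one. GetOrigin continues past the end of this hunk.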
--- a/modules/plugin/base/src/nsNPAPIPlugin.cpp
+++ b/modules/plugin/base/src/nsNPAPIPlugin.cpp
@@ -1765,17 +1765,17 @@ bool NP_CALLBACK
   if (document_obj != npobj)
     return true;
 
   NPString urlnp = NPVARIANT_TO_STRING(*result);
   nsXPIDLCString url;
   url.Assign(urlnp.utf8characters, urlnp.utf8length);
 
   PRBool javaCompatible = PR_FALSE;
-  if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(url, &javaCompatible)))
+  if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(url, PR_FALSE, &javaCompatible)))
     javaCompatible = PR_FALSE;
   if (javaCompatible)
     return true;
 
   // If Java won't be able to interpret the original value of document.URL or
   // document.documentURI, or is likely to mishandle it, pass back something
   // that Java will understand but won't be able to use to access the network,
   // and for which same-origin checks will always fail.
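Review bot: Passing a bare `PR_FALSE` here hard-codes the assumption that every plugin reaching this NPAPI path is Java Plugin2 rather than OJI, and nothing in the hunk states or checks that; if an OJI instance could ever reach this code, a chrome: URL would now be forwarded to a plugin the header comment says cannot handle it. That assumption deserves a comment at the call, e.g. `// PR_FALSE: NPAPI callers are Java Plugin2, which understands chrome: URLs and grants chrome origins extra privileges (bug 620773), so they must pass through.` Since a chrome: value is what unlocks those privileges, it is also worth noting next to the `document_obj != npobj` guard above that the string handed to this check must come from the document's real URL, not from anything a page can substitute — as far as this hunk shows, that guard is what enforces it. The enclosing function begins before the hunk.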
--- a/netwerk/base/public/nsNetUtil.h
+++ b/netwerk/base/public/nsNetUtil.h
@@ -1657,20 +1657,23 @@ NS_MakeRandomInvalidURLString(nsCString&
 }
 #undef NS_FAKE_SCHEME
 #undef NS_FAKE_TLD
 
 /**
  * Helper function to determine whether urlString is Java-compatible --
  * whether it can be passed to the Java URL(String) constructor without the
  * latter throwing a MalformedURLException, or without Java otherwise
- * mishandling it.
+ * mishandling it.  This function (in effect) implements a scheme whitelist
+ * for Java.
  */  
 inline nsresult
-NS_CheckIsJavaCompatibleURLString(nsCString& urlString, PRBool *result)
+NS_CheckIsJavaCompatibleURLString(nsCString& urlString,
+                                  PRBool isOJIPlugin,
+                                  PRBool *result)
 {
   *result = PR_FALSE; // Default to "no"
 
   nsresult rv = NS_OK;
   nsCOMPtr<nsIURLParser> urlParser =
     do_GetService(NS_STDURLPARSER_CONTRACTID, &rv);
   if (NS_FAILED(rv) || !urlParser)
     return NS_ERROR_FAILURE;
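Review bot: The header comment gains a sentence about the scheme whitelist but does not document the new `isOJIPlugin` parameter, which inverts the reader's intuition (PR_FALSE is the permissive value). I would add parameter documentation along the lines of `@param isOJIPlugin PR_TRUE when the caller is the OJI plugin, which does not understand "chrome" URLs; PR_FALSE (Java Plugin2) additionally accepts the "chrome" scheme, to which Plugin2 grants extra privileges (bug 620773).` and `@param result set to PR_TRUE only for whitelisted schemes; defaults to PR_FALSE on any failure.` A one-line note that the return value reports only whether the check could be performed, not the verdict, would also help callers that currently collapse NS_FAILED into "not compatible". The function body continues in the next hunk.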
@@ -1679,27 +1682,46 @@ NS_CheckIsJavaCompatibleURLString(nsCStr
   PRUint32 schemePos = 0;
   PRInt32 schemeLen = 0;
   urlParser->ParseURL(urlString.get(), -1, &schemePos, &schemeLen,
                       nsnull, nsnull, nsnull, nsnull);
   if (schemeLen != -1) {
     nsCString scheme;
     scheme.Assign(urlString.get() + schemePos, schemeLen);
     // By default Java only understands a small number of URL schemes, and of
-    // these only some are likely to represent user input (for example from a
-    // link or the location bar) that Java can legitimately be expected to
-    // handle.  (Besides those listed below, Java also understands the "jar",
-    // "mailto" and "netdoc" schemes.  But it probably doesn't expect these
-    // from a browser, and is therefore likely to mishandle them.)
+    // these only some can legitimately represent a browser page's "origin"
+    // (and be something we can legitimately expect Java to handle ... or not
+    // to mishandle).
+    //
+    // Besides those listed below, the OJI plugin understands the "jar",
+    // "mailto", "netdoc", "javascript" and "rmi" schemes, and Java Plugin2
+    // also understands the "about" scheme.  We actually pass "about" URLs
+    // to Java ("about:blank" when processing a javascript: URL (one that
+    // calls Java) from the location bar of a blank page, and (in FF4 and up)
+    // "about:home" when processing a javascript: URL from the home page).
+    // And Java doesn't appear to mishandle them (for example it doesn't allow
+    // connections to "about" URLs).  But it doesn't make any sense to do
+    // same-origin checks on "about" URLs, so we don't include them in our
+    // scheme whitelist.
+    //
+    // The OJI plugin doesn't understand "chrome" URLs (only Java Plugin2
+    // does) -- so we mustn't pass them to the OJI plugin.  But we do need to
+    // pass "chrome" URLs to Java Plugin2:  Java Plugin2 grants additional
+    // privileges to chrome "origins", and some extensions take advantage of
+    // this.  For more information see bug 620773.
     if (PL_strcasecmp(scheme.get(), "http") &&
         PL_strcasecmp(scheme.get(), "https") &&
         PL_strcasecmp(scheme.get(), "file") &&
         PL_strcasecmp(scheme.get(), "ftp") &&
         PL_strcasecmp(scheme.get(), "gopher"))
       compatible = PR_FALSE;
+    if (!compatible && !isOJIPlugin) {
+      if (!PL_strcasecmp(scheme.get(), "chrome"))
+        compatible = PR_TRUE;
+    }
   } else {
     compatible = PR_FALSE;
   }
 
   *result = compatible;
 
   return NS_OK;
 }
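Review bot: The chrome: acceptance is written as a nested `if` inside `if (!compatible && !isOJIPlugin)`, which reads as two decisions when it is one; I would collapse it to `if (!compatible && !isOJIPlugin && !PL_strcasecmp(scheme.get(), "chrome"))` followed by `compatible = PR_TRUE;` so the whole whitelist is visible in one place. Because this branch is the only thing standing between an arbitrary string and Java Plugin2's elevated treatment of chrome origins, the comment above it should say explicitly that the decision rests on the parsed scheme alone and that callers on the Plugin2 path are responsible for passing only strings derived from the document's own URL — the function itself cannot tell a genuine chrome document from a supplied string. The comparison is case-insensitive, so a `CHROME:` spelling is accepted as well; that is presumably intended, matching the other schemes, but worth stating.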