Bug 940684 - Don't allow unsafe paths when constructing DeviceStorageFile object. r=bent, a=Preeti
--- a/dom/devicestorage/nsDeviceStorage.cpp
+++ b/dom/devicestorage/nsDeviceStorage.cpp
@@ -799,16 +799,26 @@ DeviceStorageFile::NormalizeFilePath() {
#endif
}
void
DeviceStorageFile::AppendRelativePath(const nsAString& aPath) {
if (!mFile) {
return;
}
+ if (!IsSafePath(aPath)) {
+ // All of the APIs (in the child) do checks to verify that the path is
+ // valid and return PERMISSION_DENIED if a non-safe path is entered.
+ // This check is done in the parent and prevents a compromised
+ // child from bypassing the check. It shouldn't be possible for this
+ // code path to be taken with a non-compromised child.
+ NS_WARNING("Unsafe path detected - ignoring");
+ NS_WARNING(NS_LossyConvertUTF16toASCII(aPath).get());
+ return;
+ }
#if defined(XP_WIN)
// replace forward slashes with backslashes,
// since nsLocalFileWin chokes on them
nsString temp;
temp.Assign(aPath);
PRUnichar* cur = temp.BeginWriting();
PRUnichar* end = temp.EndWriting();