Bug 940684 - Don't allow unsafe paths when constructing DeviceStorageFile object. r=bent, a=Preeti
authorDave Hylands <dhylands@mozilla.com>
Thu, 16 Jan 2014 15:11:24 -0800
changeset 119995 aa0ceb07a73ea73ba3954662ca58a2e032582457
parent 119994 5b69cc75ecbe2646e7324f386ddd072221576903
child 119996 1f6e89d119a95c2e13169b8f33c1ab7684b75fa4
push id1127
push userryanvm@gmail.com
push dateWed, 22 Jan 2014 21:21:19 +0000
reviewersbent, Preeti
bugs940684
milestone18.1
Bug 940684 - Don't allow unsafe paths when constructing DeviceStorageFile object. r=bent, a=Preeti
dom/devicestorage/nsDeviceStorage.cpp
--- a/dom/devicestorage/nsDeviceStorage.cpp
+++ b/dom/devicestorage/nsDeviceStorage.cpp
@@ -799,16 +799,26 @@ DeviceStorageFile::NormalizeFilePath() {
 #endif
 }
 
 void
 DeviceStorageFile::AppendRelativePath(const nsAString& aPath) {
   if (!mFile) {
     return;
   }
+  if (!IsSafePath(aPath)) {
+    // All of the APIs (in the child) do checks to verify that the path is
+    // valid and return PERMISSION_DENIED if a non-safe path is entered.
+    // This check is done in the parent and prevents a compromised
+    // child from bypassing the check. It shouldn't be possible for this
+    // code path to be taken with a non-compromised child.
+    NS_WARNING("Unsafe path detected - ignoring");
+    NS_WARNING(NS_LossyConvertUTF16toASCII(aPath).get());
+    return;
+  }
 #if defined(XP_WIN)
   // replace forward slashes with backslashes,
   // since nsLocalFileWin chokes on them
   nsString temp;
   temp.Assign(aPath);
 
   PRUnichar* cur = temp.BeginWriting();
   PRUnichar* end = temp.EndWriting();
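Review bot: The rejection branch added to AppendRelativePath only returns, so mFile stays pointing at the un-appended base location and the object still looks valid to whatever runs next. If the callers (not visible in this hunk) go on to use the file, a request carrying an unsafe path would act on the storage root instead of failing. Consider making the object unusable on rejection, for example `mFile = nullptr;` before the `return;`, provided later users null-check mFile the way this function does. NS_WARNING is also compiled out of non-debug builds, so a release build records nothing for what the comment describes as a compromised-child signal; a log call that survives release builds would help detection. The function body continues past the end of the hunk.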