Bug 665209: Disable recursive image loads in content(). r=bz
authorDaniel Holbert <dholbert@cs.stanford.edu>
Wed, 22 Jun 2011 22:21:47 -0700
changeset 71876 bd7c4c011201f55c6600a12e4258907bbcc1e946
parent 71859 a4f5da9a1dc0b6711f01cf227cd9319f164432ba
child 71877 49932c605933140c3ca3b73c4263d6b6d30b12df
push idunknown
push userunknown
push dateunknown
reviewersbz
bugs665209
milestone7.0a1
Bug 665209: Disable recursive image loads in content(). r=bz
content/base/src/nsDataDocumentContentPolicy.cpp
layout/style/crashtests/665209-1.html
layout/style/crashtests/crashtests.list
--- a/content/base/src/nsDataDocumentContentPolicy.cpp
+++ b/content/base/src/nsDataDocumentContentPolicy.cpp
@@ -81,19 +81,19 @@ nsDataDocumentContentPolicy::ShouldLoad(
   }
 
   // Nothing else is OK to load for data documents
   if (doc->IsLoadedAsData()) {
     *aDecision = nsIContentPolicy::REJECT_TYPE;
     return NS_OK;
   }
 
-  // Allow local resources for SVG-as-an-image documents, but disallow
-  // everything else, to prevent data leakage
   if (doc->IsBeingUsedAsImage()) {
+    // Allow local resources for SVG-as-an-image documents, but disallow
+    // everything else, to prevent data leakage
     PRBool hasFlags;
     nsresult rv = NS_URIChainHasFlags(aContentLocation,
                                       nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
                                       &hasFlags);
     if (NS_FAILED(rv) || !hasFlags) {
       // resource is not local (or we couldn't tell) - reject!
       *aDecision = nsIContentPolicy::REJECT_TYPE;
 
@@ -103,16 +103,26 @@ nsDataDocumentContentPolicy::ShouldLoad(
         nsRefPtr<nsIURI> principalURI;
         rv = requestingPrincipal->GetURI(getter_AddRefs(principalURI));
         if (NS_SUCCEEDED(rv) && principalURI) {
           nsScriptSecurityManager::ReportError(
             nsnull, NS_LITERAL_STRING("CheckSameOriginError"), principalURI,
             aContentLocation);
         }
       }
+    } else if (aContentType == nsIContentPolicy::TYPE_IMAGE &&
+               doc->GetDocumentURI()) {
+      // Check for (& disallow) recursive image-loads
+      PRBool isRecursiveLoad;
+      rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
+                                             &isRecursiveLoad);
+      if (NS_FAILED(rv) || isRecursiveLoad) {
+        NS_WARNING("Refusing to recursively load image");
+        *aDecision = nsIContentPolicy::REJECT_TYPE;
+      }
     }
     return NS_OK;
   }
 
   // Allow all loads for non-external-resource documents
   if (!doc->GetDisplayDocument()) {
     return NS_OK;
   }
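Review bot: The new guard compares aContentLocation only against the document's own URI via EqualsExceptRef, so it stops a direct self-reference but, as far as the hunk shows, not an indirect cycle (image A whose content references image B, which references A); if that case is handled elsewhere (e.g. by the image-as-document loading path), the comment at the top of the branch should say so, otherwise this is worth a follow-up. I would extend the comment to `// Check for (& disallow) direct recursive image-loads (a document loading its own URI as an image); indirect cycles are not detected here`. Minor: `doc->GetDocumentURI()` is called twice in the condition and the EqualsExceptRef call; binding it once, `nsIURI* docURI = doc->GetDocumentURI();` before the else-if and testing `docURI` in the condition, reads more clearly. Rejecting on a failed EqualsExceptRef is the right fail-closed default and matches the `NS_FAILED(rv) || !hasFlags` branch above. The enclosing ShouldLoad starts before and continues past this hunk.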
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/665209-1.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+function boom()
+{
+  var w = '<div xmlns="http://www.w3.org/1999/xhtml" style="content: url(#);" />';
+  var v = 'url("data:image/svg+xml,' + encodeURIComponent(w) + '")';
+  document.documentElement.style.content = v;
+  document.documentElement.className = "";
+}
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -63,8 +63,9 @@ load 573127-1.html
 load 580685.html
 load 592698-1.html
 load 601437-1.html
 load 601439-1.html
 load 605689-1.html
 load 645142.html
 load 611922-1.html
 == 645951-1.html 645951-1-ref.html
+load 665209-1.html