Bug 1000514. r=dao, a=sledru
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Tue, 24 Jun 2014 15:52:28 +0100
changeset 207515 ee6dc0c0c2d754aaabf1fc0dfe2d491f163f78ef
parent 207514 f571f0ec2ad31168db990a6f154a8017020b244f
child 207516 9052bf4c9948a0bb9a82f052629a0986e8411d47
push id3741
push userasasaki@mozilla.com
push dateMon, 21 Jul 2014 20:25:18 +0000
reviewersdao, sledru
bugs1000514
milestone32.0a2
Bug 1000514. r=dao, a=sledru
toolkit/content/customizeToolbar.js
--- a/toolkit/content/customizeToolbar.js
+++ b/toolkit/content/customizeToolbar.js
@@ -617,16 +617,20 @@ function isToolbarItem(aElt)
          aElt.localName == "toolbarspacer";
 }
 
 ///////////////////////////////////////////////////////////////////////////
 //// Drag and Drop observers
 
 function onToolbarDragExit(aEvent)
 {
+  if (isUnwantedDragEvent(aEvent)) {
+    return;
+  }
+
   if (gCurrentDragOverItem)
     setDragActive(gCurrentDragOverItem, false);
 }
 
 function onToolbarDragStart(aEvent)
 {
   var item = aEvent.target;
   while (item && item.localName != "toolbarpaletteitem") {
@@ -640,16 +644,20 @@ function onToolbarDragStart(aEvent)
   var dt = aEvent.dataTransfer;
   var documentId = gToolboxDocument.documentElement.id;
   dt.setData("text/toolbarwrapper-id/" + documentId, item.firstChild.id);
   dt.effectAllowed = "move";
 }
 
 function onToolbarDragOver(aEvent)
 {
+  if (isUnwantedDragEvent(aEvent)) {
+    return;
+  }
+
   var documentId = gToolboxDocument.documentElement.id;
   if (!aEvent.dataTransfer.types.contains("text/toolbarwrapper-id/" + documentId.toLowerCase()))
     return;
 
   var toolbar = aEvent.target;
   var dropTarget = aEvent.target;
   while (toolbar && toolbar.localName != "toolbar") {
     dropTarget = toolbar;
@@ -692,16 +700,20 @@ function onToolbarDragOver(aEvent)
   setDragActive(gCurrentDragOverItem, true);
 
   aEvent.preventDefault();
   aEvent.stopPropagation();
 }
 
 function onToolbarDrop(aEvent)
 {
+  if (isUnwantedDragEvent(aEvent)) {
+    return;
+  }
+
   if (!gCurrentDragOverItem)
     return;
 
   setDragActive(gCurrentDragOverItem, false);
 
   var documentId = gToolboxDocument.documentElement.id;
   var draggedItemId = aEvent.dataTransfer.getData("text/toolbarwrapper-id/" + documentId);
   if (gCurrentDragOverItem.id == draggedItemId)
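Review bot: The guard at the top of onToolbarDrop returns before `setDragActive(gCurrentDragOverItem, false)` runs and before `gCurrentDragOverItem` is cleared, so a rejected drop leaves whatever highlight an earlier dragover set. In practice a drop is only delivered to a target whose dragover called preventDefault(), and the matching guard in onToolbarDragOver withholds that for foreign-window drags, so this early return looks like defense in depth rather than the primary barrier; the hunk does not say so. A one-line comment above the guard would make that explicit, e.g. `// Defense in depth: onToolbarDragOver already refuses foreign drags, so a drop from another window should not normally reach this handler.` The body of onToolbarDrop continues past the end of this hunk.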
@@ -762,23 +774,29 @@ function onToolbarDrop(aEvent)
 
   gCurrentDragOverItem = null;
 
   toolboxChanged();
 };
 
 function onPaletteDragOver(aEvent)
 {
+  if (isUnwantedDragEvent(aEvent)) {
+    return;
+  }
   var documentId = gToolboxDocument.documentElement.id;
   if (aEvent.dataTransfer.types.contains("text/toolbarwrapper-id/" + documentId.toLowerCase()))
     aEvent.preventDefault();
 }
 
 function onPaletteDrop(aEvent)
- {
+{
+  if (isUnwantedDragEvent(aEvent)) {
+    return;
+  }
   var documentId = gToolboxDocument.documentElement.id;
   var itemId = aEvent.dataTransfer.getData("text/toolbarwrapper-id/" + documentId);
 
   var wrapper = gToolboxDocument.getElementById("wrapper-"+itemId);
   if (wrapper) {
     // Don't allow non-removable kids (e.g., the menubar) to move.
     if (wrapper.firstChild.getAttribute("removable") != "true")
       return;
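Review bot: The guard inserted at the top of onPaletteDragOver and onPaletteDrop is not separated from the rest of the body by a blank line, unlike the same guard in the other four handlers in this patch; add a blank line after the closing `}` in both places for consistency. The body of onPaletteDrop continues past the end of this hunk.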
@@ -793,8 +811,23 @@ function onPaletteDrop(aEvent)
     }
 
     // The item was dragged out of the toolbar.
     wrapper.parentNode.removeChild(wrapper);
   }
 
   toolboxChanged();
 }
+
+
+function isUnwantedDragEvent(aEvent) {
+  /* Discard drag events that originated from a separate window to
+     prevent content->chrome privilege escalations. */
+  let mozSourceNode = aEvent.dataTransfer.mozSourceNode;
+  // mozSourceNode is null in the dragStart event handler or if
+  // the drag event originated in an external application.
+  if (!mozSourceNode) {
+    return true;
+  }
+  let sourceWindow = mozSourceNode.ownerDocument.defaultView;
+  return sourceWindow != window && sourceWindow != gToolboxDocument.defaultView;
+}
+
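Review bot: `mozSourceNode.ownerDocument.defaultView` in isUnwantedDragEvent dereferences `ownerDocument` with no null check; `ownerDocument` is null when the source node is itself a Document, and `defaultView` is null for a document that has no window, so the line can throw a TypeError inside the event handler instead of returning true. The handler would still fail closed (the exception aborts it before any DOM change), but an explicit rejection is clearer and quieter: replace the `let sourceWindow` line with `let sourceDoc = mozSourceNode.ownerDocument;` / `let sourceWindow = sourceDoc && sourceDoc.defaultView;` / `if (!sourceWindow) { return true; }`. The header comment should also state why this check, and not the existing `text/toolbarwrapper-id/...` type check in the callers, is the actual boundary: the type string appears forgeable by any page calling dataTransfer.setData, whereas mozSourceNode is populated by the platform and cannot be set from content (worth confirming against the DataTransfer implementation). Finally, the comparisons on the last line use `!=`; comparing window objects by identity should use `!==`.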