Bug 1480757 - [2.0] Block unsafe URI intent load requests. r=snorp a=lizzard
☠☠ backed out by 7bcf460f41d7 ☠ ☠
authorEugen Sawin <esawin@mozilla.com>
Fri, 03 Aug 2018 15:13:59 +0200
changeset 480928 2ab9b526843574440ec3451fbe09c714d0c5c257
parent 480927 3e579ac0cc19de9bed955b044a9397da74cd8ad8
child 480929 534eacbf0b87ba223b6237cba6337f4aca733d36
push id1757
push userffxbld-merge
push dateFri, 24 Aug 2018 17:02:43 +0000
treeherdermozilla-release@736023aebdb1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssnorp, lizzard
bugs1480757
milestone62.0
Bug 1480757 - [2.0] Block unsafe URI intent load requests. r=snorp a=lizzard
mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
--- a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
@@ -19,16 +19,17 @@ import org.mozilla.gecko.gfx.LayerSessio
 import org.mozilla.gecko.GeckoEditableChild;
 import org.mozilla.gecko.GeckoThread;
 import org.mozilla.gecko.IGeckoEditableParent;
 import org.mozilla.gecko.mozglue.JNIObject;
 import org.mozilla.gecko.NativeQueue;
 import org.mozilla.gecko.util.BundleEventListener;
 import org.mozilla.gecko.util.EventCallback;
 import org.mozilla.gecko.util.GeckoBundle;
+import org.mozilla.gecko.util.IntentUtils;
 import org.mozilla.gecko.util.ThreadUtils;
 
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.res.Resources;
 import android.database.Cursor;
 import android.graphics.RectF;
 import android.net.Uri;
@@ -197,18 +198,23 @@ public class GeckoSession extends LayerS
                                          message.getBoolean("canGoBack"));
                     delegate.onCanGoForward(GeckoSession.this,
                                             message.getBoolean("canGoForward"));
                 } else if ("GeckoView:OnLoadRequest".equals(event)) {
                     final String uri = message.getString("uri");
                     final int where = convertGeckoTarget(message.getInt("where"));
                     final int flags = filterFlags(message.getInt("flags"));
 
-                    final GeckoResult<Boolean> result = delegate.onLoadRequest(GeckoSession.this,
-                            uri, where, flags);
+                    if (!IntentUtils.isUriSafeForScheme(uri)) {
+                        callback.sendError("Blocked unsafe intent URI");
+                        return;
+                    }
+
+                    final GeckoResult<Boolean> result =
+                        delegate.onLoadRequest(GeckoSession.this, uri, where, flags);
 
                     if (result == null) {
                         callback.sendSuccess(null);
                         return;
                     }
 
                     result.then(new GeckoResult.OnValueListener<Boolean, Void>() {
                         @Override