From 6ee2be9efaae3ca33e0c1284966ee0a142026089 Mon Sep 17 00:00:00 2001
From: s30028044
Date: Sat, 9 Mar 2024 22:00:16 +0800
Subject: [PATCH] CVE-2023-23601

---
 dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
 dom/events/DataTransfer.cpp | 12 ++++++++++++
 dom/events/DataTransfer.h | 3 +++
 dom/webidl/DataTransfer.webidl | 7 +++++++
 4 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
index d3d64d9a81..e812c96656 100644
--- a/dom/base/ContentAreaDropListener.jsm
+++ b/dom/base/ContentAreaDropListener.jsm
@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
 return true;
 }
- let sourceNode = dataTransfer.mozSourceNode;
- if (!sourceNode) {
+ // If this is an external drag, allow drop.
+ let sourceWC = dataTransfer.sourceWindowContext;
+ if (!sourceWC) {
 return true;
 }
- // don't allow a drop of a node from the same document onto this one
- let sourceDocument = sourceNode.ownerDocument;
- let eventDocument = aEvent.originalTarget.ownerDocument;
- if (sourceDocument == eventDocument) {
+ // If drag source and drop target are in the same top window, don't allow.
+ let eventWC =
+ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
+ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
 return false;
 }
- // also check for nodes in other child or sibling frames by checking
- // if both have the same top window.
- if (sourceDocument && eventDocument) {
- if (sourceDocument.defaultView == null) {
- return true;
- }
- let sourceRoot = sourceDocument.defaultView.top;
- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
- return false;
- }
- }
-
 return true;
 },
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 243b102d43..82a5a99a17 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
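Review bot: The `eventWC &&` guard in the new same-top-window check fails open: when `currentWindowContext` is null for the drop target (a browsing context with no current window, if that state is reachable here), the method falls through to `return true` and treats the drop exactly like an external drag. Since the purpose of this check is to reject drops that originate in the same top-level window, the unresolvable case is safer denied, e.g. `if (!eventWC || sourceWC.topWindowContext == eventWC.topWindowContext) {` followed by the existing `return false;` and `}`. `aEvent.originalTarget.ownerGlobal` is also dereferenced without a null check, so a target whose document has no window would throw rather than return a verdict; whether that is reachable from a drop event is not visible in the hunk. The enclosing method starts before the hunk.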
@@ -40,6 +40,7 @@
 #include "mozilla/dom/FileList.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/OSFileSystem.h"
+#include "mozilla/dom/WindowContext.h"
 #include "mozilla/dom/Promise.h"
 #include "nsComponentManagerUtils.h"
 #include "nsNetUtil.h"
@@ -436,6 +437,17 @@ already_AddRefed DataTransfer::GetMozSourceNode() {
 return sourceNode.forget();
 }
+already_AddRefed DataTransfer::GetSourceWindowContext() { nsCOMPtr dragSession = nsContentUtils::GetDragSession(); if (!dragSession) { return nullptr; } RefPtr sourceWindowContext; dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext)); return sourceWindowContext.forget(); }
+
 already_AddRefed DataTransfer::MozTypesAt(
 uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
 // Only the first item is valid for clipboard events
diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
index a091f2069f..614b33ed25 100644
--- a/dom/events/DataTransfer.h
+++ b/dom/events/DataTransfer.h
@@ -41,6 +41,7 @@ class FileList;
 class Promise;
 template class Optional;
+class WindowContext;
 #define NS_DATATRANSFER_IID \
 { \
@@ -261,6 +262,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
 already_AddRefed GetMozSourceNode();
+ already_AddRefed GetSourceWindowContext();
+
 /*
 * Integer version of dropEffect, set to one of the constants in
 * nsIDragService.
diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
index 7f7528d9c0..da89243b6f 100644
--- a/dom/webidl/DataTransfer.webidl
+++ b/dom/webidl/DataTransfer.webidl
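Review bot: `DataTransfer::GetSourceWindowContext()` takes its answer from the global drag session (`nsContentUtils::GetDragSession()`) and reads no state on this `DataTransfer`, yet neither the definition nor the declaration added to `DataTransfer.h` says so, and a reader of the header will assume a per-object property. I would put above the definition: `// Resolved from the current drag session, not from this DataTransfer: null when no drag session is active, or when the session has no source context (external drag).` The `nsresult` from `dragSession->GetSourceWindowContext(...)` is discarded; that is harmless as long as a failing getter leaves the out-param untouched, so `sourceWindowContext` is still null and the caller sees the same "no source" result, but a one-line comment stating that intent would stop the next reader from treating it as an oversight. The template arguments (`already_AddRefed<WindowContext>` and the `nsCOMPtr`/`RefPtr` parameters) and the `+` markers on the function's continuation lines appear to have been stripped by the rendering of this hunk, so the body is shown collapsed rather than as the patch wrote it.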
@@ -159,6 +159,13 @@ partial interface DataTransfer {
 [UseCounter]
 readonly attribute Node? mozSourceNode;
+ /**
+ * The window context that mouse was pressed over to begin the drag. For
+ * external drags, this will be null.
+ */
+ [ChromeOnly]
+ readonly attribute WindowContext? sourceWindowContext;
+
 /**
 * The URI spec of the triggering principal. This may be different than
 * sourceNode's principal when sourceNode is xul:browser and the drag is
-- 
2.27.0
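Review bot: The new doc comment on `sourceWindowContext` names only the external-drag case as returning null, while the C++ getter in this same patch also returns null whenever no drag session is active, which is the state the attribute is in outside a drag; I would extend the second sentence to `For external drags, or when no drag session is active, this will be null.` Minor wording: `that mouse was pressed over` reads better as `that the mouse was pressed over`. Since this attribute is the replacement for `mozSourceNode` in the drop check, it is also worth one sentence noting that it is chrome-only and so, unlike `mozSourceNode`, never reaches web content.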