From 6ee2be9efaae3ca33e0c1284966ee0a142026089 Mon Sep 17 00:00:00 2001
From: s30028044 <sunhai10@huawei.com>
Date: Sat, 9 Mar 2024 22:00:16 +0800
Subject: [PATCH] CVE-2023-23601
---
dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
dom/events/DataTransfer.cpp | 12 ++++++++++++
dom/events/DataTransfer.h | 3 +++
dom/webidl/DataTransfer.webidl | 7 +++++++
4 files changed, 29 insertions(+), 18 deletions(-)
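diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
index d3d64d9a81..e812c96656 100644
--- a/dom/base/ContentAreaDropListener.jsm
+++ b/dom/base/ContentAreaDropListener.jsm
@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
 return true;
 }
 
- let sourceNode = dataTransfer.mozSourceNode;
- if (!sourceNode) {
+ // If this is an external drag, allow drop.
+ let sourceWC = dataTransfer.sourceWindowContext;
+ if (!sourceWC) {
 return true;
 }
 
- // don't allow a drop of a node from the same document onto this one
- let sourceDocument = sourceNode.ownerDocument;
- let eventDocument = aEvent.originalTarget.ownerDocument;
- if (sourceDocument == eventDocument) {
+ // If drag source and drop target are in the same top window, don't allow.
+ let eventWC =
+ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
+ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
 return false;
 }
 
- // also check for nodes in other child or sibling frames by checking
- // if both have the same top window.
- if (sourceDocument && eventDocument) {
- if (sourceDocument.defaultView == null) {
- return true;
- }
- let sourceRoot = sourceDocument.defaultView.top;
- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
- return false;
- }
- }
-
 return true;
 },
 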
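Review bot: When `eventWC` is null, the new condition `if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext)` is skipped and control reaches the final `return true`. A drop whose target window context cannot be resolved is therefore allowed even though the drag source is known to be inside the browser. Since this comparison is the check that blocks same-top-window drops, rejecting in that case looks safer: `if (!eventWC || sourceWC.topWindowContext == eventWC.topWindowContext) {`. The chain `aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext` also reads `ownerGlobal` and `browsingContext` without a guard, so a null at either step would throw instead of reaching a decision; an explicit null check before the comparison would make that path deliberate. The enclosing function starts above this hunk, so earlier checks that may already cover these cases are not visible here.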
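diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 243b102d43..82a5a99a17 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -40,6 +40,7 @@
 #include "mozilla/dom/FileList.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/OSFileSystem.h"
+#include "mozilla/dom/WindowContext.h"
 #include "mozilla/dom/Promise.h"
 #include "nsComponentManagerUtils.h"
 #include "nsNetUtil.h"
@@ -436,6 +437,17 @@ already_AddRefed<nsINode> DataTransfer::GetMozSourceNode() {
 return sourceNode.forget();
 }
 
+already_AddRefed<WindowContext> DataTransfer::GetSourceWindowContext() {
+ nsCOMPtr<nsIDragSession> dragSession = nsContentUtils::GetDragSession();
+ if (!dragSession) {
+ return nullptr;
+ }
+
+ RefPtr<WindowContext> sourceWindowContext;
+ dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext));
+ return sourceWindowContext.forget();
+}
+
 already_AddRefed<DOMStringList> DataTransfer::MozTypesAt(
 uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
 // Only the first item is valid for clipboard events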
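Review bot: `DataTransfer::GetSourceWindowContext()` returns null both when `nsContentUtils::GetDragSession()` yields no session and when the session reports no source window, and the result of `dragSession->GetSourceWindowContext(...)` is not inspected. The consumer in ContentAreaDropListener.jsm in this same patch reads null as "external drag, allow drop", so every failure path in this getter ends in the permissive branch of the security check. I would state that contract above the definition, for example `// Returns null when there is no drag session or the drag started outside the browser; callers treat null as an external drag.`, and consider whether the no-session case should be distinguishable from a real external drag. If the session getter returns a status code, which I presume but cannot confirm from this hunk, checking it before `forget()` would make the failure path explicit.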
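diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
index a091f2069f..614b33ed25 100644
--- a/dom/events/DataTransfer.h
+++ b/dom/events/DataTransfer.h
@@ -41,6 +41,7 @@ class FileList;
 class Promise;
 template <typename T>
 class Optional;
+class WindowContext;
 
 #define NS_DATATRANSFER_IID \
 { \
@@ -261,6 +262,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
 
 already_AddRefed<nsINode> GetMozSourceNode();
 
+ already_AddRefed<WindowContext> GetSourceWindowContext();
+
 /*
 * Integer version of dropEffect, set to one of the constants in
 * nsIDragService.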
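diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
index 7f7528d9c0..da89243b6f 100644
--- a/dom/webidl/DataTransfer.webidl
+++ b/dom/webidl/DataTransfer.webidl
@@ -159,6 +159,13 @@ partial interface DataTransfer {
 [UseCounter]
 readonly attribute Node? mozSourceNode;
 
+ /**
+ * The window context that mouse was pressed over to begin the drag. For
+ * external drags, this will be null.
+ */
+ [ChromeOnly]
+ readonly attribute WindowContext? sourceWindowContext;
+
 /**
 * The URI spec of the triggering principal. This may be different than
 * sourceNode's principal when sourceNode is xul:browser and the drag is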
--
2.27.0