mozjs78/backport-CVE-2023-23601.patch
Jiayi Yin ebbb360b11 init
2025-03-17 06:18:47 +00:00


From 5d3ed1e2012322bff7593b7a508f89203d9cd3f9 Mon Sep 17 00:00:00 2001
From: s30028044 <sunhai10@huawei.com>
Date: Mon, 8 Apr 2024 19:50:07 +0800
Subject: [PATCH] CVE-2023-23601
---
dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
dom/events/DataTransfer.cpp | 11 +++++++++++
dom/events/DataTransfer.h | 3 +++
dom/webidl/DataTransfer.webidl | 7 +++++++
4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
index 26764ac..adce0e1 100644
--- a/dom/base/ContentAreaDropListener.jsm
+++ b/dom/base/ContentAreaDropListener.jsm
@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
return true;
}
- let sourceNode = dataTransfer.mozSourceNode;
- if (!sourceNode) {
+ // If this is an external drag, allow drop.
+ let sourceWC = dataTransfer.sourceWindowContext;
+ if (!sourceWC) {
return true;
}
- // don't allow a drop of a node from the same document onto this one
- let sourceDocument = sourceNode.ownerDocument;
- let eventDocument = aEvent.originalTarget.ownerDocument;
- if (sourceDocument == eventDocument) {
+ // If drag source and drop target are in the same top window, don't allow.
+ let eventWC =
+ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
+ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
return false;
}
- // also check for nodes in other child or sibling frames by checking
- // if both have the same top window.
- if (sourceDocument && eventDocument) {
- if (sourceDocument.defaultView == null) {
- return true;
- }
- let sourceRoot = sourceDocument.defaultView.top;
- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
- return false;
- }
- }
-
return true;
},
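Review bot: When `eventWC` is null, the `eventWC &&` guard skips the same-top-window comparison and the function falls through to `return true`, so an internally sourced drag is allowed whenever the target's window context cannot be resolved. The chain `aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext` is also dereferenced without null checks, so a target lacking an `ownerGlobal` or `browsingContext` would throw instead of returning a decision. If no legitimate drop reaches this point with a null `eventWC`, failing closed is the safer default: `if (!eventWC || sourceWC.topWindowContext == eventWC.topWindowContext) {`. Otherwise a comment stating why a null `eventWC` is allowed would help. The enclosing function starts above the hunk, so earlier checks are not visible here.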
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 4c623a2..e725e8d 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -435,6 +435,17 @@ already_AddRefed<nsINode> DataTransfer::GetMozSourceNode() {
return sourceNode.forget();
}
+already_AddRefed<WindowContext> DataTransfer::GetSourceWindowContext() {
+ nsCOMPtr<nsIDragSession> dragSession = nsContentUtils::GetDragSession();
+ if (!dragSession) {
+ return nullptr;
+ }
+
+ RefPtr<WindowContext> sourceWindowContext;
+ dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext));
+ return sourceWindowContext.forget();
+}
+
already_AddRefed<DOMStringList> DataTransfer::MozTypesAt(
uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
// Only the first item is valid for clipboard events
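Review bot: `GetSourceWindowContext()` depends on `nsIDragSession` exposing `GetSourceWindowContext` and on a complete `WindowContext` type for `RefPtr<WindowContext>`, yet none of the four files in this patch adds that interface attribute or an include for the WindowContext header (DataTransfer.h only forward-declares the class). If the 78 tree does not already provide both, this backport will not build, or may build only through unified-source includes, so that is worth confirming before relying on the fix. The nsresult of the call is also discarded, so a failing getter returns null, which ContentAreaDropListener.jsm treats as an external drag and allows. A short comment above the call, such as `// Null (including on failure) is treated as an external drag by callers.`, would make that explicit.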
diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
index 1d3305e..c086e02 100644
--- a/dom/events/DataTransfer.h
+++ b/dom/events/DataTransfer.h
@@ -40,6 +40,7 @@ class FileList;
class Promise;
template <typename T>
class Optional;
+class WindowContext;
#define NS_DATATRANSFER_IID \
{ \
@@ -257,6 +258,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
already_AddRefed<nsINode> GetMozSourceNode();
+ already_AddRefed<WindowContext> GetSourceWindowContext();
+
/*
* Integer version of dropEffect, set to one of the constants in
* nsIDragService.
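Review bot: The new declaration `GetSourceWindowContext()` has no comment, and the WebIDL comment in DataTransfer.webidl documents null only for external drags, while the implementation in DataTransfer.cpp also returns null when there is no drag session. Since ContentAreaDropListener.jsm allows the drop on a null value, the contract is security-relevant and should be stated where callers look. I would add `// Window context the drag started in; null for external drags or when no drag session exists.` above the declaration and extend the WebIDL comment to match.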
diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
index f37bcf7..ac019a5 100644
--- a/dom/webidl/DataTransfer.webidl
+++ b/dom/webidl/DataTransfer.webidl
@@ -159,6 +159,13 @@ partial interface DataTransfer {
[UseCounter]
readonly attribute Node? mozSourceNode;
+ /**
+ * The window context that mouse was pressed over to begin the drag. For
+ * external drags, this will be null.
+ */
+ [ChromeOnly]
+ readonly attribute WindowContext? sourceWindowContext;
+
/**
* The URI spec of the triggering principal. This may be different than
* sourceNode's principal when sourceNode is xul:browser and the drag is
--
2.27.0