ma1 pushed to branch mullvad-browser-115.14.0esr-13.5-1 at The Tor Project / Applications / Mullvad Browser Commits: 56186dd9 by hackademix at 2024-08-22T00:37:37+02:00 fixup! Bug 42835: Create an actor to filter file data transfers Bug 43064: Make file filtering more specific - - - - - 1 changed file: - toolkit/actors/FilesFilterChild.sys.mjs Changes: ===================================== toolkit/actors/FilesFilterChild.sys.mjs ===================================== @@ -12,11 +12,14 @@ ChromeUtils.defineLazyGetter(lazy, "console", () => { export class FilesFilterChild extends JSWindowActorChild { handleEvent(event) { + if (!Services.prefs.getBoolPref("browser.filesfilter.enabled", true)) { + return; + } // drop or paste const { composedTarget } = event; const dt = event.clipboardData || event.dataTransfer; - if (dt.files.length) { + if ([...dt.files].some(f => f.mozFullPath)) { if ( ["HTMLInputElement", "HTMLTextAreaElement"].includes( ChromeUtils.getClassName(composedTarget) @@ -25,7 +28,7 @@ export class FilesFilterChild extends JSWindowActorChild { event.preventDefault(); lazy.console.log( `Preventing path leak on ${event.type} for ${[...dt.files] - .map(f => f.name) + .map(f => `${f.name} (${f.mozFullPath})`) .join(", ")}.` ); } @@ -33,7 +36,7 @@ export class FilesFilterChild extends JSWindowActorChild { } // "Paste Without Formatting" (ctrl+shift+V) in HTML editors coerces files into paths - if (!(event.clipboardData && dt.getData("text"))) { + if (!(event.clipboardData && /[\/\\]/.test(dt.getData("text")))) { return; } View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/5618... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/5618... You're receiving this email because of your account on gitlab.torproject.org.