ma1 pushed to branch base-browser-128.1.0esr-14.0-1 at The Tor Project / Applications / Tor Browser
Commits: ac2dbd4d by hackademix at 2024-08-02T22:23:38+02:00 Bug 42835: Create an actor to filter file data transfers
- - - - -
4 changed files:
- + toolkit/actors/FilesFilterChild.sys.mjs - + toolkit/actors/FilesFilterParent.sys.mjs - toolkit/actors/moz.build - toolkit/modules/ActorManagerParent.sys.mjs
Changes:
===================================== toolkit/actors/FilesFilterChild.sys.mjs ===================================== @@ -0,0 +1,61 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +const lazy = {}; + +ChromeUtils.defineLazyGetter(lazy, "console", () => { + return console.createInstance({ + prefix: "FilesFilter", + }); +}); + +export class FilesFilterChild extends JSWindowActorChild { + handleEvent(event) { + // drop or paste + const { composedTarget } = event; + const dt = event.clipboardData || event.dataTransfer; + + if (dt.files.length) { + if ( + ["HTMLInputElement", "HTMLTextAreaElement"].includes( + ChromeUtils.getClassName(composedTarget) + ) + ) { + event.preventDefault(); + lazy.console.log( + `Preventing path leak on ${event.type} for ${[...dt.files] + .map(f => f.name) + .join(", ")}.` + ); + } + return; + } + + // "Paste Without Formatting" (ctrl+shift+V) in HTML editors coerces files into paths + if (!(event.clipboardData && dt.getData("text"))) { + return; + } + + // check wether the clipboard contains a file + const { clipboard } = Services; + if ( + [clipboard.kSelectionClipboard, clipboard.kGlobalClipboard].some( + clipboardType => + clipboard.isClipboardTypeSupported(clipboardType) && + clipboard.hasDataMatchingFlavors( + ["application/x-moz-file"], + clipboardType + ) + ) + ) { + event.preventDefault(); + event.stopPropagation(); + lazy.console.log( + `Preventing path leak on "Paste Without Formatting" for ${dt.getData( + "text" + )}.` + ); + } + } +}
===================================== toolkit/actors/FilesFilterParent.sys.mjs ===================================== @@ -0,0 +1,7 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +export class FilesFilterParent extends JSWindowActorParent { + // just a stub for now +}
===================================== toolkit/actors/moz.build ===================================== @@ -53,6 +53,8 @@ FINAL_TARGET_FILES.actors += [ "DateTimePickerChild.sys.mjs", "DateTimePickerParent.sys.mjs", "ExtFindChild.sys.mjs", + "FilesFilterChild.sys.mjs", + "FilesFilterParent.sys.mjs", "FindBarChild.sys.mjs", "FindBarParent.sys.mjs", "FinderChild.sys.mjs",
===================================== toolkit/modules/ActorManagerParent.sys.mjs ===================================== @@ -285,6 +285,22 @@ let JSWINDOWACTORS = { allFrames: true, },
+ FilesFilter: { + parent: { + esModuleURI: "resource://gre/actors/FilesFilterParent.sys.mjs", + }, + + child: { + esModuleURI: "resource://gre/actors/FilesFilterChild.sys.mjs", + events: { + drop: {}, + paste: { capture: true }, + }, + }, + + allFrames: true, + }, + FindBar: { parent: { esModuleURI: "resource://gre/actors/FindBarParent.sys.mjs",
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ac2dbd4d...