[or-cvs] r12084: Fix bug 522: block plugins from loading if user directly cli (in torbutton/trunk/src: . chrome/content components)

mikeperry at seul.org mikeperry at seul.org
Sun Oct 21 21:08:40 UTC 2007


Author: mikeperry
Date: 2007-10-21 17:08:40 -0400 (Sun, 21 Oct 2007)
New Revision: 12084

Modified:
   torbutton/trunk/src/CHANGELOG
   torbutton/trunk/src/chrome/content/torbutton.js
   torbutton/trunk/src/components/cssblocker.js
   torbutton/trunk/src/install.rdf
Log:

Fix bug 522: block plugins from loading if user directly
clicks on plugin-handled mime-type via Tor. Bug discovered by
goldy. Updated changelog. Updated install.rdf to point to
https page



Modified: torbutton/trunk/src/CHANGELOG
===================================================================
--- torbutton/trunk/src/CHANGELOG	2007-10-21 10:42:21 UTC (rev 12083)
+++ torbutton/trunk/src/CHANGELOG	2007-10-21 21:08:40 UTC (rev 12084)
@@ -1,3 +1,9 @@
+1.1.9
+  21 Oct 2007
+  * bugfix: bug 521: Fix yet more false positive popups introduced in 1.1.8
+  * bugfix: bug 522: Block loading of direct clicks of plugin-handled content 
+    (discovered by goldy).
+
 1.1.8
   01 Oct 2007
   * bugfix: bug 503: Prevent sessionstore from writing Tor tabs to disk

Modified: torbutton/trunk/src/chrome/content/torbutton.js
===================================================================
--- torbutton/trunk/src/chrome/content/torbutton.js	2007-10-21 10:42:21 UTC (rev 12083)
+++ torbutton/trunk/src/chrome/content/torbutton.js	2007-10-21 21:08:40 UTC (rev 12084)
@@ -6,6 +6,7 @@
 var m_tb_wasinited = false;
 var m_tb_prefs = false;
 var m_tb_jshooks = false;
+var m_tb_plugin_mimetypes = false;
 
 var torbutton_pref_observer =
 {
@@ -928,6 +929,8 @@
             getService(Components.interfaces.nsIWebProgress);
 
         progress.addProgressListener(torbutton_weblistener,
+//                Components.interfaces.nsIWebProgress.NOTIFY_STATE_ALL|
+//                Components.interfaces.nsIWebProgress.NOTIFY_ALL);
                 Components.interfaces.nsIWebProgress.NOTIFY_STATE_DOCUMENT|
                 Components.interfaces.nsIWebProgress.NOTIFY_LOCATION);
 
@@ -936,6 +939,17 @@
     }
 }
 
+function torbutton_get_plugin_mimetypes()
+{
+    m_tb_plugin_mimetypes = { null : null };
+    for(var i = 0; i < window.navigator.mimeTypes.length; ++i) {
+        var mime = window.navigator.mimeTypes.item(i);
+        if(mime && mime.enabledPlugin) {
+            m_tb_plugin_mimetypes[mime.type] = true;
+        }
+    }
+}
+
 function torbutton_new_tab(event)
 { 
     // listening for new tabs
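Review bot: In `torbutton_get_plugin_mimetypes`, seeding the table with `{ null : null }` creates a real key named "null", and the later `aRequest.contentType in m_tb_plugin_mimetypes` test also matches property names inherited from Object.prototype, so membership is broader than the set of plugin MIME types. Start from `m_tb_plugin_mimetypes = {};` and have the lookup test `m_tb_plugin_mimetypes[type] === true`. The only call visible in this diff is in the startup path, so a plugin enabled later in the session would presumably not be in the table. A comment above the function stating that limitation would make the guarantee explicit.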
@@ -962,6 +976,8 @@
     torbutton_do_onetime_startup();
     torbutton_crash_recover();
 
+    torbutton_get_plugin_mimetypes();
+
     torbutton_tag_new_browser(browser.browsers[0], 
             !m_tb_prefs.getBoolPref("extensions.torbutton.tor_enabled"),
             m_tb_prefs.getBoolPref("extensions.torbutton.no_tor_plugins"));
@@ -1157,14 +1173,26 @@
     return;
 }
 
-function torbutton_check_progress(aProgress) {
-    // This fires when the location bar changes i.e load event is confirmed
-    // or when the user switches tabs
+function torbutton_check_progress(aProgress, aRequest) {
+    // This noise is a workaround for the fact that docShell.allowPlugins
+    // is ignored when you directly click on a link
+    if(aRequest instanceof Components.interfaces.nsIChannel
+            && aRequest.isPending() 
+            && m_tb_prefs.getBoolPref("extensions.torbutton.tor_enabled")
+            && m_tb_prefs.getBoolPref("extensions.torbutton.no_tor_plugins")) {
+        try {
+            torbutton_eclog(2, 'LocChange: '+aRequest.contentType);
 
-    // XXX: Warning! this can also fire when the 'debuglogger' extension
-    // updates its window. Typically for this, doc.domain is null. Do not
-    // log in this case (until we find a better way to filter those
-    // events out). Use torbutton_eclog for common-path stuff.
+            if (aRequest.contentType in m_tb_plugin_mimetypes) {
+                aRequest.cancel(0x804b0002);
+                window.alert("Torbutton blocked direct Tor load of plugin content.\n\nUse Save-As instead.\n\n");
+                return 0;
+            }
+        } catch(e) {
+            torbutton_eclog(3, 'Exception on request cancel');
+        }
+    }
+
     if(aProgress) {
         var doc = aProgress.DOMWindow.document;
         try {
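Review bot: The new check in `torbutton_check_progress` fails open: any exception raised inside the `try` is swallowed by `catch(e)` with a fixed message, and the load continues uncancelled. That includes the case where `m_tb_plugin_mimetypes` still holds its initial `false` (declared at the top of this file), because `in` on a non-object throws. Log the exception itself with `torbutton_eclog(3, 'Exception on request cancel: '+e);` and initialise the table to `{}` so the lookup cannot throw. The literal `0x804b0002` would read better as `Components.results.NS_BINDING_ABORTED`. The function body continues past the end of this hunk.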
@@ -1179,6 +1207,10 @@
     return 0;
 }
 
+// Warning: These can also fire when the 'debuglogger' extension
+// updates its window. Typically for this, doc.domain is null. Do not
+// log in this case (until we find a better way to filter those
+// events out). Use torbutton_eclog for common-path stuff.
 var torbutton_weblistener =
 {
   QueryInterface: function(aIID)
@@ -1193,25 +1225,25 @@
   onStateChange: function(aProgress, aRequest, aFlag, aStatus)
   { 
       torbutton_eclog(1, 'State change()');
-      return torbutton_check_progress(aProgress);
+      return torbutton_check_progress(aProgress, aRequest);
   },
 
   onLocationChange: function(aProgress, aRequest, aURI)
   {
       torbutton_eclog(1, 'onLocationChange: '+aURI.asciiSpec);
-      return torbutton_check_progress(aProgress);
+      return torbutton_check_progress(aProgress, aRequest);
   },
 
-  onProgressChange: function(aProgress, request, curSelfProgress, maxSelfProgress, curTotalProgress, maxTotalProgress) 
+  onProgressChange: function(aProgress, aRequest, curSelfProgress, maxSelfProgress, curTotalProgress, maxTotalProgress) 
   { 
       torbutton_eclog(1, 'called progressChange'); 
-      return torbutton_check_progress(aProgress);
+      return torbutton_check_progress(aProgress, aRequest);
   },
   
-  onStatusChange: function(aProgress, request, stat, message) 
+  onStatusChange: function(aProgress, aRequest, stat, message) 
   { 
       torbutton_eclog(1, 'called progressChange'); 
-      return torbutton_check_progress(aProgress);
+      return torbutton_check_progress(aProgress, aRequest);
   },
   
   onSecurityChange: function() {return 0;},
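Review bot: `onStatusChange` still logs `'called progressChange'`, the same label as `onProgressChange`, so now that both handlers run the plugin check the debug log cannot show which callback cancelled a request. Change it to `torbutton_eclog(1, 'called statusChange');`. Separately, the listener is registered earlier in this file with only `NOTIFY_STATE_DOCUMENT|NOTIFY_LOCATION`, so these two handlers presumably never fire and the `aRequest` plumbing in them is inert for now, which deserves a one-line comment. The `torbutton_weblistener` object starts and ends outside this hunk.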

Modified: torbutton/trunk/src/components/cssblocker.js
===================================================================
--- torbutton/trunk/src/components/cssblocker.js	2007-10-21 10:42:21 UTC (rev 12083)
+++ torbutton/trunk/src/components/cssblocker.js	2007-10-21 21:08:40 UTC (rev 12084)
@@ -148,6 +148,18 @@
 			wind = node;
 		}
 
+        if (contentType == 5) { // Object
+            // Never seems to happen.. But it would be nice if we 
+            // could handle it either here or shouldProcess, instead of in 
+            // the webprogresslistener
+            if(!torTag) {
+                if(this._prefs.getBoolPref("extensions.torbutton.no_tor_plugins")) {
+                    this.log("Blocking object at "+contentLocation.spec+"\n");
+                    return block;
+                }
+            }
+        }
+
         if (!wind || !wind.top.location || !wind.top.location.href) {
             this.log("Skipping no location: "+contentLocation.spec+"\n");
 			return ok;
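Review bot: `contentType == 5` hard-codes the content-policy type; compare against `Components.interfaces.nsIContentPolicy.TYPE_OBJECT` so the intent does not depend on the trailing `// Object` comment. The two nested `if`s can be one condition, `if(!torTag && this._prefs.getBoolPref("extensions.torbutton.no_tor_plugins")) {`. The added lines are space-indented inside a tab-indented function, and the author's own comment says the branch has not been observed to run, so treat it as untested. The meaning of `torTag` and the start of the function are outside this hunk.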
@@ -175,6 +187,7 @@
             return block;
         }
 
+
         if(browser.__tb_js_state == torTag)
             return ok;
         else {
@@ -185,8 +198,12 @@
 	},
 
 	shouldProcess: function(contentType, contentLocation, requestOrigin, insecNode, mimeType, extra) {
-		return ok;
-	}
+        // Were this actually ever called, it might be useful :(
+        // Instead, related functionality has been grafted onto the 
+        // webprogresslistener :(	
+        // See mozilla bugs 380556, 305699, 309524
+        return ok;
+	},
 };
 
 /*
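Review bot: The new comment in `shouldProcess` says the hook is never called but does not say where the replacement check lives, which is what a later reader auditing the plugin block needs. Name it: `// Not called by Gecko for these loads (mozilla bugs 380556, 305699, 309524); plugin blocking is done in torbutton_check_progress() in chrome/content/torbutton.js.` The added line ending in `webprogresslistener :(` also carries a trailing tab.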

Modified: torbutton/trunk/src/install.rdf
===================================================================
--- torbutton/trunk/src/install.rdf	2007-10-21 10:42:21 UTC (rev 12083)
+++ torbutton/trunk/src/install.rdf	2007-10-21 21:08:40 UTC (rev 12084)
@@ -7,7 +7,7 @@
         <em:creator>Scott Squires &amp; Mike Perry</em:creator>
         <em:id>{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}</em:id>
         <em:version>1.1.8-alpha-dev</em:version>
-        <em:homepageURL>http://torbutton.torproject.org/dev/</em:homepageURL>
+        <em:homepageURL>https://torbutton.torproject.org/dev/</em:homepageURL>
         <em:optionsURL>chrome://torbutton/content/preferences.xul</em:optionsURL>
         <em:iconURL>chrome://torbutton/skin/tor.png</em:iconURL>
 


