[tor-commits] [tor-browser/tor-browser-31.4.0esr-4.5-1] fixup! Bug 12430: Disable external jar: via preference

[mikeperry at torproject.org]

commit cc60be8eee7b39138adb44c09d0905f8fb7fb0c9
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Wed Feb 11 14:52:15 2015 -0800

    fixup! Bug 12430: Disable external jar: via preference
    
    Actually, we should block remote JARs before the load.
---
 modules/libjar/nsJARChannel.cpp |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/libjar/nsJARChannel.cpp b/modules/libjar/nsJARChannel.cpp
index f958554..6fcdac8 100644
--- a/modules/libjar/nsJARChannel.cpp
+++ b/modules/libjar/nsJARChannel.cpp
@@ -764,6 +764,12 @@ nsJARChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *ctx)
     if (NS_FAILED(rv))
         return rv;
 
+    // Check preferences to see if all remote jar support should be disabled
+    if (!mJarFile && Preferences::GetBool("network.jar.block-remote-files", true)) {
+        mIsUnsafe = true;
+        return NS_ERROR_UNSAFE_CONTENT_TYPE;
+    }
+
     // These variables must only be set if we're going to trigger an
     // OnStartRequest, either from AsyncRead or OnDownloadComplete.
     // 
@@ -898,7 +904,8 @@ nsJARChannel::OnDownloadComplete(nsIDownloader *downloader,
         mContentDisposition = NS_GetContentDispositionFromHeader(mContentDispositionHeader, this);
     }
 
-    // here we check preferences to see if all remote jar support should be disabled
+    // This is a defense-in-depth check for the preferences to see if all remote jar
+    // support should be disabled. This check may not be needed.
     if (Preferences::GetBool("network.jar.block-remote-files", true)) {
         mIsUnsafe = true;
         status = NS_ERROR_UNSAFE_CONTENT_TYPE;