summaryrefslogtreecommitdiff
path: root/netwerk/test/unit/test_bug337744.js
blob: bcf8cdb74967040dd598c3395496f84189a497d8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
/* verify that certain invalid URIs are not parsed by the resource
   protocol handler */

Cu.import("resource://gre/modules/NetUtil.jsm");
Cu.import("resource://gre/modules/Services.jsm");

const specs = [
  "resource://res-test//",
  "resource://res-test/?foo=http:",
  "resource://res-test/?foo=" + encodeURIComponent("http://example.com/"),
  "resource://res-test/?foo=" + encodeURIComponent("x\\y"),
  "resource://res-test/..%2F",
  "resource://res-test/..%2f",
  "resource://res-test/..%2F..",
  "resource://res-test/..%2f..",
  "resource://res-test/../../",
  "resource://res-test/http://www.mozilla.org/",
  "resource://res-test/file:///",
];

const error_specs = [
  "resource://res-test/..\\",
  "resource://res-test/..\\..\\",
  "resource://res-test/..%5C",
  "resource://res-test/..%5c",
];

// Create some fake principal that has not enough
// privileges to access any resource: uri.
var uri = NetUtil.newURI("http://www.example.com", null, null);
var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});

function get_channel(spec)
{
  var channelURI = NetUtil.newURI(spec, null, null);

  var channel = NetUtil.newChannel({
    uri: NetUtil.newURI(spec, null, null),
    loadingPrincipal: principal,
    securityFlags: Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
    contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER
  });

  try {
    channel.asyncOpen2(null);
    ok(false, "asyncOpen2() of URI: " + spec + "should throw");
  }
  catch (e) {
    // make sure we get the right error code in the exception
    // ERROR code for NS_ERROR_DOM_BAD_URI is 1012
    equal(e.code, 1012);
  }

  try {
    channel.open2();
    ok(false, "Open2() of uri: " + spec + "should throw");
  }
  catch (e) {
    // make sure we get the right error code in the exception
    // ERROR code for NS_ERROR_DOM_BAD_URI is 1012
    equal(e.code, 1012);
  }

  return channel;
}

function check_safe_resolution(spec, rootURI)
{
  do_print(`Testing URL "${spec}"`);

  let channel = get_channel(spec);

  ok(channel.name.startsWith(rootURI), `URL resolved safely to ${channel.name}`);
  ok(!/%2f/i.test(channel.name), `URL contains no escaped / characters`);
}

function check_resolution_error(spec)
{
  try {
    get_channel(spec);
    ok(false, "Expected an error");
  } catch (e) {
    equal(e.result, Components.results.NS_ERROR_MALFORMED_URI,
          "Expected a malformed URI error");
  }
}

function run_test() {
  // resource:/// and resource://gre/ are resolved specially, so we need
  // to create a temporary resource package to test the standard logic
  // with.

  let resProto = Cc['@mozilla.org/network/protocol;1?name=resource'].getService(Ci.nsIResProtocolHandler);
  let rootFile = Services.dirsvc.get("GreD", Ci.nsIFile);
  let rootURI = Services.io.newFileURI(rootFile);

  resProto.setSubstitution("res-test", rootURI);
  do_register_cleanup(() => {
    resProto.setSubstitution("res-test", null);
  });

  let baseRoot = resProto.resolveURI(Services.io.newURI("resource:///", null, null));
  let greRoot = resProto.resolveURI(Services.io.newURI("resource://gre/", null, null));

  for (var spec of specs) {
    check_safe_resolution(spec, rootURI.spec);
    check_safe_resolution(spec.replace("res-test", ""), baseRoot);
    check_safe_resolution(spec.replace("res-test", "gre"), greRoot);
  }

  for (var spec of error_specs) {
    check_resolution_error(spec);
  }
}