/src/mozilla-central/dom/cache/PrincipalVerifier.cpp

Source (jump to first uncovered line)
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "mozilla/dom/cache/PrincipalVerifier.h"

#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/cache/ManagerId.h"
#include "mozilla/ipc/BackgroundParent.h"
#include "mozilla/ipc/PBackgroundParent.h"
#include "mozilla/ipc/BackgroundUtils.h"
#include "nsContentUtils.h"
#include "nsIPrincipal.h"
#include "nsIScriptSecurityManager.h"
#include "nsNetUtil.h"

namespace mozilla {
namespace dom {
namespace cache {

using mozilla::ipc::AssertIsOnBackgroundThread;
using mozilla::ipc::BackgroundParent;
using mozilla::ipc::PBackgroundParent;
using mozilla::ipc::PrincipalInfo;
using mozilla::ipc::PrincipalInfoToPrincipal;

// static
already_AddRefed<PrincipalVerifier>
PrincipalVerifier::CreateAndDispatch(Listener* aListener,
                                     PBackgroundParent* aActor,
                                     const PrincipalInfo& aPrincipalInfo)
{
  // We must get the ContentParent actor from the PBackgroundParent.  This
  // only works on the PBackground thread.
  AssertIsOnBackgroundThread();

  RefPtr<PrincipalVerifier> verifier = new PrincipalVerifier(aListener,
                                                               aActor,
                                                               aPrincipalInfo);

  MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(verifier));

  return verifier.forget();
}

void
PrincipalVerifier::AddListener(Listener* aListener)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(aListener);
  MOZ_ASSERT(!mListenerList.Contains(aListener));
  mListenerList.AppendElement(aListener);
}

void
PrincipalVerifier::RemoveListener(Listener* aListener)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(aListener);
  MOZ_ALWAYS_TRUE(mListenerList.RemoveElement(aListener));
}

PrincipalVerifier::PrincipalVerifier(Listener* aListener,
                                     PBackgroundParent* aActor,
                                     const PrincipalInfo& aPrincipalInfo)
  : Runnable("dom::cache::PrincipalVerifier")
  , mActor(BackgroundParent::GetContentParent(aActor))
  , mPrincipalInfo(aPrincipalInfo)
  , mInitiatingEventTarget(GetCurrentThreadSerialEventTarget())
  , mResult(NS_OK)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(mInitiatingEventTarget);
  MOZ_DIAGNOSTIC_ASSERT(aListener);

  mListenerList.AppendElement(aListener);
}

PrincipalVerifier::~PrincipalVerifier()
{
  // Since the PrincipalVerifier is a Runnable that executes on multiple
  // threads, its a race to see which thread de-refs us last.  Therefore
  // we cannot guarantee which thread we destruct on.

  MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());

  // We should always be able to explicitly release the actor on the main
  // thread.
  MOZ_DIAGNOSTIC_ASSERT(!mActor);
}

NS_IMETHODIMP
PrincipalVerifier::Run()
{
  // Executed twice.  First, on the main thread and then back on the
  // originating thread.

  if (NS_IsMainThread()) {
    VerifyOnMainThread();
    return NS_OK;
  }

  CompleteOnInitiatingThread();
  return NS_OK;
}

void
PrincipalVerifier::VerifyOnMainThread()
{
  MOZ_ASSERT(NS_IsMainThread());

  // No matter what happens, we need to release the actor before leaving
  // this method.
  RefPtr<ContentParent> actor;
  actor.swap(mActor);

  nsresult rv;
  RefPtr<nsIPrincipal> principal = PrincipalInfoToPrincipal(mPrincipalInfo,
                                                              &rv);
  if (NS_WARN_IF(NS_FAILED(rv))) {
    DispatchToInitiatingThread(rv);
    return;
  }

  // We disallow null principal on the client side, but double-check here.
  if (NS_WARN_IF(principal->GetIsNullPrincipal())) {
    DispatchToInitiatingThread(NS_ERROR_FAILURE);
    return;
  }

  nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
  if (NS_WARN_IF(!ssm)) {
    DispatchToInitiatingThread(NS_ERROR_ILLEGAL_DURING_SHUTDOWN);
    return;
  }

  // Verify if a child process uses system principal, which is not allowed
  // to prevent system principal is spoofed.
  if (NS_WARN_IF(actor && ssm->IsSystemPrincipal(principal))) {
    DispatchToInitiatingThread(NS_ERROR_FAILURE);
    return;
  }

  actor = nullptr;

#ifdef DEBUG
  // Sanity check principal origin by using it to construct a URI and security
  // checking it.  Don't do this for the system principal, though, as its origin
  // is a synthetic [System Principal] string.
  if (!ssm->IsSystemPrincipal(principal)) {
    nsAutoCString origin;
    rv = principal->GetOriginNoSuffix(origin);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
    nsCOMPtr<nsIURI> uri;
    rv = NS_NewURI(getter_AddRefs(uri), origin);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
    rv = principal->CheckMayLoad(uri, false, false);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
  }
#endif

  rv = ManagerId::Create(principal, getter_AddRefs(mManagerId));
  if (NS_WARN_IF(NS_FAILED(rv))) {
    DispatchToInitiatingThread(rv);
    return;
  }

  DispatchToInitiatingThread(NS_OK);
}

void
PrincipalVerifier::CompleteOnInitiatingThread()
{
  AssertIsOnBackgroundThread();
  ListenerList::ForwardIterator iter(mListenerList);
  while (iter.HasMore()) {
    iter.GetNext()->OnPrincipalVerified(mResult, mManagerId);
  }

  // The listener must clear its reference in OnPrincipalVerified()
  MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());
}

void
PrincipalVerifier::DispatchToInitiatingThread(nsresult aRv)
{
  MOZ_ASSERT(NS_IsMainThread());

  mResult = aRv;

  // The Cache ShutdownObserver does not track all principal verifiers, so we
  // cannot ensure this always succeeds.  Instead, simply warn on failures.
  // This will result in a new CacheStorage object delaying operations until
  // shutdown completes and the browser goes away.  This is as graceful as
  // we can get here.
  nsresult rv = mInitiatingEventTarget->Dispatch(this, nsIThread::DISPATCH_NORMAL);
  if (NS_FAILED(rv)) {
    NS_WARNING("Cache unable to complete principal verification due to shutdown.");
  }
}

} // namespace cache
} // namespace dom
} // namespace mozilla

Coverage Report

Created: 2018-09-25 14:53

Line	Count	Source (jump to first uncovered line)
1		/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */
2		/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3		/* This Source Code Form is subject to the terms of the Mozilla Public
4		* License, v. 2.0. If a copy of the MPL was not distributed with this
5		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7		#include "mozilla/dom/cache/PrincipalVerifier.h"
8
9		#include "mozilla/dom/ContentParent.h"
10		#include "mozilla/dom/cache/ManagerId.h"
11		#include "mozilla/ipc/BackgroundParent.h"
12		#include "mozilla/ipc/PBackgroundParent.h"
13		#include "mozilla/ipc/BackgroundUtils.h"
14		#include "nsContentUtils.h"
15		#include "nsIPrincipal.h"
16		#include "nsIScriptSecurityManager.h"
17		#include "nsNetUtil.h"
18
19		namespace mozilla {
20		namespace dom {
21		namespace cache {
22
23		using mozilla::ipc::AssertIsOnBackgroundThread;
24		using mozilla::ipc::BackgroundParent;
25		using mozilla::ipc::PBackgroundParent;
26		using mozilla::ipc::PrincipalInfo;
27		using mozilla::ipc::PrincipalInfoToPrincipal;
28
29		// static
30		already_AddRefed<PrincipalVerifier>
31		PrincipalVerifier::CreateAndDispatch(Listener* aListener,
32		PBackgroundParent* aActor,
33		const PrincipalInfo& aPrincipalInfo)
34	0	{
35	0	// We must get the ContentParent actor from the PBackgroundParent. This
36	0	// only works on the PBackground thread.
37	0	AssertIsOnBackgroundThread();
38	0
39	0	RefPtr<PrincipalVerifier> verifier = new PrincipalVerifier(aListener,
40	0	aActor,
41	0	aPrincipalInfo);
42	0
43	0	MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(verifier));
44	0
45	0	return verifier.forget();
46	0	}
47
48		void
49		PrincipalVerifier::AddListener(Listener* aListener)
50	0	{
51	0	AssertIsOnBackgroundThread();
52	0	MOZ_DIAGNOSTIC_ASSERT(aListener);
53	0	MOZ_ASSERT(!mListenerList.Contains(aListener));
54	0	mListenerList.AppendElement(aListener);
55	0	}
56
57		void
58		PrincipalVerifier::RemoveListener(Listener* aListener)
59	0	{
60	0	AssertIsOnBackgroundThread();
61	0	MOZ_DIAGNOSTIC_ASSERT(aListener);
62	0	MOZ_ALWAYS_TRUE(mListenerList.RemoveElement(aListener));
63	0	}
64
65		PrincipalVerifier::PrincipalVerifier(Listener* aListener,
66		PBackgroundParent* aActor,
67		const PrincipalInfo& aPrincipalInfo)
68		: Runnable("dom::cache::PrincipalVerifier")
69		, mActor(BackgroundParent::GetContentParent(aActor))
70		, mPrincipalInfo(aPrincipalInfo)
71		, mInitiatingEventTarget(GetCurrentThreadSerialEventTarget())
72		, mResult(NS_OK)
73	0	{
74	0	AssertIsOnBackgroundThread();
75	0	MOZ_DIAGNOSTIC_ASSERT(mInitiatingEventTarget);
76	0	MOZ_DIAGNOSTIC_ASSERT(aListener);
77	0
78	0	mListenerList.AppendElement(aListener);
79	0	}
80
81		PrincipalVerifier::~PrincipalVerifier()
82	0	{
83	0	// Since the PrincipalVerifier is a Runnable that executes on multiple
84	0	// threads, its a race to see which thread de-refs us last. Therefore
85	0	// we cannot guarantee which thread we destruct on.
86	0
87	0	MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());
88	0
89	0	// We should always be able to explicitly release the actor on the main
90	0	// thread.
91	0	MOZ_DIAGNOSTIC_ASSERT(!mActor);
92	0	}
93
94		NS_IMETHODIMP
95		PrincipalVerifier::Run()
96	0	{
97	0	// Executed twice. First, on the main thread and then back on the
98	0	// originating thread.
99	0
100	0	if (NS_IsMainThread()) {
101	0	VerifyOnMainThread();
102	0	return NS_OK;
103	0	}
104	0
105	0	CompleteOnInitiatingThread();
106	0	return NS_OK;
107	0	}
108
109		void
110		PrincipalVerifier::VerifyOnMainThread()
111	0	{
112	0	MOZ_ASSERT(NS_IsMainThread());
113	0
114	0	// No matter what happens, we need to release the actor before leaving
115	0	// this method.
116	0	RefPtr<ContentParent> actor;
117	0	actor.swap(mActor);
118	0
119	0	nsresult rv;
120	0	RefPtr<nsIPrincipal> principal = PrincipalInfoToPrincipal(mPrincipalInfo,
121	0	&rv);
122	0	if (NS_WARN_IF(NS_FAILED(rv))) {
123	0	DispatchToInitiatingThread(rv);
124	0	return;
125	0	}
126	0
127	0	// We disallow null principal on the client side, but double-check here.
128	0	if (NS_WARN_IF(principal->GetIsNullPrincipal())) {
129	0	DispatchToInitiatingThread(NS_ERROR_FAILURE);
130	0	return;
131	0	}
132	0
133	0	nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
134	0	if (NS_WARN_IF(!ssm)) {
135	0	DispatchToInitiatingThread(NS_ERROR_ILLEGAL_DURING_SHUTDOWN);
136	0	return;
137	0	}
138	0
139	0	// Verify if a child process uses system principal, which is not allowed
140	0	// to prevent system principal is spoofed.
141	0	if (NS_WARN_IF(actor && ssm->IsSystemPrincipal(principal))) {
142	0	DispatchToInitiatingThread(NS_ERROR_FAILURE);
143	0	return;
144	0	}
145	0
146	0	actor = nullptr;
147	0
148		#ifdef DEBUG
149		// Sanity check principal origin by using it to construct a URI and security
150		// checking it. Don't do this for the system principal, though, as its origin
151		// is a synthetic [System Principal] string.
152		if (!ssm->IsSystemPrincipal(principal)) {
153		nsAutoCString origin;
154		rv = principal->GetOriginNoSuffix(origin);
155		if (NS_WARN_IF(NS_FAILED(rv))) {
156		DispatchToInitiatingThread(rv);
157		return;
158		}
159		nsCOMPtr<nsIURI> uri;
160		rv = NS_NewURI(getter_AddRefs(uri), origin);
161		if (NS_WARN_IF(NS_FAILED(rv))) {
162		DispatchToInitiatingThread(rv);
163		return;
164		}
165		rv = principal->CheckMayLoad(uri, false, false);
166		if (NS_WARN_IF(NS_FAILED(rv))) {
167		DispatchToInitiatingThread(rv);
168		return;
169		}
170		}
171		#endif
172
173	0	rv = ManagerId::Create(principal, getter_AddRefs(mManagerId));
174	0	if (NS_WARN_IF(NS_FAILED(rv))) {
175	0	DispatchToInitiatingThread(rv);
176	0	return;
177	0	}
178	0
179	0	DispatchToInitiatingThread(NS_OK);
180	0	}
181
182		void
183		PrincipalVerifier::CompleteOnInitiatingThread()
184	0	{
185	0	AssertIsOnBackgroundThread();
186	0	ListenerList::ForwardIterator iter(mListenerList);
187	0	while (iter.HasMore()) {
188	0	iter.GetNext()->OnPrincipalVerified(mResult, mManagerId);
189	0	}
190	0
191	0	// The listener must clear its reference in OnPrincipalVerified()
192	0	MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());
193	0	}
194
195		void
196		PrincipalVerifier::DispatchToInitiatingThread(nsresult aRv)
197	0	{
198	0	MOZ_ASSERT(NS_IsMainThread());
199	0
200	0	mResult = aRv;
201	0
202	0	// The Cache ShutdownObserver does not track all principal verifiers, so we
203	0	// cannot ensure this always succeeds. Instead, simply warn on failures.
204	0	// This will result in a new CacheStorage object delaying operations until
205	0	// shutdown completes and the browser goes away. This is as graceful as
206	0	// we can get here.
207	0	nsresult rv = mInitiatingEventTarget->Dispatch(this, nsIThread::DISPATCH_NORMAL);
208	0	if (NS_FAILED(rv)) {
209	0	NS_WARNING("Cache unable to complete principal verification due to shutdown.");
210	0	}
211	0	}
212
213		} // namespace cache
214		} // namespace dom
215		} // namespace mozilla