[Pkg-mozext-commits] [greasemonkey] 14/21: Prevent content from detecting/interfering with menu commands.
David Prévot
taffit at moszumanska.debian.org
Sun Sep 13 21:27:16 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository greasemonkey.
commit 7683e430a58b67a368ff5c51747e6aa61d31f17c
Author: Anthony Lieuallen <arantius at gmail.com>
Date: Wed Jul 15 16:32:17 2015 -0400
Prevent content from detecting/interfering with menu commands.
Prevent event propagation when appropriate. Add a random suffix to the event names, so content cannot predict the event name, and thus cannot listen for it.
---
modules/menucommand.js | 57 ++++++++++++++++++++++++++++++++++++--------------
modules/sandbox.js | 2 +-
2 files changed, 42 insertions(+), 17 deletions(-)
diff --git a/modules/menucommand.js b/modules/menucommand.js
index d24f8ec..92a5406 100644
--- a/modules/menucommand.js
+++ b/modules/menucommand.js
@@ -1,4 +1,5 @@
var EXPORTED_SYMBOLS = [
+ 'MenuCommandEventNameSuffix',
'MenuCommandListRequest', 'MenuCommandRespond',
'MenuCommandRun', 'MenuCommandSandbox',
];
@@ -9,10 +10,25 @@ var Ci = Components.interfaces;
var Cu = Components.utils;
+Components.utils.import('chrome://greasemonkey-modules/content/prefmanager.js');
+
+
+var MenuCommandEventNameSuffix = (function() {
+ var suffix = GM_prefRoot.getValue('menuCommanderEventNameSuffix');
+ if (!suffix) {
+ Cu.import("resource://services-crypto/utils.js");
+ suffix = CryptoUtils.sha1Base32(CryptoUtils.generateRandomBytes(128));
+ GM_prefRoot.setValue('menuCommanderEventNameSuffix', suffix);
+ }
+ return suffix;
+})();
+
+
// Frame scope: Pass "list menu commands" message into sandbox as event.
function MenuCommandListRequest(aContent, aMessage) {
var e = new aContent.CustomEvent(
- 'greasemonkey-menu-command-list', {'detail': aMessage.data.cookie});
+ 'greasemonkey-menu-command-list-' + MenuCommandEventNameSuffix,
+ {'detail': aMessage.data.cookie});
aContent.dispatchEvent(e);
}
@@ -32,7 +48,7 @@ function MenuCommandRespond(aCookie, aData) {
// from the parent, pass it into the sandbox.
function MenuCommandRun(aContent, aMessage) {
var e = new aContent.CustomEvent(
- 'greasemonkey-menu-command-run',
+ 'greasemonkey-menu-command-run-' + MenuCommandEventNameSuffix,
{'detail': JSON.stringify(aMessage.data)});
aContent.dispatchEvent(e);
}
@@ -41,26 +57,35 @@ function MenuCommandRun(aContent, aMessage) {
// This function is injected into the sandbox, in a private scope wrapper, BY
// SOURCE. Data and sensitive references are wrapped up inside its closure.
function MenuCommandSandbox(
- aScriptUuid, aScriptName, aCommandResponder, aInvalidAccesskeyErrorStr) {
+ aScriptUuid, aScriptName, aCommandResponder, aInvalidAccesskeyErrorStr,
+ aMenuCommandEventNameSuffix) {
// 1) Internally to this function's private scope, maintain a set of
// registered menu commands.
var commands = {};
var commandCookie = 0;
// 2) Respond to requests to list those registered commands.
- addEventListener('greasemonkey-menu-command-list', function(e) {
- aCommandResponder(e.detail, commands);
- }, true);
+ addEventListener(
+ 'greasemonkey-menu-command-list-' + aMenuCommandEventNameSuffix,
+ function(e) {
+ e.stopPropagation();
+ aCommandResponder(e.detail, commands);
+ }, true);
// 3) Respond to requests to run those registered commands.
- addEventListener('greasemonkey-menu-command-run', function(e) {
- var detail = JSON.parse(e.detail);
- if (aScriptUuid != detail.scriptUuid) return;
- var command = commands[detail.cookie];
- if (!command) {
- throw new Error('Could not run requested menu command!');
- } else {
- command.commandFunc.call();
- }
- }, true);
+ addEventListener(
+ 'greasemonkey-menu-command-run-' + aMenuCommandEventNameSuffix,
+ function(e) {
+ e.stopPropagation();
+ var detail = JSON.parse(e.detail);
+ if (aScriptUuid != detail.scriptUuid) return;
+ // This event is for this script; stop propagating to other scripts.
+ e.stopImmediatePropagation();
+ var command = commands[detail.cookie];
+ if (!command) {
+ throw new Error('Could not run requested menu command!');
+ } else {
+ command.commandFunc.call();
+ }
+ }, true);
// 4) Export the "register a command" API function to the sandbox scope.
this.GM_registerMenuCommand = function(
commandName, commandFunc, accessKey, unused, accessKey2) {
diff --git a/modules/sandbox.js b/modules/sandbox.js
index a6b8ac3..ebcd87f 100644
--- a/modules/sandbox.js
+++ b/modules/sandbox.js
@@ -75,7 +75,7 @@ function createSandbox(aScript, aContentWin, aUrl, aFrameScope) {
'this._MenuCommandSandbox = ' + MenuCommandSandbox.toSource(), sandbox);
sandbox._MenuCommandSandbox(
aScript.uuid, aScript.name, MenuCommandRespond,
- gInvalidAccesskeyErrorStr);
+ gInvalidAccesskeyErrorStr, MenuCommandEventNameSuffix);
Components.utils.evalInSandbox(
'delete this._MenuCommandSandbox;', sandbox);
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git
More information about the Pkg-mozext-commits
mailing list