[tbb-commits] [Git][tpo/applications/tor-browser][tor-browser-128.1.0esr-14.0-1] Bug 42835: Create an actor to filter file data transfers
ma1 (@ma1)
git at gitlab.torproject.org
Fri Aug 2 20:22:32 UTC 2024
ma1 pushed to branch tor-browser-128.1.0esr-14.0-1 at The Tor Project / Applications / Tor Browser
Commits:
693e125e by hackademix at 2024-08-01T16:28:30+02:00
Bug 42835: Create an actor to filter file data transfers
- - - - -
4 changed files:
- + toolkit/actors/FilesFilterChild.sys.mjs
- + toolkit/actors/FilesFilterParent.sys.mjs
- toolkit/actors/moz.build
- toolkit/modules/ActorManagerParent.sys.mjs
Changes:
=====================================
toolkit/actors/FilesFilterChild.sys.mjs
=====================================
@@ -0,0 +1,61 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const lazy = {};
+
+ChromeUtils.defineLazyGetter(lazy, "console", () => {
+ return console.createInstance({
+ prefix: "FilesFilter",
+ });
+});
+
+export class FilesFilterChild extends JSWindowActorChild {
+ handleEvent(event) {
+ // drop or paste
+ const { composedTarget } = event;
+ const dt = event.clipboardData || event.dataTransfer;
+
+ if (dt.files.length) {
+ if (
+ ["HTMLInputElement", "HTMLTextAreaElement"].includes(
+ ChromeUtils.getClassName(composedTarget)
+ )
+ ) {
+ event.preventDefault();
+ lazy.console.log(
+ `Preventing path leak on ${event.type} for ${[...dt.files]
+ .map(f => f.name)
+ .join(", ")}.`
+ );
+ }
+ return;
+ }
+
+ // "Paste Without Formatting" (ctrl+shift+V) in HTML editors coerces files into paths
+ if (!(event.clipboardData && dt.getData("text"))) {
+ return;
+ }
+
+ // check wether the clipboard contains a file
+ const { clipboard } = Services;
+ if (
+ [clipboard.kSelectionClipboard, clipboard.kGlobalClipboard].some(
+ clipboardType =>
+ clipboard.isClipboardTypeSupported(clipboardType) &&
+ clipboard.hasDataMatchingFlavors(
+ ["application/x-moz-file"],
+ clipboardType
+ )
+ )
+ ) {
+ event.preventDefault();
+ event.stopPropagation();
+ lazy.console.log(
+ `Preventing path leak on "Paste Without Formatting" for ${dt.getData(
+ "text"
+ )}.`
+ );
+ }
+ }
+}
=====================================
toolkit/actors/FilesFilterParent.sys.mjs
=====================================
@@ -0,0 +1,7 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+export class FilesFilterParent extends JSWindowActorParent {
+ // just a stub for now
+}
=====================================
toolkit/actors/moz.build
=====================================
@@ -53,6 +53,8 @@ FINAL_TARGET_FILES.actors += [
"DateTimePickerChild.sys.mjs",
"DateTimePickerParent.sys.mjs",
"ExtFindChild.sys.mjs",
+ "FilesFilterChild.sys.mjs",
+ "FilesFilterParent.sys.mjs",
"FindBarChild.sys.mjs",
"FindBarParent.sys.mjs",
"FinderChild.sys.mjs",
=====================================
toolkit/modules/ActorManagerParent.sys.mjs
=====================================
@@ -285,6 +285,22 @@ let JSWINDOWACTORS = {
allFrames: true,
},
+ FilesFilter: {
+ parent: {
+ esModuleURI: "resource://gre/actors/FilesFilterParent.sys.mjs",
+ },
+
+ child: {
+ esModuleURI: "resource://gre/actors/FilesFilterChild.sys.mjs",
+ events: {
+ drop: {},
+ paste: { capture: true },
+ },
+ },
+
+ allFrames: true,
+ },
+
FindBar: {
parent: {
esModuleURI: "resource://gre/actors/FindBarParent.sys.mjs",
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/693e125ea60ae5a9a46b2ad0f8a92fd9885ce7bb
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/693e125ea60ae5a9a46b2ad0f8a92fd9885ce7bb
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tbb-commits/attachments/20240802/d7d22f6e/attachment-0001.htm>
More information about the tbb-commits
mailing list