Bug 1338637 - Ask user for confirmation before folder upload. r=Gijs,geckoview-reviewers,agi,baku

Trikolon · Trikolon · commit 574bf717586e · 2020-11-16T09:33:43.000Z
Differential Revision: https://phabricator.services.mozilla.com/D95324
diff --git a/browser/components/prompts/PromptCollection.jsm b/browser/components/prompts/PromptCollection.jsm
@@ -131,6 +131,48 @@ class PromptCollection {
       result.QueryInterface(Ci.nsIPropertyBag2).get("buttonNumClicked") == 0
     );
   }
+
+  confirmFolderUpload(browsingContext, directoryName) {
+    let title;
+    let message;
+    let acceptLabel;
+
+    try {
+      title = this.stringBundles.dom.GetStringFromName(
+        "FolderUploadPrompt.title"
+      );
+      message = this.stringBundles.dom.formatStringFromName(
+        "FolderUploadPrompt.message",
+        [directoryName]
+      );
+      acceptLabel = this.stringBundles.dom.GetStringFromName(
+        "FolderUploadPrompt.acceptButtonLabel"
+      );
+    } catch (exception) {
+      Cu.reportError("Failed to get strings from dom.properties");
+      return false;
+    }
+
+    let buttonFlags =
+      Services.prompt.BUTTON_TITLE_IS_STRING * Services.prompt.BUTTON_POS_0 +
+      Services.prompt.BUTTON_TITLE_CANCEL * Services.prompt.BUTTON_POS_1 +
+      Services.prompt.BUTTON_POS_1_DEFAULT;
+
+    return (
+      Services.prompt.confirmExBC(
+        browsingContext,
+        Services.prompt.MODAL_TYPE_TAB,
+        title,
+        message,
+        buttonFlags,
+        acceptLabel,
+        null,
+        null,
+        null,
+        {}
+      ) === 0
+    );
+  }
 }
 
 const BUNDLES = {
diff --git a/dom/html/HTMLInputElement.cpp b/dom/html/HTMLInputElement.cpp
@@ -54,6 +54,7 @@
 #include "nsError.h"
 #include "nsIEditor.h"
 #include "nsAttrValueOrString.h"
+#include "nsIPromptCollection.h"
 
 #include "mozilla/PresState.h"
 #include "nsLinebreakConverter.h"  //to strip out carriage returns
@@ -480,6 +481,37 @@ HTMLInputElement::nsFilePickerShownCallback::Done(int16_t aResult) {
                mode == static_cast<int16_t>(nsIFilePicker::modeGetFolder));
     nsCOMPtr<nsISupports> tmp;
     nsresult rv = mFilePicker->GetDomFileOrDirectory(getter_AddRefs(tmp));
+
+    // Show a prompt to get user confirmation before allowing folder access.
+    // This is to prevent sites from tricking the user into uploading files.
+    // See Bug 1338637.
+    if (mode == static_cast<int16_t>(nsIFilePicker::modeGetFolder)) {
+      nsCOMPtr<nsIPromptCollection> prompter =
+          do_GetService("@mozilla.org/embedcomp/prompt-collection;1");
+      if (!prompter) {
+        return NS_ERROR_NOT_AVAILABLE;
+      }
+
+      bool confirmed = false;
+      BrowsingContext* bc = mInput->OwnerDoc()->GetBrowsingContext();
+
+      // Get directory name
+      RefPtr<Directory> directory = static_cast<Directory*>(tmp.get());
+      nsAutoString directoryName;
+      ErrorResult error;
+      directory->GetName(directoryName, error);
+      if (NS_WARN_IF(error.Failed())) {
+        return error.StealNSResult();
+      }
+
+      rv = prompter->ConfirmFolderUpload(bc, directoryName, &confirmed);
+      NS_ENSURE_SUCCESS(rv, rv);
+      if (!confirmed) {
+        // User aborted upload
+        return NS_OK;
+      }
+    }
+
     NS_ENSURE_SUCCESS(rv, rv);
 
     RefPtr<Blob> blob = do_QueryObject(tmp);
diff --git a/dom/locales/en-US/chrome/dom/dom.properties b/dom/locales/en-US/chrome/dom/dom.properties
@@ -401,3 +401,7 @@ RequestStorageAccessNested=document.requestStorageAccess() may not be called in
 RequestStorageAccessUserGesture=document.requestStorageAccess() may only be requested from inside a short running user-generated event handler.
 # LOCALIZATION NOTE: Do not translate "Location" and "History".
 LocChangeFloodingPrevented=Too many calls to Location or History APIs within a short timeframe.
+FolderUploadPrompt.title = Confirm Upload
+# LOCALIZATION NOTE: %S is the name of the folder the user selected in the file picker.
+FolderUploadPrompt.message = Are you sure you want to upload all files from “%S”? Only do this if you trust the site.
+FolderUploadPrompt.acceptButtonLabel = Upload
diff --git a/mobile/android/components/geckoview/PromptCollection.jsm b/mobile/android/components/geckoview/PromptCollection.jsm
@@ -38,6 +38,11 @@ class PromptCollection {
       prompter.asyncShowPrompt(msg, resolve);
     }).then(result => !!result?.allow);
   }
+
+  confirmFolderUpload() {
+    // Folder upload is not supported by GeckoView yet, see Bug 1674428.
+    return false;
+  }
 }
 
 PromptCollection.prototype.QueryInterface = ChromeUtils.generateQI([
diff --git a/toolkit/components/windowwatcher/nsIPromptCollection.idl b/toolkit/components/windowwatcher/nsIPromptCollection.idl
@@ -33,4 +33,17 @@ interface nsIPromptCollection : nsISupports
    * @return true if the page should be allowed to repost data.
    */
   boolean confirmRepost(in BrowsingContext aBrowsingContext);
+
+  /**
+   * Ask the user for confirmation to upload a selected folder.
+   *
+   * @param aBrowsingContext
+   *        The browsing context the prompt should be opened for.
+   * @param aDirectoryName
+   *        Name of the folder that will be uploaded.
+   *
+   * @return true if the user confirmed the upload, false otherwise.
+   */
+  boolean confirmFolderUpload(in BrowsingContext aBrowsingContext,
+                              in AString aDirectoryName);
 };

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,11 @@ class PromptCollection {`
`38`	`38`	`prompter.asyncShowPrompt(msg, resolve);`
`39`	`39`	`}).then(result => !!result?.allow);`
`40`	`40`	`}`
	`41`	`+`
	`42`	`+ confirmFolderUpload() {`
	`43`	`+ // Folder upload is not supported by GeckoView yet, see Bug 1674428.`
	`44`	`+ return false;`
	`45`	`+ }`
`41`	`46`	`}`
`42`	`47`
`43`	`48`	`PromptCollection.prototype.QueryInterface = ChromeUtils.generateQI([`