Permalink
Browse files

Bug 821671 - Check alarm API parameters in the parent (part 3, Alarm …

…API). r=sicking, a=blocking-basecamp
  • Loading branch information...
1 parent f734452 commit 98ea30020f2b9cec19ecc44d7c373e3fade2e761 @airpingu airpingu committed Dec 22, 2012
Showing with 7 additions and 3 deletions.
  1. +7 −3 dom/alarm/AlarmService.jsm
View
@@ -83,19 +83,23 @@ this.AlarmService = {
receiveMessage: function receiveMessage(aMessage) {
debug("receiveMessage(): " + aMessage.name);
+ let json = aMessage.json;
- // To prevent hacked child processes from sending commands to parent
- // to schedule alarms, we need to check their installed permissions.
+ // To prevent the hacked child process from sending commands to parent
+ // to schedule alarms, we need to check its permission and manifest URL.
if (["AlarmsManager:GetAll", "AlarmsManager:Add", "AlarmsManager:Remove"]
.indexOf(aMessage.name) != -1) {
if (!aMessage.target.assertPermission("alarms")) {
debug("Got message from a child process with no 'alarms' permission.");
return null;
}
+ if (!aMessage.target.assertContainApp(json.manifestURL)) {
+ debug("Got message from a child process containing illegal manifest URL.");
+ return null;
+ }
}
let mm = aMessage.target.QueryInterface(Ci.nsIMessageSender);
- let json = aMessage.json;
switch (aMessage.name) {
case "AlarmsManager:GetAll":
this._db.getAll(

0 comments on commit 98ea300

Please sign in to comment.