
@yurydelendik
Last active January 22, 2016 22:34
Disable foreign origin file URLs for PDF.js
--- a/web/viewer.js 2016-01-21 12:50:58.000000000 -0600
+++ b/web/viewer.js 2016-01-21 12:51:17.000000000 -0600
@@ -7154,17 +7154,17 @@
function webViewerLoad(evt) {
configure(PDFJS);
PDFViewerApplication.initialize().then(webViewerInitialized);
}
function webViewerInitialized() {
var queryString = document.location.search.substring(1);
var params = parseQueryString(queryString);
- var file = 'file' in params ? params.file : DEFAULT_URL;
+ var file = 'file' in params && !/^\s*(\/\/|[\w\+\-\.]+:)/.test(params.file)? params.file : DEFAULT_URL;
var fileInput = document.createElement('input');
fileInput.id = 'fileInput';
fileInput.className = 'fileInput';
fileInput.setAttribute('type', 'file');
fileInput.oncontextmenu = noContextMenuHandler;
document.body.appendChild(fileInput);
diff --git a/web/viewer.js b/web/viewer.js
index 6151a90..17c6036 100644
--- a/web/viewer.js
+++ b/web/viewer.js
@@ -1329,6 +1329,45 @@ window.PDFView = PDFViewerApplication; // obsolete name, using it as an alias
//})();
//#endif
+//#if GENERIC
+var HOSTED_VIEWER_ORIGINS = ['null',
+ 'http://mozilla.github.io', 'https://mozilla.github.io'];
+function validateFileURL(file) {
+ function getOrigin(url, base) {
+ var re = /^(http|https|ftp):\/\/[^\/]*/i;
+ if (!/^\s*[\w\+\-\.]+:/.test(url)) {
+ url = /^\s*\/\//.test(url) ? base.split(':')[0] + ':' + url : base;
+ }
+ var m = re.exec(url);
+ return m ? m[0].toLowerCase() : 'null';
+ }
+ try {
+ var viewerOrigin = getOrigin(window.location.href);
+ if (HOSTED_VIEWER_ORIGINS.indexOf(viewerOrigin) >= 0) {
+ // Hosted or local viewer, allow for any file locations
+ return;
+ }
+ var fileOrigin = getOrigin(file, window.location.href);
+ // Removing of the following line will not guarantee that the viewer will
+ // start accepting URLs from foreign origin -- CORS headers on the remote
+ // server must be properly configured.
+ if (fileOrigin !== viewerOrigin) {
+ throw new Error('file origin does not match viewer\'s');
+ }
+ } catch (e) {
+ var message = e && e.message;
+ var loadingErrorMessage = mozL10n.get('loading_error', null,
+ 'An error occurred while loading the PDF.');
+
+ var moreInfo = {
+ message: message
+ };
+ PDFViewerApplication.error(loadingErrorMessage, moreInfo);
+ throw e;
+ }
+}
+//#endif
+
function webViewerLoad(evt) {
PDFViewerApplication.initialize().then(webViewerInitialized);
}
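Review bot: getOrigin (lines 40-47) derives the origin from a hand-written regex rather than from the URL parser the browser will use when the file is actually requested, so the two can disagree: the WHATWG parser strips leading control characters and, for http(s) schemes, treats a backslash like a slash, neither of which the `/^\s*\/\//` and `[\w\+\-\.]+:` tests account for, so an input this code classifies as relative (hence same-origin) is not guaranteed to resolve to the viewer's host. Computing both origins with the browser's own parser, `new URL(url, base).origin`, removes that divergence, and the surrounding try/catch already turns a parse failure into the displayed loading error. Two caveats to confirm: `URL` is missing in older browsers (IE), so the GENERIC build may need a feature check or polyfill, and `.origin` for a file: viewer is reported as the string 'null' in most browsers (matching the HOSTED_VIEWER_ORIGINS entry) but not in all. As written the regex also compares the raw authority text, so `http://host:80` and `http://host` are treated as different origins; that is strict rather than unsafe.
```javascript
function getOrigin(url, base) {
  // Resolve with the browser's own parser so the origin compared here is
  // the one the request will actually be sent to.
  var origin = new URL(url, base).origin;
  return origin ? origin.toLowerCase() : 'null';
}
// … unchanged: try/catch comparing viewerOrigin and fileOrigin …
```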
@@ -1338,6 +1377,7 @@ function webViewerInitialized() {
var queryString = document.location.search.substring(1);
var params = parseQueryString(queryString);
var file = 'file' in params ? params.file : DEFAULT_URL;
+ validateFileURL(file);
//#endif
//#if (FIREFOX || MOZCENTRAL)
//var file = window.location.href.split('#')[0];
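Review bot: The new `validateFileURL(file);` call runs inside webViewerInitialized, which is invoked as the `.then` callback of `PDFViewerApplication.initialize()` (line 76 of the previous hunk) with no rejection handler, so the error the validator rethrows after displaying it appears to become an unhandled promise rejection; the browser will log it, but nothing in the chain consumes it. If the rethrow only exists to abort the rest of initialization once the error has been shown, say so at the call site, `// throws after showing the error; aborts viewer initialization`, and add a handler on that chain such as `.catch(function (reason) { console.error(reason); })` so the rejection is deliberate rather than accidental. The body of webViewerInitialized continues outside the hunk, so whether a later handler already covers this cannot be confirmed here.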
@yurydelendik

As an alternative, or in addition, the restrictions on XHR can be applied using a Content Security Policy (CSP) default-src or connect-src directive, e.g. via `Content-Security-Policy: connect-src 'self';`
