archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/shell/lib/security.cpp

252 lines
9.0 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*****************************************************************************\
  2. FILE: security.cpp
  4. DESCRIPTION:
  5. Helpers functions to check if an Automation interface or ActiveX Control
  6. is hosted or used by a safe caller.
  8. BryanSt 8/25/1999
  9. Copyright (C) Microsoft Corp 1999-1999. All rights reserved.
  10. \*****************************************************************************/
  11. #include "stock.h"
  12. #pragma hdrstop
  14. #include <mshtml.h>
  17. /***************************************************************\
  18. DESCRIPTION:
  19. We are given a site via IObjectWithSite. Obtain the hosting
  20. IHTMLDocument from there. This is typically used to get a URL from
  21. in order to check zones or ProcessUrlAction() attributes, or if there are
  22. two URLs you can compare their zones from cross-zone restrictions.
  23. \***************************************************************/
  24. STDAPI GetHTMLDoc2(IUnknown *punk, IHTMLDocument2 **ppHtmlDoc)
  25. {
  26. *ppHtmlDoc = NULL;
  28. if (!punk)
  29. return E_FAIL;
  31. *ppHtmlDoc = NULL;
  32. // The window.external, jscript "new ActiveXObject" and the <OBJECT> tag
  33. // don't take us down the same road.
  35. IOleClientSite *pClientSite;
  36. HRESULT hr = punk->QueryInterface(IID_PPV_ARG(IOleClientSite, &pClientSite));
  37. if (SUCCEEDED(hr))
  38. {
  39. // <OBJECT> tag path
  40. IOleContainer *pContainer;
  42. // This will return the interface for the current FRAME containing the
  43. // OBJECT tag. We will only check that frames security because we
  44. // rely on MSHTML to block cross frame scripting when it isn't safe.
  45. hr = pClientSite->GetContainer(&pContainer);
  46. if (SUCCEEDED(hr))
  47. {
  48. hr = pContainer->QueryInterface(IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  49. pContainer->Release();
  50. }
  52. if (FAILED(hr))
  53. {
  54. // window.external path
  55. IWebBrowser2 *pWebBrowser2;
  56. hr = IUnknown_QueryService(pClientSite, SID_SWebBrowserApp, IID_PPV_ARG(IWebBrowser2, &pWebBrowser2));
  57. if (SUCCEEDED(hr))
  58. {
  59. IDispatch *pDispatch;
  60. hr = pWebBrowser2->get_Document(&pDispatch);
  61. if (SUCCEEDED(hr))
  62. {
  63. hr = pDispatch->QueryInterface(IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  64. pDispatch->Release();
  65. }
  66. pWebBrowser2->Release();
  67. }
  68. }
  69. pClientSite->Release();
  70. }
  71. else
  72. {
  73. // jscript path
  74. hr = IUnknown_QueryService(punk, SID_SContainerDispatch, IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  75. }
  77. ASSERT(FAILED(hr) || (*ppHtmlDoc));
  79. return hr;
  80. }
  83. /***************************************************************\
  84. DESCRIPTION:
  85. This function is supposed to find out the zone from the
  86. specified URL or Path.
  87. \***************************************************************/
  88. STDAPI LocalZoneCheckPath(LPCWSTR pszUrl, IUnknown * punkSite)
  89. {
  90. DWORD dwZoneID = URLZONE_UNTRUSTED;
  91. HRESULT hr = GetZoneFromUrl(pszUrl, punkSite, &dwZoneID);
  93. if (SUCCEEDED(hr))
  94. {
  95. if (dwZoneID == URLZONE_LOCAL_MACHINE)
  96. hr = S_OK;
  97. else
  98. hr = E_ACCESSDENIED;
  99. }
  101. return hr;
  102. }
  104. /***************************************************************\
  105. DESCRIPTION:
  106. Get the zone from the specified URL or Path.
  107. \***************************************************************/
  108. STDAPI GetZoneFromUrl(LPCWSTR pszUrl, IUnknown * punkSite, DWORD * pdwZoneID)
  109. {
  110. HRESULT hr = E_FAIL;
  111. if (pszUrl && pdwZoneID)
  112. {
  113. IInternetSecurityManager * pSecMgr = NULL;
  115. // WARNING: IInternetSecurityManager is the guy who translates
  116. // from URL->Zone. If we CoCreate this object, it will do the
  117. // default mapping. Some hosts, like Outlook Express, want to
  118. // over ride the default mapping in order to sandbox some content.
  119. // I beleive this could be used to force HTML in an email
  120. // message (C:\mailmessage.eml) to act like it's from a more
  121. // untrusted zone. We use QueryService to get this interface
  122. // from our host. This info is from SanjayS. (BryanSt 8/21/1999)
  123. hr = IUnknown_QueryService(punkSite, SID_SInternetSecurityManager, IID_PPV_ARG(IInternetSecurityManager, &pSecMgr));
  124. if (FAILED(hr))
  125. {
  126. hr = CoCreateInstance(CLSID_InternetSecurityManager, NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARG(IInternetSecurityManager, &pSecMgr));
  127. }
  129. if (SUCCEEDED(hr))
  130. {
  131. hr = pSecMgr->MapUrlToZone(pszUrl, pdwZoneID, 0);
  132. ATOMICRELEASE(pSecMgr);
  133. }
  134. }
  135. else
  136. {
  137. hr = E_INVALIDARG;
  138. }
  139. return hr;
  140. }
  143. /***************************************************************\
  144. DESCRIPTION:
  145. We are given a site via IObjectWithSite. See if that host
  146. maps to the Local Zone.
  147. \***************************************************************/
  148. STDAPI LocalZoneCheck(IUnknown *punkSite)
  149. {
  150. DWORD dwZoneID = URLZONE_UNTRUSTED;
  151. HRESULT hr = GetZoneFromSite(punkSite, &dwZoneID);
  153. if (SUCCEEDED(hr))
  154. {
  155. if (dwZoneID == URLZONE_LOCAL_MACHINE)
  156. hr = S_OK;
  157. else
  158. hr = E_ACCESSDENIED;
  159. }
  161. return hr;
  162. }
  164. STDAPI GetZoneFromSite(IUnknown *punkSite, DWORD *pdwZoneID)
  165. {
  166. // Return S_FALSE if we don't have a host site since we have no way of doing a
  167. // security check. This is as far as VB 5.0 apps get.
  168. if (!punkSite)
  169. {
  170. *pdwZoneID = URLZONE_UNTRUSTED;
  171. return S_FALSE;
  172. }
  174. HRESULT hr = E_ACCESSDENIED;
  175. BOOL fTriedBrowser = FALSE;
  177. // Try to find the original template path for zone checking
  178. IOleCommandTarget * pct;
  179. if (SUCCEEDED(IUnknown_QueryService(punkSite, SID_DefView, IID_PPV_ARG(IOleCommandTarget, &pct))))
  180. {
  181. VARIANT vTemplatePath;
  182. vTemplatePath.vt = VT_EMPTY;
  183. if (pct->Exec(&CGID_DefView, DVCMDID_GETTEMPLATEDIRNAME, 0, NULL, &vTemplatePath) == S_OK)
  184. {
  185. fTriedBrowser = TRUE;
  186. if (vTemplatePath.vt == VT_BSTR)
  187. {
  188. hr = GetZoneFromUrl(vTemplatePath.bstrVal, punkSite, pdwZoneID);
  189. }
  191. // We were able to talk to the browser, so don't fall back on Trident because they may be
  192. // less secure.
  193. fTriedBrowser = TRUE;
  194. VariantClear(&vTemplatePath);
  195. }
  196. pct->Release();
  197. }
  199. // If this is one of those cases where the browser doesn't exist (AOL, VB, ...) then
  200. // we will check the scripts security. If we did ask the browser, don't ask trident
  201. // because the browser is often more restrictive in some cases.
  202. if (!fTriedBrowser && (hr != S_OK))
  203. {
  204. // Try to use the URL from the document to zone check
  205. IHTMLDocument2 *pHtmlDoc;
  207. /***************************************************************\
  208. NOTE:
  209. 1. If punkSite points into an <IFRAME APPLICATION="yes"> in a
  210. HTA file, then the URL GetHTMLDoc2() returns
  211. is for the IFRAME SRC..
  212. 2. If this isn't an HTML container, then we can't calculate a zone, so it's E_ACCESSDENIED.
  213. \***************************************************************/
  214. if (SUCCEEDED(GetHTMLDoc2(punkSite, &pHtmlDoc)))
  215. {
  216. BSTR bstrURL;
  218. /***************************************************************\
  219. QUESTION:
  220. 1. If this HTML container isn't safe but it's URL maps to the
  221. Local Zone, then we have a problem. This may happen with
  222. email messages, especially if they are saved to a file.
  223. If the user reopens a saved .eml file, it will be hosted in
  224. it's mail container that may support the IInternet interface
  225. to indicate that it's in an untrusted zone. Will we get
  226. a Local Zone URL in that case?
  227. ANSWER:
  228. 1. The container can override zone mappings by supporting
  229. IInternetSecurityManager.
  231. QUESTION:
  232. 2. What if there are multiple frames in different zones.
  233. Will trident block cross frame scripting?
  234. ANSWER:
  235. 2. Yes.
  236. \***************************************************************/
  237. if (SUCCEEDED(pHtmlDoc->get_URL(&bstrURL)))
  238. {
  239. // NOTE: the above URL is improperly escaped, this is
  240. // due to app compat. if you depend on this URL being valid
  241. // use another means to get this
  243. hr = GetZoneFromUrl(bstrURL, punkSite, pdwZoneID);
  244. SysFreeString(bstrURL);
  245. }
  246. pHtmlDoc->Release();
  247. }
  248. }
  250. return hr;
  251. }