archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/shell/lib/security.cpp

294 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*****************************************************************************\
  2. FILE: security.cpp
  4. DESCRIPTION:
  5. Helpers functions to check if an Automation interface or ActiveX Control
  6. is hosted or used by a safe caller.
  8. BryanSt 8/25/1999
  9. Copyright (C) Microsoft Corp 1999-1999. All rights reserved.
  10. \*****************************************************************************/
  11. #include "stock.h"
  12. #pragma hdrstop
  14. #include <mshtml.h>
  17. /***************************************************************\
  18. DESCRIPTION:
  19. We are given a site via IObjectWithSite. Obtain the host
  20. from there.
  22. These are the different scenarios to test against:
  23. 1. HTA Content.
  24. 2. HTA contains IFRAME to non-LocalZone. That frame
  25. needs to be treated as unsafe because it hasn't been
  26. "sandboxed"
  27. 3. HTA contains IFRAME to non-LocalZone except the IFRAME tag has
  28. <IFRAME APPLICATION="Yes" SRC="non-LocalZone:foo.htm" ...>
  29. so we need to treat this as safe.
  30. 4. LocalZone Web page with Object. It has an IFRAME to an
  31. non-LocalZone. Is scripting from IFRAME to object allowed? [HUNTER?]
  32. 5. non-LocalZone Web page. It has an IFRAME to an LocalZone with Object.
  33. Is scripting from parent to IFRAME object allowed? [HUNTER?]
  34. 6. LocalZone Web page. It has 2 IFRAMEs. One is in the LocalZone and
  35. has an Object. The other is non-LocalZone. Can the non-LocalZone
  36. script across frames to the object? [HUNTER?]
  37. 7. VB or MFC host.
  38. 8. HTML Mail Message with object. This should be treated as
  39. non-LocalMachine? [HUNTER?]
  40. \***************************************************************/
  41. STDAPI GetHTMLDoc2(IUnknown *punk, IHTMLDocument2 **ppHtmlDoc)
  42. {
  43. *ppHtmlDoc = NULL;
  45. if (!punk)
  46. return E_FAIL;
  48. *ppHtmlDoc = NULL;
  49. // The window.external, jscript "new ActiveXObject" and the <OBJECT> tag
  50. // don't take us down the same road.
  52. IOleClientSite *pClientSite;
  53. HRESULT hr = punk->QueryInterface(IID_PPV_ARG(IOleClientSite, &pClientSite));
  54. if (SUCCEEDED(hr))
  55. {
  56. // <OBJECT> tag path
  57. IOleContainer *pContainer;
  59. // This will return the interface for the current FRAME containing the
  60. // OBJECT tag. We will only check that frames security because we
  61. // rely on MSHTML to block cross frame scripting when it isn't safe.
  62. hr = pClientSite->GetContainer(&pContainer);
  63. if (SUCCEEDED(hr))
  64. {
  65. hr = pContainer->QueryInterface(IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  66. pContainer->Release();
  67. }
  69. if (FAILED(hr))
  70. {
  71. // window.external path
  72. IWebBrowser2 *pWebBrowser2;
  73. hr = IUnknown_QueryService(pClientSite, SID_SWebBrowserApp, IID_PPV_ARG(IWebBrowser2, &pWebBrowser2));
  74. if (SUCCEEDED(hr))
  75. {
  76. IDispatch *pDispatch;
  77. hr = pWebBrowser2->get_Document(&pDispatch);
  78. if (SUCCEEDED(hr))
  79. {
  80. hr = pDispatch->QueryInterface(IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  81. pDispatch->Release();
  82. }
  83. pWebBrowser2->Release();
  84. }
  85. }
  86. pClientSite->Release();
  87. }
  88. else
  89. {
  90. // jscript path
  91. hr = IUnknown_QueryService(punk, SID_SContainerDispatch, IID_PPV_ARG(IHTMLDocument2, ppHtmlDoc));
  92. }
  94. ASSERT(FAILED(hr) || (*ppHtmlDoc));
  96. return hr;
  97. }
  100. /***************************************************************\
  101. DESCRIPTION:
  102. This function is supposed to find out the zone from the
  103. specified URL or Path.
  104. \***************************************************************/
  105. STDAPI LocalZoneCheckPath(LPCWSTR pszUrl, IUnknown * punkSite)
  106. {
  107. DWORD dwZoneID = URLZONE_UNTRUSTED;
  108. HRESULT hr = GetZoneFromUrl(pszUrl, punkSite, &dwZoneID);
  110. if (SUCCEEDED(hr))
  111. {
  112. if (dwZoneID == URLZONE_LOCAL_MACHINE)
  113. hr = S_OK;
  114. else
  115. hr = E_ACCESSDENIED;
  116. }
  118. return hr;
  119. }
  121. /***************************************************************\
  122. DESCRIPTION:
  123. Get the zone from the specified URL or Path.
  124. \***************************************************************/
  125. STDAPI GetZoneFromUrl(LPCWSTR pszUrl, IUnknown * punkSite, DWORD * pdwZoneID)
  126. {
  127. HRESULT hr = E_FAIL;
  128. if (pszUrl && pdwZoneID)
  129. {
  130. IInternetSecurityManager * pSecMgr = NULL;
  132. // WARNING: IInternetSecurityManager is the guy who translates
  133. // from URL->Zone. If we CoCreate this object, it will do the
  134. // default mapping. Some hosts, like Outlook Express, want to
  135. // over ride the default mapping in order to sandbox some content.
  136. // I beleive this could be used to force HTML in an email
  137. // message (C:\mailmessage.eml) to act like it's from a more
  138. // untrusted zone. We use QueryService to get this interface
  139. // from our host. This info is from SanjayS. (BryanSt 8/21/1999)
  140. hr = IUnknown_QueryService(punkSite, SID_SInternetSecurityManager, IID_PPV_ARG(IInternetSecurityManager, &pSecMgr));
  141. if (SUCCEEDED(hr))
  142. {
  143. hr = pSecMgr->MapUrlToZone(pszUrl, pdwZoneID, 0);
  144. ATOMICRELEASE(pSecMgr);
  145. }
  147. if (FAILED(hr))
  148. {
  149. hr = CoCreateInstance(CLSID_InternetSecurityManager, NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARG(IInternetSecurityManager, &pSecMgr));
  150. if (SUCCEEDED(hr))
  151. {
  152. hr = pSecMgr->MapUrlToZone(pszUrl, pdwZoneID, 0);
  153. ATOMICRELEASE(pSecMgr);
  154. }
  155. }
  156. }
  157. else
  158. {
  159. hr = E_INVALIDARG;
  160. }
  161. return hr;
  162. }
  165. /***************************************************************\
  166. DESCRIPTION:
  167. We are given a site via IObjectWithSite. See if that host
  168. maps to the Local Zone.
  170. These are the different scenarios to test against:
  171. 1. HTA Content.
  172. 2. HTA contains IFRAME to non-LocalZone. That frame
  173. needs to be treated as unsafe because it hasn't been
  174. "sandboxed"
  175. 3. HTA contains IFRAME to non-LocalZone except the IFRAME tag has
  176. <IFRAME APPLICATION="Yes" SRC="non-LocalZone:foo.htm" ...>
  177. so we need to treat this as safe.
  178. 4. LocalZone Web page with Object. It has an IFRAME to an
  179. non-LocalZone. Is scripting from IFRAME to object allowed? [HUNTER?]
  180. 5. non-LocalZone Web page. It has an IFRAME to an LocalZone with Object.
  181. Is scripting from parent to IFRAME object allowed? [HUNTER?]
  182. 6. LocalZone Web page. It has 2 IFRAMEs. One is in the LocalZone and
  183. has an Object. The other is non-LocalZone. Can the non-LocalZone
  184. script across frames to the object? [HUNTER?]
  185. 7. VB or MFC host.
  186. 8. HTML Mail Message with object. This should be treated as
  187. non-LocalMachine? [HUNTER?]
  188. \***************************************************************/
  189. STDAPI LocalZoneCheck(IUnknown *punkSite)
  190. {
  191. DWORD dwZoneID = URLZONE_UNTRUSTED;
  192. HRESULT hr = GetZoneFromSite(punkSite, &dwZoneID);
  194. if (SUCCEEDED(hr))
  195. {
  196. if (dwZoneID == URLZONE_LOCAL_MACHINE)
  197. hr = S_OK;
  198. else
  199. hr = E_ACCESSDENIED;
  200. }
  202. return hr;
  203. }
  205. STDAPI GetZoneFromSite(IUnknown *punkSite, DWORD *pdwZoneID)
  206. {
  207. // Return S_FALSE if we don't have a host site since we have no way of doing a
  208. // security check. This is as far as VB 5.0 apps get.
  209. if (!punkSite)
  210. {
  211. *pdwZoneID = URLZONE_UNTRUSTED;
  212. return S_FALSE;
  213. }
  215. HRESULT hr = E_ACCESSDENIED;
  216. BOOL fTriedBrowser = FALSE;
  218. // Try to find the original template path for zone checking
  219. IOleCommandTarget * pct;
  220. if (SUCCEEDED(IUnknown_QueryService(punkSite, SID_DefView, IID_PPV_ARG(IOleCommandTarget, &pct))))
  221. {
  222. VARIANT vTemplatePath;
  223. vTemplatePath.vt = VT_EMPTY;
  224. if (pct->Exec(&CGID_DefView, DVCMDID_GETTEMPLATEDIRNAME, 0, NULL, &vTemplatePath) == S_OK)
  225. {
  226. fTriedBrowser = TRUE;
  227. if (vTemplatePath.vt == VT_BSTR)
  228. {
  229. hr = GetZoneFromUrl(vTemplatePath.bstrVal, punkSite, pdwZoneID);
  230. }
  232. // We were able to talk to the browser, so don't fall back on Trident because they may be
  233. // less secure.
  234. fTriedBrowser = TRUE;
  235. VariantClear(&vTemplatePath);
  236. }
  237. pct->Release();
  238. }
  240. // If this is one of those cases where the browser doesn't exist (AOL, VB, ...) then
  241. // we will check the scripts security. If we did ask the browser, don't ask trident
  242. // because the browser is often more restrictive in some cases.
  243. if (!fTriedBrowser && (hr != S_OK))
  244. {
  245. // Try to use the URL from the document to zone check
  246. IHTMLDocument2 *pHtmlDoc;
  248. /***************************************************************\
  249. NOTE:
  250. 1. If punkSite points into an <IFRAME APPLICATION="yes"> in a
  251. HTA file, then the URL GetHTMLDoc2() returns
  252. is for the IFRAME SRC..
  254. BUGS?:
  255. 1. If this isn't an HTML container, the we will be saying that it
  256. isn't safe. For example, if the container is VB and they support
  257. the security interfaces, then we will assume it isn't safe when
  258. it is. (Is there an IInternet interface that will work in this
  259. case?)
  260. \***************************************************************/
  261. if (SUCCEEDED(GetHTMLDoc2(punkSite, &pHtmlDoc)))
  262. {
  263. BSTR bstrURL;
  265. /***************************************************************\
  266. WARNING: (Security Holes?)
  267. I think this is fundamentally flawed because:
  268. 1. If this HTML container isn't safe but it's URL maps to the
  269. Local Zone, then we have a problem. This may happen with
  270. email messages, especially if they are saved to a file.
  271. If the user reopens a saved .eml file, it will be hosted in
  272. it's mail container that may support the IInternet interface
  273. to indicate that it's in an untrusted zone. Will we get
  274. a Local Zone URL in that case?
  276. TO INVESTIGATE: (HunterH?)
  277. 1. What is the parent HTML is LocalZone but the subframes aren't.
  278. Will trident block cross frame scripting?
  279. \***************************************************************/
  280. if (SUCCEEDED(pHtmlDoc->get_URL(&bstrURL)))
  281. {
  282. // NOTE: the above URL is improperly escaped, this is
  283. // due to app compat. if you depend on this URL being valid
  284. // use another means to get this
  286. hr = GetZoneFromUrl(bstrURL, punkSite, pdwZoneID);
  287. SysFreeString(bstrURL);
  288. }
  289. pHtmlDoc->Release();
  290. }
  291. }
  293. return hr;
  294. }