Ensure that the response-origin of range requests match the full request (issue 12744)

Snuffleupagus · Snuffleupagus · commit 9c38dd518418 · 2024-11-12T15:41:24.000+01:00
The following cases are excluded in the patch: - The Firefox PDF Viewer, since it has been fixed on the platform side already; please see https://bugzilla.mozilla.org/show_bug.cgi?id=1683940 - The `PDFNodeStream`-implementation, used in Node.js environments, since after recent changes that code only supports `file://`-URLs.
diff --git a/src/display/fetch_stream.js b/src/display/fetch_stream.js
@@ -18,6 +18,7 @@ import {
   createHeaders,
   createResponseStatusError,
   extractFilenameFromHeader,
+  getResponseOrigin,
   validateRangeRequestCapabilities,
   validateResponseStatus,
 } from "./network_utils.js";
@@ -52,6 +53,8 @@ function getArrayBuffer(val) {
 
 /** @implements {IPDFStream} */
 class PDFFetchStream {
+  _responseOrigin = Promise.withResolvers();
+
   constructor(source) {
     this.source = source;
     this.isHttp = /^https?:/i.test(source.url);
@@ -121,6 +124,8 @@ class PDFFetchStreamReader {
       createFetchOptions(headers, this._withCredentials, this._abortController)
     )
       .then(response => {
+        stream._responseOrigin.resolve(getResponseOrigin(response.url));
+
         if (!validateResponseStatus(response.status)) {
           throw createResponseStatusError(response.status, url);
         }
@@ -216,7 +221,15 @@ class PDFFetchStreamRangeReader {
       url,
       createFetchOptions(headers, this._withCredentials, this._abortController)
     )
-      .then(response => {
+      .then(async response => {
+        const responseOrigin = getResponseOrigin(response.url),
+          fullResponseOrigin = await stream._responseOrigin.promise;
+
+        if (responseOrigin !== fullResponseOrigin) {
+          throw new Error(
+            `Expected range response-origin "${responseOrigin}" to match "${fullResponseOrigin}".`
+          );
+        }
         if (!validateResponseStatus(response.status)) {
           throw createResponseStatusError(response.status, url);
         }
diff --git a/src/display/network.js b/src/display/network.js
@@ -18,6 +18,7 @@ import {
   createHeaders,
   createResponseStatusError,
   extractFilenameFromHeader,
+  getResponseOrigin,
   validateRangeRequestCapabilities,
 } from "./network_utils.js";
 
@@ -39,6 +40,8 @@ function getArrayBuffer(xhr) {
 }
 
 class NetworkManager {
+  _responseOrigin = Promise.withResolvers();
+
   constructor({ url, httpHeaders, withCredentials }) {
     this.url = url;
     this.isHttp = /^https?:/i.test(url);
@@ -273,6 +276,10 @@ class PDFNetworkStreamFullRequestReader {
     const fullRequestXhrId = this._fullRequestId;
     const fullRequestXhr = this._manager.getRequestXhr(fullRequestXhrId);
 
+    this._manager._responseOrigin.resolve(
+      getResponseOrigin(fullRequestXhr.responseURL)
+    );
+
     const rawResponseHeaders = fullRequestXhr.getAllResponseHeaders();
     const responseHeaders = new Headers(
       rawResponseHeaders
@@ -401,10 +408,13 @@ class PDFNetworkStreamFullRequestReader {
 
 /** @implements {IPDFStreamRangeReader} */
 class PDFNetworkStreamRangeRequestReader {
+  #responseOrigin = Promise.withResolvers();
+
   constructor(manager, begin, end) {
     this._manager = manager;
 
     const args = {
+      onHeadersReceived: this._onHeadersReceived.bind(this),
       onDone: this._onDone.bind(this),
       onError: this._onError.bind(this),
       onProgress: this._onProgress.bind(this),
@@ -420,6 +430,14 @@ class PDFNetworkStreamRangeRequestReader {
     this.onClosed = null;
   }
 
+  _onHeadersReceived() {
+    this.#responseOrigin.resolve(
+      getResponseOrigin(
+        this._manager.getRequestXhr(this._requestId)?.responseURL
+      )
+    );
+  }
+
   _close() {
     this.onClosed?.(this);
   }
@@ -460,6 +478,16 @@ class PDFNetworkStreamRangeRequestReader {
   }
 
   async read() {
+    const [responseOrigin, fullResponseOrigin] = await Promise.all([
+      this.#responseOrigin.promise,
+      this._manager._responseOrigin.promise,
+    ]);
+
+    if (responseOrigin !== fullResponseOrigin) {
+      throw new Error(
+        `Expected range response-origin "${responseOrigin}" to match "${fullResponseOrigin}".`
+      );
+    }
     if (this._storedError) {
       throw this._storedError;
     }
diff --git a/src/display/network_utils.js b/src/display/network_utils.js
@@ -36,6 +36,15 @@ function createHeaders(isHttp, httpHeaders) {
   return headers;
 }
 
+function getResponseOrigin(url) {
+  try {
+    return new URL(url).origin;
+  } catch {
+    // `new URL()` will throw on incorrect data.
+  }
+  return null;
+}
+
 function validateRangeRequestCapabilities({
   responseHeaders,
   isHttp,
@@ -116,6 +125,7 @@ export {
   createHeaders,
   createResponseStatusError,
   extractFilenameFromHeader,
+  getResponseOrigin,
   validateRangeRequestCapabilities,
   validateResponseStatus,
 };
