From 37aa6600779f04e6849c938f8e041162ca5e78dc Mon Sep 17 00:00:00 2001
From: Mike Perry
Date: Tue, 4 Dec 2012 16:03:13 -0800
Subject: [PATCH] Bug 3547: Block all plugins except flash. We cannot use the @mozilla.org/extensions/blocklist;1 service, because we actually want to stop plugins from ever entering the browser's process space and/or executing code (for example, AV plugins that collect statistics/analyse urls, magical toolbars that phone home or "help" the user, skype buttons that ruin our day, and censorship filters). Hence we rolled our own. See https://trac.torproject.org/projects/tor/ticket/3547#comment:6 for musings on a better way. Until then, it is delta-darwinism for us.
---
 dom/plugins/base/nsPluginHost.cpp | 32 +++++++++++++++++++++++++++++++
 dom/plugins/base/nsPluginHost.h | 2 ++
 2 files changed, 34 insertions(+)
diff --git a/dom/plugins/base/nsPluginHost.cpp b/dom/plugins/base/nsPluginHost.cpp
index 410132450dd97..d373a05754cf4 100644
--- a/dom/plugins/base/nsPluginHost.cpp
+++ b/dom/plugins/base/nsPluginHost.cpp
@@ -1954,6 +1954,34 @@ static bool ShouldAddPlugin(const nsPluginInfo& info, bool flashOnly) {
 return false;
 }
 
+PRBool nsPluginHost::GhettoBlacklist(nsIFile* pluginFile) {
+ nsCString leaf;
+ const char* leafStr;
+ nsresult rv;
+
+ rv = pluginFile->GetNativeLeafName(leaf);
+ if (NS_FAILED(rv)) {
+ return PR_TRUE; // fuck 'em. blacklist.
+ }
+
+ leafStr = leaf.get();
+
+ if (!leafStr) {
+ return PR_TRUE; // fuck 'em. blacklist.
+ }
+
+ // libgnashplugin.so, libflashplayer.so, Flash Player-10.4-10.5.plugin,
+ // NPSWF32.dll, NPSWF64.dll
+ if (strstr(leafStr, "libgnashplugin") == leafStr ||
+ strstr(leafStr, "libflashplayer") == leafStr ||
+ strstr(leafStr, "Flash Player") == leafStr ||
+ strstr(leafStr, "NPSWF") == leafStr) {
+ return PR_FALSE;
+ }
+
+ return PR_TRUE; // fuck 'em. blacklist.
+}
+
 void nsPluginHost::AddPluginTag(nsPluginTag* aPluginTag) {
 aPluginTag->mNext = mPlugins;
 mPlugins = aPluginTag;
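Review bot: The allowlist in `GhettoBlacklist` is only a leaf-name prefix test (`strstr(leafStr, "NPSWF") == leafStr`), so any file in a scanned plugin directory whose name starts with `NPSWF`, `Flash Player`, `libflashplayer` or `libgnashplugin` is accepted, whatever the library actually is. Given the stated goal of keeping third-party code out of the process, that limit should be recorded at the function, e.g. `// Allowlist by file-name prefix only: does not verify the file's origin or contents, so write access to a plugin directory is enough to pass it.` Where the name is fixed (the two `.so` names listed in the comment), an exact comparison would narrow the match. As a smaller point, `strstr(...) == leafStr` scans the whole name to test a prefix, and `strncmp(leafStr, "NPSWF", 5) == 0` states the intent directly. The neighbouring `ShouldAddPlugin` already returns `bool`, so `PRBool`/`PR_TRUE` is inconsistent with the surrounding code.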
@@ -2072,6 +2100,10 @@ nsresult nsPluginHost::ScanPluginsDirectory(nsIFile* pluginsDir,
 continue;
 }
 
+ if (GhettoBlacklist(localfile)) {
+ continue;
+ }
+
 // if it is not found in cache info list or has been changed, create a new
 // one
 if (!pluginTag) {
diff --git a/dom/plugins/base/nsPluginHost.h b/dom/plugins/base/nsPluginHost.h
index 937a949a4606d..39fa993632818 100644
--- a/dom/plugins/base/nsPluginHost.h
+++ b/dom/plugins/base/nsPluginHost.h
@@ -329,6 +329,8 @@ class nsPluginHost final : public nsIPluginHost,
 // Loads all cached plugins info into mCachedPlugins
 nsresult ReadPluginInfo();
 
+ PRBool GhettoBlacklist(nsIFile* pluginFile);
+
 // Given a file path, returns the plugins info from our cache
 // and removes it from the cache.
 void RemoveCachedPluginsInfo(const char* filePath, nsPluginTag** result);
-- 
GitLab
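Review bot: The new `continue` after `GhettoBlacklist(localfile)` in `ScanPluginsDirectory` drops a plugin file silently, so a filtered plugin cannot be told apart from one that was never found; a log line naming the skipped leaf would make the filter auditable. The check also sits after earlier per-file work that is outside this hunk (only its closing `continue; }` is visible). If any of that work opens or loads the library, the name test should move above it so a rejected file is never touched; this needs confirming against the full loop body. A call-site comment such as `// Allowlist by leaf name: everything except Flash/Gnash is skipped before a plugin tag is created.` would also record why the check is here. Whether other paths that populate the plugin list apply the same filter cannot be seen from this hunk.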
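Review bot: `GhettoBlacklist` is declared in `nsPluginHost.h` without a comment, although its neighbours `ReadPluginInfo` and `RemoveCachedPluginsInfo` each carry one, and neither the name nor the `PRBool` return type says which value means "skip". Suggested comment: `// Returns PR_TRUE when pluginFile must NOT be loaded; only leaf names starting with a known Flash/Gnash prefix return PR_FALSE. Fails closed if the leaf name cannot be read.` The name describes a blocklist while the logic is an allowlist, so a neutral name such as `IsPluginFileBlocked` would read more accurately at the call site. The class body starts and ends outside this hunk.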