seamonkey-1.1-location_hostname-1.patch on Ticket #2217 – Attachment – BLFS Trac

TabularUnified netwerk/base/src/nsSimpleURI.cpp

Submitted By: Hatzimanikas Agathoklis (a dot hatzim at gmail dot com)
Date: 2007-02-25
Initial Package Version: 1.1
Origin: Upstream
Upstream Status: Applied
Description: Fixes security flaw.
             https://bugzilla.mozilla.org/show_bug.cgi?id=370445

diff -Naur mozilla.orig/netwerk/base/src/nsSimpleURI.cpp mozilla/netwerk/base/src/nsSimpleURI.cpp

-              old
+              new
     NS_EscapeURL(specPtr, specLen, esc_OnlyNonASCII|esc_AlwaysCopy, spec);
     PRInt32 pos = spec.FindChar(':');
     if (pos == -1)
+    if (pos == -1 || !net_IsValidScheme(spec.get(), pos))
         return NS_ERROR_MALFORMED_URI;
     mScheme.Truncate();
 …
 NS_IMETHODIMP
 nsSimpleURI::SetScheme(const nsACString &scheme)
+{
+    const nsPromiseFlatCString &flat = PromiseFlatCString(scheme);
+    if (!net_IsValidScheme(flat)) {
+        NS_ERROR("the given url scheme contains invalid characters");
+        return NS_ERROR_MALFORMED_URI;
+    }
     mScheme = scheme;
     ToLowerCase(mScheme);
     return NS_OK;

TabularUnified netwerk/base/src/nsStandardURL.cpp

diff -Naur mozilla.orig/netwerk/base/src/nsStandardURL.cpp mozilla/netwerk/base/src/nsStandardURL.cpp

-              old
+              new
     if (mHost.mLen > 0) {
         const nsCSubstring& tempHost =
             Substring(spec + mHost.mPos, spec + mHost.mPos + mHost.mLen);
+        if (tempHost.FindChar('\0') != kNotFound)
+            return NS_ERROR_MALFORMED_URI;  // null embedded in hostname
         if ((useEncHost = NormalizeIDN(tempHost, encHost)))
             approxLen += encHost.Length();
         else
 …
         return NS_ERROR_UNEXPECTED;
+    }
+    if (host && strlen(host) < flat.Length())
+        return NS_ERROR_MALFORMED_URI; // found embedded null
     InvalidateCache();
     mHostEncoding = eEncoding_ASCII;

TabularUnified netwerk/base/src/nsURLHelper.cpp

diff -Naur mozilla.orig/netwerk/base/src/nsURLHelper.cpp mozilla/netwerk/base/src/nsURLHelper.cpp

-              old
+              new
 PRBool
 net_IsValidScheme(const char *scheme, PRUint32 schemeLen)
+{
     // first char much be alpha
+    // first char must be alpha
     if (!nsCRT::IsAsciiAlpha(*scheme))
         return PR_FALSE;
+    for (; schemeLen && *scheme; ++scheme, --schemeLen) {
+    // nsCStrings may have embedded nulls -- reject those too
+    for (; schemeLen; ++scheme, --schemeLen) {
         if (!(nsCRT::IsAsciiAlpha(*scheme) ||
               nsCRT::IsAsciiDigit(*scheme) ||
               *scheme == '+' ||

Context Navigation

Ticket #2217: seamonkey-1.1-location_hostname-1.patch

TabularUnified netwerk/base/src/nsSimpleURI.cpp

TabularUnified netwerk/base/src/nsStandardURL.cpp

TabularUnified netwerk/base/src/nsURLHelper.cpp

Download in other formats: