guix/gnu/packages/patches/icecat-CVE-2015-7188.patch
Mark H Weaver 0ca1eb705d gnu: icecat: Add several security fixes.
* gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch,
  gnu/packages/patches/icecat-CVE-2015-7188.patch,
  gnu/packages/patches/icecat-CVE-2015-7189.patch,
  gnu/packages/patches/icecat-CVE-2015-7193.patch,
  gnu/packages/patches/icecat-CVE-2015-7194.patch,
  gnu/packages/patches/icecat-CVE-2015-7196.patch,
  gnu/packages/patches/icecat-CVE-2015-7197.patch,
  gnu/packages/patches/icecat-CVE-2015-7198.patch,
  gnu/packages/patches/icecat-CVE-2015-7199.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
2015-11-07 08:33:16 -05:00


From 23e5bd6ffab4b6fa17a92d0bc58fbd185e9a7e6e Mon Sep 17 00:00:00 2001
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Tue, 13 Oct 2015 11:10:26 +0200
Subject: [PATCH] Bug 1199430 - Reject hostnames containing @. r=mcmanus, a=al
---
docshell/test/unit/test_nsDefaultURIFixup_info.js | 16 ++++++------
netwerk/base/nsStandardURL.cpp | 30 ++++++++++++++---------
netwerk/base/nsStandardURL.h | 2 +-
3 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js
index b178ea9..dbb55c6 100644
--- a/docshell/test/unit/test_nsDefaultURIFixup_info.js
+++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js
@@ -199,12 +199,10 @@ let testcases = [ {
protocolChange: true
}, {
input: "[::1][100",
- fixedURI: "http://[::1][100/",
- alternateURI: "http://[::1][100/",
+ fixedURI: null,
+ alternateURI: null,
keywordLookup: true,
- protocolChange: true,
- affectedByWhitelist: true,
- affectedByDNSForSingleHosts: true,
+ protocolChange: true
}, {
input: "[::1]]",
keywordLookup: true,
@@ -514,15 +512,15 @@ if (Services.appinfo.OS.toLowerCase().startsWith("win")) {
input: "//mozilla",
fixedURI: "file:////mozilla",
protocolChange: true,
- });
+ }); // \ is an invalid character in the hostname until bug 652186 is implemented
testcases.push({
input: "mozilla\\",
- fixedURI: "http://mozilla\\/",
- alternateURI: "http://www.mozilla/",
+ // fixedURI: "http://mozilla\\/",
+ // alternateURI: "http://www.mozilla/",
keywordLookup: true,
protocolChange: true,
affectedByWhitelist: true,
- affectedByDNSForSingleHosts: true,
+ // affectedByDNSForSingleHosts: true,
});
}
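Review bot: The new comment `// \ is an invalid character in the hostname until bug 652186 is implemented` is appended to the `});` that closes the previous test case, so it reads as a remark on the `//mozilla` case rather than on the `mozilla\\` case that follows. It belongs on its own line directly above `testcases.push({`. The expectations for that case are commented out rather than set to `null` as in the `[::1][100` case of the earlier hunk. If the harness treats a missing `fixedURI` as "not checked", which cannot be confirmed from this hunk, then `fixedURI: null` and `alternateURI: null` would pin the rejection instead of leaving it untested.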
diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
index f5f516f..cff90fc 100644
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -427,14 +427,16 @@ nsStandardURL::NormalizeIDN(const nsCSubstring &host, nsCString &result)
}
bool
-nsStandardURL::ValidIPv6orHostname(const char *host)
+nsStandardURL::ValidIPv6orHostname(const char *host, uint32_t length)
{
- if (!host || !*host) {
- // Should not be NULL or empty string
+ if (!host) {
return false;
}
- int32_t length = strlen(host);
+ if (length != strlen(host)) {
+ // Embedded null
+ return false;
+ }
bool openBracket = host[0] == '[';
bool closeBracket = host[length - 1] == ']';
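Review bot: An empty host is no longer rejected before `host[length - 1]` is read. With `length == 0` and `host` pointing at an empty string, the `strlen` comparison passes, the unsigned subtraction wraps, and the index lands far outside the buffer. The removed `!*host` test covered this case; writing the guard as `if (!host || length == 0) {` restores the early return. Callers may already exclude empty hosts, but they are outside this hunk, and the body of ValidIPv6orHostname continues past it.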
@@ -448,8 +450,9 @@ nsStandardURL::ValidIPv6orHostname(const char *host)
return false;
}
- if (PL_strchr(host, ':')) {
- // Hostnames should not contain a colon
+ const char *end = host + length;
+ if (end != net_FindCharInSet(host, end, "\t\n\v\f\r #/:?@[\\]")) {
+ // % is allowed because we don't do hostname percent decoding yet.
return false;
}
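Review bot: The only comment on the new `net_FindCharInSet` check sits inside the reject branch and explains why `%` is absent. Nothing states what the set is for, even though the commit subject mentions only `@`. A comment above the check would help, for example `// Reject whitespace and URL delimiters so the host cannot be re-read as userinfo, port, path, query or fragment.` Because `%` passes, an escaped form of a rejected character is still accepted. It is worth saying next to the set that this check must be revisited when hostname percent-decoding is added. The start of ValidIPv6orHostname, including the bracketed-literal handling, is outside this hunk.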
@@ -587,6 +590,11 @@ nsStandardURL::BuildNormalizedSpec(const char *spec)
approxLen += encHost.Length();
else
approxLen += mHost.mLen;
+
+ if ((useEncHost && !ValidIPv6orHostname(encHost.BeginReading(), encHost.Length())) ||
+ (!useEncHost && !ValidIPv6orHostname(tempHost.BeginReading(), tempHost.Length()))) {
+ return NS_ERROR_MALFORMED_URI;
+ }
}
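Review bot: The two arms of the new condition differ only in which buffer is validated, so a later edit can easily change one and miss the other. Selecting the buffer first and calling the validator once is easier to read, e.g. `const nsCString& checkedHost = useEncHost ? encHost : tempHost;` followed by `if (!ValidIPv6orHostname(checkedHost.BeginReading(), checkedHost.Length()))`, assuming both variables are nsCString-derived (their declarations are outside the hunk). ValidIPv6orHostname compares the length with `strlen()`, so both buffers must be NUL-terminated; a short comment saying so at this call would record that dependency. BuildNormalizedSpec starts and ends outside the hunk.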
//
@@ -1580,14 +1588,10 @@ nsStandardURL::SetHost(const nsACString &input)
if (strchr(host, ' '))
return NS_ERROR_MALFORMED_URI;
- if (!ValidIPv6orHostname(host)) {
- return NS_ERROR_MALFORMED_URI;
- }
-
InvalidateCache();
mHostEncoding = eEncoding_ASCII;
- int32_t len;
+ uint32_t len;
nsAutoCString hostBuf;
if (NormalizeIDN(flat, hostBuf)) {
host = hostBuf.get();
@@ -1596,6 +1600,10 @@ nsStandardURL::SetHost(const nsACString &input)
else
len = flat.Length();
+ if (!ValidIPv6orHostname(host, len)) {
+ return NS_ERROR_MALFORMED_URI;
+ }
+
if (mHost.mLen < 0) {
int port_length = 0;
if (mPort != -1) {
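Review bot: The validity check now runs after `InvalidateCache();` and `mHostEncoding = eEncoding_ASCII;` (context lines of the previous SetHost hunk), so a rejected host returns NS_ERROR_MALFORMED_URI with the cache already invalidated and the encoding already reset. Before this change the check ran ahead of both statements, and a failed SetHost left the object untouched. Validating the normalized host before any member is modified would keep that property. If NormalizeIDN itself updates `mHostEncoding` (its body is outside the hunk), the reset cannot simply move below the check. In that case a comment such as `// NOTE: a rejected host still invalidates the cache and resets mHostEncoding` should at least document the behaviour. SetHost starts and ends outside both hunks.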
diff --git a/netwerk/base/nsStandardURL.h b/netwerk/base/nsStandardURL.h
index 179a618..c56426e 100644
--- a/netwerk/base/nsStandardURL.h
+++ b/netwerk/base/nsStandardURL.h
@@ -173,7 +173,7 @@ private:
void Clear();
void InvalidateCache(bool invalidateCachedFile = true);
- bool ValidIPv6orHostname(const char *host);
+ bool ValidIPv6orHostname(const char *host, uint32_t aLen);
bool NormalizeIDN(const nsCSubstring &host, nsCString &result);
void CoalescePath(netCoalesceFlags coalesceFlag, char *path);
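Review bot: The declaration names the new parameter `aLen` while the definition in nsStandardURL.cpp calls it `length`, and neither place says what the value must be. Using one name, e.g. `bool ValidIPv6orHostname(const char *host, uint32_t length);`, keeps the header and the implementation easy to match. A one-line comment here, such as `// length must equal strlen(host); a mismatch (embedded NUL) is rejected`, would tell callers the contract that the definition enforces.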
--
2.5.0