author | Pale Moon <git-repo@palemoon.org> | 2015-11-25 21:59:31 +0100 |
---|---|---|
committer | Pale Moon <git-repo@palemoon.org> | 2015-11-25 22:01:09 +0100 |
commit | 16576423b528e669b6cfda2c3577f60dde2cc0fa (patch) | |
tree | 9fc0dcb73fa0c5497969d08e7e5708b570fede96 | |
parent | c124a93c0c036b5a2a7fba7cbfd3ab3f5b44c2b6 (diff) | |
download | palemoon-v25_Dev.tar.gz |
CSP: Make sure to only grab a port as :nnnn from the origin host, not the entire string.v25_Dev
-rw-r--r-- | content/base/src/CSPUtils.jsm | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/content/base/src/CSPUtils.jsm b/content/base/src/CSPUtils.jsm index 049bb0add..4a17a88be 100644 --- a/content/base/src/CSPUtils.jsm +++ b/content/base/src/CSPUtils.jsm @@ -1370,8 +1370,13 @@ CSPSource.fromString = function(aStr, aCSPRep, self, enforceSelfChecks) { hostMatch[0] = hostMatch[0].replace(R_FILE, ""); hostMatch[0] = hostMatch[0].replace(R_PATH, ""); - var portMatch = R_PORT.exec(hostMatch); - + // Host regex also gets port, so grab it from there to avoid :nnnn sequence + // matches later on in the path/URLs. + // XXX: If paths are going to be checked, this will probably need to be + // changed to use the host-only string as a source (which is now just the + // main source string). + var portMatch = R_PORT.exec(hostMatch[0]); + // Host regex also gets port, so remove the port here. if (portMatch) hostMatch = R_HOSTSRC.exec(hostMatch[0].substring(0, hostMatch[0].length - portMatch[0].length)); |
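Review bot: The port removal in the trailing context still strips `portMatch[0].length` characters from the end of `hostMatch[0]`, which is only correct when the match found by the new `R_PORT.exec(hostMatch[0])` is a suffix of that string. R_PORT is defined outside this hunk, so it is not visible whether the pattern is end-anchored; if it is not, a `:nnnn` sequence earlier in the string would cut the wrong characters off the host and the parsed CSP source would differ from what the policy author wrote. Consider guarding with `if (portMatch && portMatch.index + portMatch[0].length === hostMatch[0].length)` or anchoring the pattern, and rejecting the source expression when the match is not a suffix. The XXX comment would also be clearer if it named the variable it means by "host-only string". The body of CSPSource.fromString starts and ends outside the hunk.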