diff options
author | Gaming4JC <g4jc@bulletmail.org> | 2018-10-09 17:35:00 -0400 |
---|---|---|
committer | Gaming4JC <g4jc@bulletmail.org> | 2018-10-09 17:41:02 -0400 |
commit | 791e7540d3a4208b0182f5cc6f26485f62e1594b (patch) | |
tree | bd0a4b35ccff50c674136b384db18b084317327f | |
parent | bea97848f457fa0b6df515bdf5d2db06fa43c5b8 (diff) | |
download | uxp-791e7540d3a4208b0182f5cc6f26485f62e1594b.tar.gz |
backport m-c 1435319: CVE-2018-12381 - Dropping an Outlook email message into the browser window will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.
-rw-r--r-- | docshell/base/nsDefaultURIFixup.cpp | 29 | ||||
-rw-r--r-- | docshell/test/unit/test_nsDefaultURIFixup_info.js | 8 |
2 files changed, 29 insertions, 8 deletions
diff --git a/docshell/base/nsDefaultURIFixup.cpp b/docshell/base/nsDefaultURIFixup.cpp index e519720ab7..d2876181a9 100644 --- a/docshell/base/nsDefaultURIFixup.cpp +++ b/docshell/base/nsDefaultURIFixup.cpp @@ -154,6 +154,15 @@ HasUserPassword(const nsACString& aStringURI) return false; } +// Assume that 1 tab is accidental, but more than 1 implies this is +// supposed to be tab-separated content. +static bool +MaybeTabSeparatedContent(const nsCString& aStringURI) +{ + auto firstTab = aStringURI.FindChar('\t'); + return firstTab != kNotFound && aStringURI.RFindChar('\t') != firstTab; +} + NS_IMETHODIMP nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI, uint32_t aFixupFlags, @@ -168,8 +177,8 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI, // Eliminate embedded newlines, which single-line text fields now allow: uriString.StripChars("\r\n"); - // Cleanup the empty spaces that might be on each end: - uriString.Trim(" "); + // Cleanup the empty spaces and tabs that might be on each end: + uriString.Trim(" \t"); NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE); @@ -367,12 +376,16 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI, inputHadDuffProtocol = true; } - // NB: this rv gets returned at the end of this method if we never - // do a keyword fixup after this (because the pref or the flags passed - // might not let us). - rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol)); - if (uriWithProtocol) { - info->mFixedURI = uriWithProtocol; + // Note: this rv gets returned at the end of this method if we don't fix up + // the protocol and don't do a keyword fixup after this (because the pref + // or the flags passed might not let us). + rv = NS_OK; + // Avoid fixing up content that looks like tab-separated values + if (!MaybeTabSeparatedContent(uriString)) { + rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol)); + if (uriWithProtocol) { + info->mFixedURI = uriWithProtocol; + } } // See if it is a keyword diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js index c606ac32ef..748aaab93d 100644 --- a/docshell/test/unit/test_nsDefaultURIFixup_info.js +++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js @@ -469,6 +469,14 @@ var testcases = [ { keywordLookup: true, protocolChange: true, affectedByDNSForSingleHosts: true, + }, { + input: " \t mozilla.org/\t \t ", + fixedURI: "http://mozilla.org/", + alternateURI: "http://www.mozilla.org/", + protocolChange: true, + }, { + input: " moz\ti\tlla.org ", + keywordLookup: true, }]; if (Services.appinfo.OS.toLowerCase().startsWith("win")) { |