authorGaming4JC <g4jc@bulletmail.org>2018-10-09 17:35:00 -0400
committerGaming4JC <g4jc@bulletmail.org>2018-10-09 17:41:02 -0400
commit791e7540d3a4208b0182f5cc6f26485f62e1594b (patch)
treebd0a4b35ccff50c674136b384db18b084317327f
parentbea97848f457fa0b6df515bdf5d2db06fa43c5b8 (diff)
downloaduxp-791e7540d3a4208b0182f5cc6f26485f62e1594b.tar.gz
backport m-c 1435319: CVE-2018-12381 - Dropping an Outlook email message into the browser window will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.
-rw-r--r--docshell/base/nsDefaultURIFixup.cpp29
-rw-r--r--docshell/test/unit/test_nsDefaultURIFixup_info.js8
2 files changed, 29 insertions, 8 deletions
diff --git a/docshell/base/nsDefaultURIFixup.cpp b/docshell/base/nsDefaultURIFixup.cpp
index e519720ab7..d2876181a9 100644
--- a/docshell/base/nsDefaultURIFixup.cpp
+++ b/docshell/base/nsDefaultURIFixup.cpp
@@ -154,6 +154,15 @@ HasUserPassword(const nsACString& aStringURI)
return false;
}
+// Assume that 1 tab is accidental, but more than 1 implies this is
+// supposed to be tab-separated content.
+static bool
+MaybeTabSeparatedContent(const nsCString& aStringURI)
+{
+ auto firstTab = aStringURI.FindChar('\t');
+ return firstTab != kNotFound && aStringURI.RFindChar('\t') != firstTab;
+}
+
NS_IMETHODIMP
nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
uint32_t aFixupFlags,
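Review bot: `MaybeTabSeparatedContent` only gives the intended answer on a string that has already been trimmed, and its comment does not say so. The call site added later in GetFixupURIInfo passes `uriString`, which appears to have been through `Trim(" \t")` by then, so leading and trailing tabs are not counted; a later caller passing raw input would classify a URL padded with tabs on both sides as tab-separated. I would add `// Expects aStringURI to be already trimmed of leading/trailing spaces and tabs.` to the comment. The comment could also state that content with exactly one interior tab (a two-column row, for instance) is still handed to the protocol fixup, so this guard is a heuristic and not a complete block.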
@@ -168,8 +177,8 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
// Eliminate embedded newlines, which single-line text fields now allow:
uriString.StripChars("\r\n");
- // Cleanup the empty spaces that might be on each end:
- uriString.Trim(" ");
+ // Cleanup the empty spaces and tabs that might be on each end:
+ uriString.Trim(" \t");
NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
@@ -367,12 +376,16 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
inputHadDuffProtocol = true;
}
- // NB: this rv gets returned at the end of this method if we never
- // do a keyword fixup after this (because the pref or the flags passed
- // might not let us).
- rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
- if (uriWithProtocol) {
- info->mFixedURI = uriWithProtocol;
+ // Note: this rv gets returned at the end of this method if we don't fix up
+ // the protocol and don't do a keyword fixup after this (because the pref
+ // or the flags passed might not let us).
+ rv = NS_OK;
+ // Avoid fixing up content that looks like tab-separated values
+ if (!MaybeTabSeparatedContent(uriString)) {
+ rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
+ if (uriWithProtocol) {
+ info->mFixedURI = uriWithProtocol;
+ }
}
// See if it is a keyword
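Review bot: With `rv = NS_OK;` set ahead of the guard, input that trips `MaybeTabSeparatedContent` and then gets no keyword fixup would appear to return success even though this block never assigned `info->mFixedURI`. The rewritten comment confirms this rv is what the method returns in that case, but the tail of GetFixupURIInfo and its callers are outside the hunk, so check whether any caller treats a successful result as implying a usable URI. If that path is meant to fail, start from `rv = NS_ERROR_FAILURE;` instead. If success without a fixed URI is intended for tab-separated input, say so in the comment.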
diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js
index c606ac32ef..748aaab93d 100644
--- a/docshell/test/unit/test_nsDefaultURIFixup_info.js
+++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js
@@ -469,6 +469,14 @@ var testcases = [ {
keywordLookup: true,
protocolChange: true,
affectedByDNSForSingleHosts: true,
+ }, {
+ input: " \t mozilla.org/\t \t ",
+ fixedURI: "http://mozilla.org/",
+ alternateURI: "http://www.mozilla.org/",
+ protocolChange: true,
+ }, {
+ input: " moz\ti\tlla.org ",
+ keywordLookup: true,
}];
if (Services.appinfo.OS.toLowerCase().startsWith("win")) {
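Review bot: The two new cases do not pin the boundary the fix depends on: there is no input with exactly one interior tab, which the comment on MaybeTabSeparatedContent in nsDefaultURIFixup.cpp says is still treated as accidental. I would add one such case, e.g. `input: "moz\tilla.org"` (constructed sample), with the expected fields taken from a run of the patched code. The second case states only `keywordLookup: true`. If the harness does not already treat a missing `fixedURI` as "must be null", an explicit check that tabbed input produces no fixed URI would make this a stronger regression test for CVE-2018-12381.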