authorValentin Gosu <valentin.gosu@gmail.com>2018-03-22 15:34:43 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-04-19 11:34:13 +0200
commite01e302f1095908f9d0c8ebe0fde6cc7a5d84d69 (patch)
treee5c86e316eb476d89ff96afd2047c2b008bd899d /netwerk
parent09bbda15b26b806c3d63ec5fa4a1f3431c18d96d (diff)
downloaduxp-e01e302f1095908f9d0c8ebe0fde6cc7a5d84d69.tar.gz
Bug 1433609 - Ensure that deserialized URL is correct. r=mayhemer, a=RyanVM
MozReview-Commit-ID: BMQfPzPhDhc
Diffstat (limited to 'netwerk')
-rw-r--r--netwerk/base/nsStandardURL.cpp64
1 files changed, 49 insertions, 15 deletions
diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
index 21c4cf7fdc..0cdd2a7b5c 100644
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -3442,10 +3442,29 @@ ToIPCSegment(const nsStandardURL::URLSegment& aSegment)
}
inline
-nsStandardURL::URLSegment
-FromIPCSegment(const ipc::StandardURLSegment& aSegment)
+MOZ_MUST_USE bool
+FromIPCSegment(const nsACString& aSpec, const ipc::StandardURLSegment& aSegment, nsStandardURL::URLSegment& aTarget)
{
- return nsStandardURL::URLSegment(aSegment.position(), aSegment.length());
+ // This seems to be just an empty segment.
+ if (aSegment.length() == -1) {
+ aTarget = nsStandardURL::URLSegment();
+ return true;
+ }
+
+ // A value of -1 means an empty segment, but < -1 is undefined.
+ if (NS_WARN_IF(aSegment.length() < -1)) {
+ return false;
+ }
+
+ // Make sure the segment does not extend beyond the spec.
+ if (NS_WARN_IF(aSegment.position() + aSegment.length() > aSpec.Length())) {
+ return false;
+ }
+
+ aTarget.mPos = aSegment.position();
+ aTarget.mLen = aSegment.length();
+
+ return true;
}
void
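Review bot: The bounds check `aSegment.position() + aSegment.length() > aSpec.Length()` uses plain integer arithmetic, so a very large position can wrap the sum and make an out-of-range segment look in-range. These values are deserialized from another process and should be treated as untrusted. Assuming position is a 32-bit unsigned field (its declaration is not in this hunk), do the addition in a checked type, e.g. `CheckedInt<uint32_t> end = aSegment.position(); end += aSegment.length();` followed by `if (NS_WARN_IF(!end.isValid() || end.value() > aSpec.Length())) return false;`. The `length() == -1` early return also accepts any position unchecked; that looks harmless because aTarget is reset to a default segment, but a one-line comment saying so would help.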
@@ -3520,23 +3539,38 @@ nsStandardURL::Deserialize(const URIParams& aParams)
mPort = params.port();
mDefaultPort = params.defaultPort();
mSpec = params.spec();
- mScheme = FromIPCSegment(params.scheme());
- mAuthority = FromIPCSegment(params.authority());
- mUsername = FromIPCSegment(params.username());
- mPassword = FromIPCSegment(params.password());
- mHost = FromIPCSegment(params.host());
- mPath = FromIPCSegment(params.path());
- mFilepath = FromIPCSegment(params.filePath());
- mDirectory = FromIPCSegment(params.directory());
- mBasename = FromIPCSegment(params.baseName());
- mExtension = FromIPCSegment(params.extension());
- mQuery = FromIPCSegment(params.query());
- mRef = FromIPCSegment(params.ref());
+
+ NS_ENSURE_TRUE(mSpec.Length() <= (uint32_t) net_GetURLMaxLength(), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.scheme(), mScheme), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.authority(), mAuthority), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.username(), mUsername), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.password(), mPassword), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.host(), mHost), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.path(), mPath), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.filePath(), mFilepath), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.directory(), mDirectory), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.baseName(), mBasename), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.extension(), mExtension), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.query(), mQuery), false);
+ NS_ENSURE_TRUE(FromIPCSegment(mSpec, params.ref(), mRef), false);
+
mOriginCharset = params.originCharset();
mMutable = params.isMutable();
mSupportsFileURL = params.supportsFileURL();
mHostEncoding = params.hostEncoding();
+ // Some sanity checks
+ NS_ENSURE_TRUE(mScheme.mPos == 0, false);
+ NS_ENSURE_TRUE(mScheme.mLen > 0, false);
+ // Make sure scheme is followed by :// (3 characters)
+ NS_ENSURE_TRUE(mScheme.mLen < INT32_MAX - 3, false); // avoid overflow
+ NS_ENSURE_TRUE(mSpec.Length() >= (uint32_t) mScheme.mLen + 3, false);
+ NS_ENSURE_TRUE(nsDependentCSubstring(mSpec, mScheme.mLen, 3).EqualsLiteral("://"), false);
+ NS_ENSURE_TRUE(mPath.mLen != -1 && mSpec.CharAt(mPath.mPos) == '/', false);
+ NS_ENSURE_TRUE(mPath.mPos == mFilepath.mPos, false);
+ NS_ENSURE_TRUE(mQuery.mLen == -1 || mSpec.CharAt(mQuery.mPos - 1) == '?', false);
+ NS_ENSURE_TRUE(mRef.mLen == -1 || mSpec.CharAt(mRef.mPos - 1) == '#', false);
+
// mSpecEncoding and mHostA are just caches that can be recovered as needed.
return true;
}
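Review bot: The query and ref checks call `mSpec.CharAt(mQuery.mPos - 1)` and `mSpec.CharAt(mRef.mPos - 1)` without first requiring a non-zero position. If mPos is unsigned (the `(uint32_t)` casts suggest so, but the declaration is outside this hunk), a deserialized segment with mPos == 0 and a valid length becomes an index far past the buffer. Guard both, e.g. `mQuery.mLen == -1 || (mQuery.mPos > 0 && mSpec.CharAt(mQuery.mPos - 1) == '?')`, and likewise for mRef. The path check has a related edge: a zero-length path at position mSpec.Length() passes FromIPCSegment and then indexes CharAt at the end of the string, so `mPath.mPos < mSpec.Length()` should be required first. Deserialize begins above this hunk; its members are assigned before validation, so a comment should state that callers must discard the object when it returns false.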