backport m-c 1435319: CVE-2018-12381 - Dropping an Outlook email message into the browser window will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.

pull/1/head
Gaming4JC 4 years ago committed by Roy Tam
parent c7545b7d4e
commit d6206801dd
  1. 29
      docshell/base/nsDefaultURIFixup.cpp
  2. 8
      docshell/test/unit/test_nsDefaultURIFixup_info.js

@ -154,6 +154,15 @@ HasUserPassword(const nsACString& aStringURI)
return false;
}
// Assume that 1 tab is accidental, but more than 1 implies this is
// supposed to be tab-separated content.
static bool
MaybeTabSeparatedContent(const nsCString& aStringURI)
{
auto firstTab = aStringURI.FindChar('\t');
return firstTab != kNotFound && aStringURI.RFindChar('\t') != firstTab;
}
NS_IMETHODIMP
nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
uint32_t aFixupFlags,
@ -168,8 +177,8 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
// Eliminate embedded newlines, which single-line text fields now allow:
uriString.StripChars("\r\n");
// Cleanup the empty spaces that might be on each end:
uriString.Trim(" ");
// Cleanup the empty spaces and tabs that might be on each end:
uriString.Trim(" \t");
NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
@ -367,12 +376,16 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
inputHadDuffProtocol = true;
}
// NB: this rv gets returned at the end of this method if we never
// do a keyword fixup after this (because the pref or the flags passed
// might not let us).
rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
if (uriWithProtocol) {
info->mFixedURI = uriWithProtocol;
// Note: this rv gets returned at the end of this method if we don't fix up
// the protocol and don't do a keyword fixup after this (because the pref
// or the flags passed might not let us).
rv = NS_OK;
// Avoid fixing up content that looks like tab-separated values
if (!MaybeTabSeparatedContent(uriString)) {
rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
if (uriWithProtocol) {
info->mFixedURI = uriWithProtocol;
}
}
// See if it is a keyword
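Review bot: In the third hunk, input that `MaybeTabSeparatedContent` rejects leaves `rv = NS_OK` with `info->mFixedURI` not set by this block, so when no keyword fixup follows, the method appears to report success without a fixed URI. The comment itself says this rv is what gets returned at the end, so callers that read NS_OK as "a usable URI exists" would need a null check. I would say so in the comment, e.g. `// For tab-separated input this stays NS_OK with no mFixedURI; callers must null-check.` The skipped input also still falls through to the keyword step below ("See if it is a keyword"), so dropped tab-separated text could presumably still become a search URL when the caller allows keyword lookup; it is worth confirming that the drop path does not pass that flag. The rest of GetFixupURIInfo lies outside the hunk.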

@ -469,6 +469,14 @@ var testcases = [ {
keywordLookup: true,
protocolChange: true,
affectedByDNSForSingleHosts: true,
}, {
input: " \t mozilla.org/\t \t ",
fixedURI: "http://mozilla.org/",
alternateURI: "http://www.mozilla.org/",
protocolChange: true,
}, {
input: " moz\ti\tlla.org ",
keywordLookup: true,
}];
if (Services.appinfo.OS.toLowerCase().startsWith("win")) {
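Review bot: Neither new case covers exactly one interior tab, which is the boundary `MaybeTabSeparatedContent` draws ("1 tab is accidental, but more than 1 implies ... tab-separated content"). The first input has tabs only at the ends, which `Trim(" \t")` removes before the check, and the second has two interior tabs. I would add a case with a single interior tab, asserting whatever result the fixup is meant to give there, so that a later change to the threshold is caught. The `testcases` array starts outside the hunk.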
