Add extra check for path traversal sanity.

author: Pale Moon <git-repo@palemoon.org> 2018-03-17 13:23:28 +0100
committer: Pale Moon <git-repo@palemoon.org> 2018-03-17 13:23:28 +0100
commit: 5885484548dbc77177ac744d5cca416e8f1871df (patch)
tree: 38c8a067773f8914887f9b5569a1a0051de68a6e
parent: 0d66b1d067e015b3676bd323d79b11d38953a269 (diff)
download: palemoon-gre-5885484548dbc77177ac744d5cca416e8f1871df.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index c1422088b..c8127d7eb 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -231,6 +231,12 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
     // path is already unescaped once, but uris can get unescaped twice
     const char* pos = path.BeginReading();
     const char* end = path.EndReading();
+    // Must start with [a-zA-Z0-9].
+    if (!('a' <= *pos && *pos <= 'z') &&
+        !('A' <= *pos && *pos <= 'Z') &&
+        !('0' <= *pos && *pos <= '9')) {
+      return NS_ERROR_DOM_BAD_URI;
+    }
     while (pos < end) {
       switch (*pos) {
         case ':':
author	Pale Moon <git-repo@palemoon.org>	2018-03-17 13:23:28 +0100
committer	Pale Moon <git-repo@palemoon.org>	2018-03-17 13:23:28 +0100
commit	5885484548dbc77177ac744d5cca416e8f1871df (patch)
tree	38c8a067773f8914887f9b5569a1a0051de68a6e
parent	0d66b1d067e015b3676bd323d79b11d38953a269 (diff)
download	palemoon-gre-5885484548dbc77177ac744d5cca416e8f1871df.tar.gz