Merge pull request 'Guard against empty update manifest URL' (#1910) from athenian200/UXP:empty-manifest-url into master

Reviewed-on: https://repo.palemoon.org/MoonchildProductions/UXP/pulls/1910

2 files changed, 13 insertions, 1 deletions

diff --git a/toolkit/mozapps/extensions/internal/AddonUpdateChecker.jsm b/toolkit/mozapps/extensions/internal/AddonUpdateChecker.jsm
index 0dfb7cd109..7eb8c9b9d5 100644
--- a/toolkit/mozapps/extensions/internal/AddonUpdateChecker.jsm
+++ b/toolkit/mozapps/extensions/internal/AddonUpdateChecker.jsm
@@ -611,6 +611,14 @@ function UpdateParser(aId, aUpdateKey, aUrl, aObserver) {
   let requireBuiltIn = Services.prefs.getBoolPref(PREF_UPDATE_REQUIREBUILTINCERTS, true);
 
   logger.debug("Requesting " + aUrl);
+
+  if (!aUrl) {
+    logger.warn("Request failed: empty update manifest URL");
+    this._doneAt = new Error("UP_emptyManifestURL");
+    this.notifyError(AddonUpdateChecker.ERROR_DOWNLOAD_ERROR);
+    return;
+  }
+
   try {
     this.request = new ServiceRequest();
     this.request.open("GET", this.url, true);
diff --git a/toolkit/mozapps/extensions/internal/XPIProvider.jsm b/toolkit/mozapps/extensions/internal/XPIProvider.jsm
index dbb1a18dd1..d266ab6fac 100644
--- a/toolkit/mozapps/extensions/internal/XPIProvider.jsm
+++ b/toolkit/mozapps/extensions/internal/XPIProvider.jsm
@@ -6129,7 +6129,11 @@ function UpdateChecker(aAddon, aListener, aReason, aAppVersion, aPlatformVersion
   if ("onUpdateAvailable" in this.listener)
     aReason |= UPDATE_TYPE_NEWVERSION;
 
-  let url = escapeAddonURI(aAddon, updateURL, aReason, aAppVersion);
+  // Don't perform substitutions on the update URL if we still don't
+  // have one at this point.
+  let url = updateURL ?
+            escapeAddonURI(aAddon, url, aReason, aAppVersion) :
+            updateURL;
   this._parser = AddonUpdateChecker.checkForUpdates(aAddon.id, aAddon.updateKey,
                                                     url, this);
 }