authorGaming4JC <g4jc@bulletmail.org>2018-10-09 17:35:00 -0400
committerGaming4JC <g4jc@bulletmail.org>2018-10-09 17:41:02 -0400
commite5683f2aa6c1864372e93f509886336114c43ded (patch)
treebd0a4b35ccff50c674136b384db18b084317327f /docshell/base
parenta1b79f6ab1c3f3af6fe88fad42ff930c168eadbd (diff)
downloaduxp-e5683f2aa6c1864372e93f509886336114c43ded.tar.gz
backport m-c 1435319: CVE-2018-12381 - Dropping an Outlook email message into the browser window will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.
Diffstat (limited to 'docshell/base')
-rw-r--r--docshell/base/nsDefaultURIFixup.cpp29
1 files changed, 21 insertions, 8 deletions
diff --git a/docshell/base/nsDefaultURIFixup.cpp b/docshell/base/nsDefaultURIFixup.cpp
index e519720ab7..d2876181a9 100644
--- a/docshell/base/nsDefaultURIFixup.cpp
+++ b/docshell/base/nsDefaultURIFixup.cpp
@@ -154,6 +154,15 @@ HasUserPassword(const nsACString& aStringURI)
return false;
}
+// Assume that 1 tab is accidental, but more than 1 implies this is
+// supposed to be tab-separated content.
+static bool
+MaybeTabSeparatedContent(const nsCString& aStringURI)
+{
+ auto firstTab = aStringURI.FindChar('\t');
+ return firstTab != kNotFound && aStringURI.RFindChar('\t') != firstTab;
+}
+
NS_IMETHODIMP
nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
uint32_t aFixupFlags,
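Review bot: The comment above `MaybeTabSeparatedContent` states the one-tab assumption but not why the check exists or what it leaves open: input with exactly one embedded tab (two columns) still reaches protocol fixup. I would extend it along the lines of `// Keeps dropped tab-separated text (e.g. mail columns) from being fixed up into a URL; two-column input with a single tab is not caught.` so the limit of the heuristic is visible to the next maintainer. The helper is fully inside this hunk; the `GetFixupURIInfo` signature that follows continues outside it.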
@@ -168,8 +177,8 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
// Eliminate embedded newlines, which single-line text fields now allow:
uriString.StripChars("\r\n");
- // Cleanup the empty spaces that might be on each end:
- uriString.Trim(" ");
+ // Cleanup the empty spaces and tabs that might be on each end:
+ uriString.Trim(" \t");
NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
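Review bot: Trimming tabs in `uriString.Trim(" \t")` happens before the `MaybeTabSeparatedContent(uriString)` check added in the third hunk, so leading and trailing tabs no longer count toward the "more than one tab" test. A two-column row with a trailing tab would be reduced to a single embedded tab and, as far as the visible lines show, still go through `FixupURIProtocol`. Consider evaluating the heuristic before the trim, e.g. `const bool maybeTabSeparated = MaybeTabSeparatedContent(uriString);` ahead of this line, and testing that flag later. The code between this hunk and the check is not visible here, so confirm that nothing else rewrites `uriString` in between.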
@@ -367,12 +376,16 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
inputHadDuffProtocol = true;
}
- // NB: this rv gets returned at the end of this method if we never
- // do a keyword fixup after this (because the pref or the flags passed
- // might not let us).
- rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
- if (uriWithProtocol) {
- info->mFixedURI = uriWithProtocol;
+ // Note: this rv gets returned at the end of this method if we don't fix up
+ // the protocol and don't do a keyword fixup after this (because the pref
+ // or the flags passed might not let us).
+ rv = NS_OK;
+ // Avoid fixing up content that looks like tab-separated values
+ if (!MaybeTabSeparatedContent(uriString)) {
+ rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
+ if (uriWithProtocol) {
+ info->mFixedURI = uriWithProtocol;
+ }
}
// See if it is a keyword
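Review bot: On the skip path `rv` stays `NS_OK` while `uriWithProtocol` and `info->mFixedURI` are left unset, so if the keyword fixup below does not run (the comment says the pref or the flags may prevent it) the method appears to return success without a usable URI. The tail of the method is outside this hunk, so this needs checking there, but a failure code for the rejected case would be safer for callers that read `NS_OK` as "a URI is available", e.g. an `else { rv = NS_ERROR_FAILURE; }` branch. It is also worth confirming that the keyword path that follows is the intended destination for dropped multi-tab content, since that would presumably pass the text to the search provider.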