Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/nsChromeRegistry.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index 0aa7f3f149..0302b9997d 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -234,15 +234,18 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
 aChromeURL->SetPath(path);
 }
 else {
- // prevent directory traversals ("..")
 // path is already unescaped once, but uris can get unescaped twice
 const char* pos = path.BeginReading();
 const char* end = path.EndReading();
+ if (*pos == '/' || *pos == ' ') {
+ return NS_ERROR_DOM_BAD_URI;
+ }
 while (pos < end) {
 switch (*pos) {
 case ':':
 return NS_ERROR_DOM_BAD_URI;
 case '.':
+ // prevent directory traversals ("..")
 if (pos[1] == '.')
 return NS_ERROR_DOM_BAD_URI;
 break; |
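Review bot: The added `if (*pos == '/' || *pos == ' ')` check reads `*pos` before anything compares `pos` with `end`, so for an empty path it depends on the string buffer being null-terminated; `if (pos < end && (*pos == '/' || *pos == ' ')) {` would make the bound explicit. The check is also undocumented now that the traversal comment has moved down to the `'.'` case; a line such as `// reject a path that starts with '/' or ' '`, followed by the reason, would tell the next reader what it guards against. It tests only the literal first character, while the retained comment says the path can be unescaped a second time, so it is worth confirming that an escaped leading slash or space is rejected by the part of the switch that lies outside this hunk. Canonify starts and ends outside the hunk, so the rest of the switch is not visible here.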