summaryrefslogtreecommitdiffstats
path: root/netwerk
diff options
context:
space:
mode:
Diffstat (limited to 'netwerk')
-rw-r--r--netwerk/protocol/http/Http2Compression.cpp26
-rw-r--r--netwerk/protocol/http/nsHttpChannel.cpp9
-rw-r--r--netwerk/protocol/http/nsHttpChannel.h4
-rw-r--r--netwerk/protocol/http/nsHttpPipeline.cpp5
-rw-r--r--netwerk/sctp/datachannel/DataChannel.cpp1
-rw-r--r--netwerk/streamconv/converters/nsIndexedToHTML.cpp20
6 files changed, 55 insertions, 10 deletions
diff --git a/netwerk/protocol/http/Http2Compression.cpp b/netwerk/protocol/http/Http2Compression.cpp
index 64fd05a17..9206f8b4c 100644
--- a/netwerk/protocol/http/Http2Compression.cpp
+++ b/netwerk/protocol/http/Http2Compression.cpp
@@ -402,7 +402,7 @@ Http2Decompressor::DecodeHeaderBlock(const uint8_t *data, uint32_t datalen,
nsresult rv = NS_OK;
nsresult softfail_rv = NS_OK;
- while (NS_SUCCEEDED(rv) && (mOffset < datalen)) {
+ while (NS_SUCCEEDED(rv) && (mOffset < mDataLen)) {
bool modifiesTable = true;
if (mData[mOffset] & 0x80) {
rv = DoIndexed();
@@ -684,6 +684,11 @@ nsresult
Http2Decompressor::DecodeFinalHuffmanCharacter(const HuffmanIncomingTable *table,
uint8_t &c, uint8_t &bitsLeft)
{
+ MOZ_ASSERT(mOffset <= mDataLen);
+ if (mOffset > mDataLen) {
+ NS_WARNING("DecodeFinalHuffmanCharacter trying to read beyond end of buffer");
+ return NS_ERROR_FAILURE;
+ }
uint8_t mask = (1 << bitsLeft) - 1;
uint8_t idx = mData[mOffset - 1] & mask;
idx <<= (8 - bitsLeft);
@@ -721,6 +726,7 @@ Http2Decompressor::DecodeFinalHuffmanCharacter(const HuffmanIncomingTable *table
uint8_t
Http2Decompressor::ExtractByte(uint8_t bitsLeft, uint32_t &bytesConsumed)
{
+ MOZ_DIAGNOSTIC_ASSERT(mOffset < mDataLen);
uint8_t rv;
if (bitsLeft) {
@@ -750,8 +756,8 @@ Http2Decompressor::DecodeHuffmanCharacter(const HuffmanIncomingTable *table,
uint8_t idx = ExtractByte(bitsLeft, bytesConsumed);
if (table->IndexHasANextTable(idx)) {
- if (bytesConsumed >= mDataLen) {
- if (!bitsLeft || (bytesConsumed > mDataLen)) {
+ if (mOffset >= mDataLen) {
+ if (!bitsLeft || (mOffset > mDataLen)) {
// TODO - does this get me into trouble in the new world?
// No info left in input to try to consume, we're done
LOG(("DecodeHuffmanCharacter all out of bits to consume, can't chain"));
@@ -892,6 +898,13 @@ Http2Decompressor::DoLiteralInternal(nsACString &name, nsACString &value,
return rv;
}
+ // sanity check
+ if (mOffset >= mDataLen) {
+ NS_WARNING("Http2 Decompressor ran out of data");
+ // This is session-fatal
+ return NS_ERROR_FAILURE;
+ }
+
bool isHuffmanEncoded;
if (!index) {
@@ -919,6 +932,13 @@ Http2Decompressor::DoLiteralInternal(nsACString &name, nsACString &value,
return rv;
}
+ // sanity check
+ if (mOffset >= mDataLen) {
+ NS_WARNING("Http2 Decompressor ran out of data");
+ // This is session-fatal
+ return NS_ERROR_FAILURE;
+ }
+
// now the value
uint32_t valueLen;
isHuffmanEncoded = mData[mOffset] & (1 << 7);
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index bb0b3ca77..be5539a02 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -313,11 +313,15 @@ nsHttpChannel::nsHttpChannel()
, mPushedStream(nullptr)
, mLocalBlocklist(false)
, mWarningReporter(nullptr)
+ , mSendUpgradeRequest(false)
, mDidReval(false)
{
LOG(("Creating nsHttpChannel [this=%p]\n", this));
mChannelCreationTime = PR_Now();
mChannelCreationTimestamp = TimeStamp::Now();
+
+ mSendUpgradeRequest =
+ Preferences::GetBool("network.http.upgrade-insecure-requests", false);
}
nsHttpChannel::~nsHttpChannel()
@@ -377,8 +381,9 @@ nsHttpChannel::Connect()
mLoadInfo->GetExternalContentPolicyType() :
nsIContentPolicy::TYPE_OTHER;
- if (type == nsIContentPolicy::TYPE_DOCUMENT ||
- type == nsIContentPolicy::TYPE_SUBDOCUMENT) {
+ if (mSendUpgradeRequest &&
+ (type == nsIContentPolicy::TYPE_DOCUMENT ||
+ type == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
rv = SetRequestHeader(NS_LITERAL_CSTRING("Upgrade-Insecure-Requests"),
NS_LITERAL_CSTRING("1"), false);
NS_ENSURE_SUCCESS(rv, rv);
diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h
index 2e24d6e81..152cf1503 100644
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -597,6 +597,10 @@ private:
HttpChannelSecurityWarningReporter* mWarningReporter;
RefPtr<ADivertableParentChannel> mParentChannel;
+
+ // Whether we send opportunistic encryption requests.
+ bool mSendUpgradeRequest;
+
protected:
virtual void DoNotifyListenerCleanup() override;
diff --git a/netwerk/protocol/http/nsHttpPipeline.cpp b/netwerk/protocol/http/nsHttpPipeline.cpp
index 293de8e39..4f5777244 100644
--- a/netwerk/protocol/http/nsHttpPipeline.cpp
+++ b/netwerk/protocol/http/nsHttpPipeline.cpp
@@ -291,6 +291,11 @@ nsHttpPipeline::PushBack(const char *data, uint32_t length)
MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread);
MOZ_ASSERT(mPushBackLen == 0, "push back buffer already has data!");
+ // Some bad behaving proxies may yank the connection out from under us.
+ // Check if we still have a connection to work with.
+ if (!mConnection)
+ return NS_ERROR_FAILURE;
+
// If we have no chance for a pipeline (e.g. due to an Upgrade)
// then push this data down to original connection
if (!mConnection->IsPersistent())
diff --git a/netwerk/sctp/datachannel/DataChannel.cpp b/netwerk/sctp/datachannel/DataChannel.cpp
index f2a91c589..ebc430f8c 100644
--- a/netwerk/sctp/datachannel/DataChannel.cpp
+++ b/netwerk/sctp/datachannel/DataChannel.cpp
@@ -276,6 +276,7 @@ DataChannelConnection::Destroy()
LOG(("Deregistered %p from the SCTP stack.", static_cast<void *>(this)));
}
+ mListener = nullptr;
// Finish Destroy on STS thread to avoid bug 876167 - once that's fixed,
// the usrsctp_close() calls can move back here (and just proxy the
// disconnect_all())
diff --git a/netwerk/streamconv/converters/nsIndexedToHTML.cpp b/netwerk/streamconv/converters/nsIndexedToHTML.cpp
index 0414c4841..29fea8bfb 100644
--- a/netwerk/streamconv/converters/nsIndexedToHTML.cpp
+++ b/netwerk/streamconv/converters/nsIndexedToHTML.cpp
@@ -146,7 +146,14 @@ nsIndexedToHTML::DoOnStartRequest(nsIRequest* request, nsISupports *aContext,
nsAutoCString baseUri, titleUri;
rv = uri->GetAsciiSpec(baseUri);
if (NS_FAILED(rv)) return rv;
- titleUri = baseUri;
+
+ nsCOMPtr<nsIURI> titleURL;
+ rv = uri->Clone(getter_AddRefs(titleURL));
+ if (NS_FAILED(rv)) titleURL = uri;
+ rv = titleURL->SetQuery(EmptyCString());
+ if (NS_FAILED(rv)) titleURL = uri;
+ rv = titleURL->SetRef(EmptyCString());
+ if (NS_FAILED(rv)) titleURL = uri;
nsCString parentStr;
@@ -170,16 +177,14 @@ nsIndexedToHTML::DoOnStartRequest(nsIRequest* request, nsISupports *aContext,
// that - see above
nsAutoCString pw;
- rv = uri->GetPassword(pw);
+ rv = titleURL->GetPassword(pw);
if (NS_FAILED(rv)) return rv;
if (!pw.IsEmpty()) {
nsCOMPtr<nsIURI> newUri;
- rv = uri->Clone(getter_AddRefs(newUri));
+ rv = titleURL->Clone(getter_AddRefs(newUri));
if (NS_FAILED(rv)) return rv;
rv = newUri->SetPassword(EmptyCString());
if (NS_FAILED(rv)) return rv;
- rv = newUri->GetAsciiSpec(titleUri);
- if (NS_FAILED(rv)) return rv;
}
nsAutoCString path;
@@ -247,6 +252,11 @@ nsIndexedToHTML::DoOnStartRequest(nsIRequest* request, nsISupports *aContext,
}
}
+ rv = titleURL->GetAsciiSpec(titleUri);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
buffer.AppendLiteral("<style type=\"text/css\">\n"
":root {\n"
" font-family: sans-serif;\n"
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-19 15:56:41 +0000