| Commit message (Collapse) | Author | Age | Lines |
|
|
|
| |
exploited for non-binary projects
|
|\
| |
| | |
Issue #792 - backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
origins
Potential attack: session supercookie.
[Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5):
"The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that.
What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak."
[Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8):
"nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers).
So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
|
|\ \
| | |
| | | |
backport mozbug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp r=mayhemer
|
| |/
| |
| |
| |
| |
| |
| |
| | |
r=mayhemer
The original code (from bug 1200802) declared an XPCOM object as a static bare pointer,
which for future reference is probably never the right thing to do. It might have worked if
it was cleared before shutdown but it never was.
|
| | |
|
|\ \
| | |
| | | |
backport mozbug 1344613 - Avoid possibility of null pointer crash in nsSOCKSIOLayer.cpp r=mayhemer
|
| |/
| |
| |
| | |
nsSOCKSIOLayer.cpp r=mayhemer
|
|\ \
| |/
|/| |
gfx: add pref for enabling APZ without e10s
|
| | |
|
|\| |
|
| |\
| | |
| | | |
Remove window.sizeToContent() from commonDialog.js, as it's useless and leads to overflow in the basic auth dialog
|
| |/
| |
| |
| | |
leads to overflow in the basic auth dialog
|
|/ |
|
| |
|
| |
|
|
|
|
|
|
| |
BrowserUtils.principalFromOrigin()
This resolves #734.
|
|\
| |
| | |
Fix more -Wclass-memaccess warnings (part 3)
|
| |
| |
| |
| |
| |
| | |
freshly initializes the TemporaryTypeSet* provided to it.
Also removes existing code that, quite unnecessarily, partly initialized that argument.
|
| |
| |
| |
| | |
Standard std::copy and std::copy_n are readily optimized to the same thing, and they don't have a non-obvious requirement that the type being copied be trivial.
|
| |
| |
| |
| |
| |
| | |
constructor, and copy-assignment operator.
This also allows uint8_clamped to be permissibly memmove'd and memcpy'd.
|
|\ \
| |/
|/| |
[PALEMOON] Restore strings mistakenly removed from downloads.properties
|
|/
|
|
| |
[8be0c16be614d54183ee3d4877e2243cb9e468c8]
|
|\
| |
| | |
Fix timer overflow on converting from sec to msec in idleService
|
|/ |
|
|
|
|
| |
This resolves #776.
|
|\ |
|
| |
| |
| |
| |
| |
| | |
A case of "one queue too many" here. Instead of worker runnables being sent to the main thread
where they are supposed to run, they are put in a task queue per-worker. This is devastating
for performance if many workers are running.
|
| | |
|
| | |
|
| |
| |
| |
| | |
This is a rewrite of the document by Moonchild. Although the rough layout of the previous document is maintained, it is a significantly expanded and rewritten version no longer related to the contributor-covenant version that was initially used.
|
| |
| |
| |
| |
| |
| |
| |
| | |
"about:home" (#774)
* Use SessionStore.promiseInitialized() to avoid race condition in "about:home"
* Improve code style of [d6c3adb91c9f29786f8ed8d93baa14c076494017]
|
| | |
|
|\ \
| | |
| | | |
Skip notifications for background tabs when restoring a session in Pale Moon and Basilisk
|
| | | |
|
|/ / |
|
|\ \
| |/
|/| |
Fix more -Wclass-memaccess warnings (part 2)
|
| |
| |
| |
| | |
VirtualRegister instances
|
| |
| |
| |
| | |
memset-on-nontrivial warnings with gcc that don't matter for an object whose lifetime is about to end
|
| | |
|
| | |
|
| |
| |
| |
| | |
Includes a standalone reftest.
|
|\| |
|
| |
| |
| |
| | |
Tag #447
|
| |
| |
| |
| | |
Follow-up to 9830cd079d8306abc223461190553af64b6fd0ca
|
|/ |
|
|\ |
|
| |
| |
| |
| | |
Allow the pref to switch between global search term and per-tab search term
|
| | |
|
| |
| |
| |
| | |
This reverts commit fb291846a59f9b8eaf8bba29e0d9794893e895bf.
|