summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-03-17 13:22:41 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-03-17 13:22:41 +0100
commit41bd3e2599696771485c9dc75a7e27b94c0597fb (patch)
tree120e03adef2d3551ad6e86561b747dfbbccd713c
parent191ec5415b5bc6f06cc5cd7b1d907575eb928332 (diff)
downloadUXP-41bd3e2599696771485c9dc75a7e27b94c0597fb.tar
UXP-41bd3e2599696771485c9dc75a7e27b94c0597fb.tar.gz
UXP-41bd3e2599696771485c9dc75a7e27b94c0597fb.tar.lz
UXP-41bd3e2599696771485c9dc75a7e27b94c0597fb.tar.xz
UXP-41bd3e2599696771485c9dc75a7e27b94c0597fb.zip
Add extra check for path traversal sanity.
-rw-r--r--chrome/nsChromeRegistry.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index 0aa7f3f14..e88aca41f 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -238,6 +238,12 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
// path is already unescaped once, but uris can get unescaped twice
const char* pos = path.BeginReading();
const char* end = path.EndReading();
+ // Must start with [a-zA-Z0-9].
+ if (!('a' <= *pos && *pos <= 'z') &&
+ !('A' <= *pos && *pos <= 'Z') &&
+ !('0' <= *pos && *pos <= '9')) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
while (pos < end) {
switch (*pos) {
case ':':