diff options
author | Pale Moon <git-repo@palemoon.org> | 2018-03-18 10:37:51 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-03-18 10:56:47 +0100 |
commit | dda392cd4edb3258889188af5a5644eb8d36aeb7 (patch) | |
tree | 86e29a77a534ade39a8fc2088c48464ea4d385ea /chrome | |
parent | 912aa47acf658ae26ac24bb3f6ca52b04919f2ee (diff) | |
download | UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.gz UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.lz UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.xz UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.zip |
Add extra check for path traversal sanity v2.
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/nsChromeRegistry.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp index 0aa7f3f14..0302b9997 100644 --- a/chrome/nsChromeRegistry.cpp +++ b/chrome/nsChromeRegistry.cpp @@ -234,15 +234,18 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL) aChromeURL->SetPath(path); } else { - // prevent directory traversals ("..") // path is already unescaped once, but uris can get unescaped twice const char* pos = path.BeginReading(); const char* end = path.EndReading(); + if (*pos == '/' || *pos == ' ') { + return NS_ERROR_DOM_BAD_URI; + } while (pos < end) { switch (*pos) { case ':': return NS_ERROR_DOM_BAD_URI; case '.': + // prevent directory traversals ("..") if (pos[1] == '.') return NS_ERROR_DOM_BAD_URI; break; |