summaryrefslogtreecommitdiffstats
path: root/chrome
diff options
context:
space:
mode:
authorPale Moon <git-repo@palemoon.org>2018-03-18 10:37:51 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-03-18 10:56:47 +0100
commitdda392cd4edb3258889188af5a5644eb8d36aeb7 (patch)
tree86e29a77a534ade39a8fc2088c48464ea4d385ea /chrome
parent912aa47acf658ae26ac24bb3f6ca52b04919f2ee (diff)
downloadUXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar
UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.gz
UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.lz
UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.tar.xz
UXP-dda392cd4edb3258889188af5a5644eb8d36aeb7.zip
Add extra check for path traversal sanity v2.
Diffstat (limited to 'chrome')
-rw-r--r--chrome/nsChromeRegistry.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index 0aa7f3f14..0302b9997 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -234,15 +234,18 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
aChromeURL->SetPath(path);
}
else {
- // prevent directory traversals ("..")
// path is already unescaped once, but uris can get unescaped twice
const char* pos = path.BeginReading();
const char* end = path.EndReading();
+ if (*pos == '/' || *pos == ' ') {
+ return NS_ERROR_DOM_BAD_URI;
+ }
while (pos < end) {
switch (*pos) {
case ':':
return NS_ERROR_DOM_BAD_URI;
case '.':
+ // prevent directory traversals ("..")
if (pos[1] == '.')
return NS_ERROR_DOM_BAD_URI;
break;