summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--chrome/nsChromeRegistry.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index 0aa7f3f14..0302b9997 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -234,15 +234,18 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
aChromeURL->SetPath(path);
}
else {
- // prevent directory traversals ("..")
// path is already unescaped once, but uris can get unescaped twice
const char* pos = path.BeginReading();
const char* end = path.EndReading();
+ if (*pos == '/' || *pos == ' ') {
+ return NS_ERROR_DOM_BAD_URI;
+ }
while (pos < end) {
switch (*pos) {
case ':':
return NS_ERROR_DOM_BAD_URI;
case '.':
+ // prevent directory traversals ("..")
if (pos[1] == '.')
return NS_ERROR_DOM_BAD_URI;
break;