From 791e7540d3a4208b0182f5cc6f26485f62e1594b Mon Sep 17 00:00:00 2001
From: Gaming4JC
Date: Tue, 9 Oct 2018 17:35:00 -0400
Subject: backport m-c 1435319: CVE-2018-12381 - Dropping an Outlook email message into the browser window will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.

---
 docshell/base/nsDefaultURIFixup.cpp               | 29 ++++++++++++++++-------
 docshell/test/unit/test_nsDefaultURIFixup_info.js |  8 +++++++
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/docshell/base/nsDefaultURIFixup.cpp b/docshell/base/nsDefaultURIFixup.cpp
index e519720ab..d2876181a 100644
--- a/docshell/base/nsDefaultURIFixup.cpp
+++ b/docshell/base/nsDefaultURIFixup.cpp
@@ -154,6 +154,15 @@ HasUserPassword(const nsACString& aStringURI)
   return false;
 }
 
+// Assume that 1 tab is accidental, but more than 1 implies this is
+// supposed to be tab-separated content.
+static bool
+MaybeTabSeparatedContent(const nsCString& aStringURI)
+{
+  auto firstTab = aStringURI.FindChar('\t');
+  return firstTab != kNotFound && aStringURI.RFindChar('\t') != firstTab;
+}
+
 NS_IMETHODIMP
 nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
                                    uint32_t aFixupFlags,
@@ -168,8 +177,8 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
   // Eliminate embedded newlines, which single-line text fields now allow:
   uriString.StripChars("\r\n");
 
-  // Cleanup the empty spaces that might be on each end:
-  uriString.Trim(" ");
+  // Cleanup the empty spaces and tabs that might be on each end:
+  uriString.Trim(" \t");
 
   NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
 
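Review bot: The header comment on MaybeTabSeparatedContent does not say that it is meant to be called only after the `uriString.Trim(" \t")` introduced a few lines below, so a reader may think leading or trailing tabs count toward the two-tab threshold when in fact only interior tabs do. A short addition such as `// Expects a string whose ends have already been trimmed of spaces and tabs (see GetFixupURIInfo), so only interior tabs are counted.` would make that contract explicit at the definition rather than leaving it implied by call order. Separately, the helper takes `const nsCString&` while the neighbouring HasUserPassword takes `const nsACString&`; if RFindChar is available on the abstract type, `static bool MaybeTabSeparatedContent(const nsACString& aStringURI)` would keep the two helper signatures consistent.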
@@ -367,12 +376,16 @@ nsDefaultURIFixup::GetFixupURIInfo(const nsACString& aStringURI,
     inputHadDuffProtocol = true;
   }
 
-  // NB: this rv gets returned at the end of this method if we never
-  // do a keyword fixup after this (because the pref or the flags passed
-  // might not let us).
-  rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
-  if (uriWithProtocol) {
-    info->mFixedURI = uriWithProtocol;
+  // Note: this rv gets returned at the end of this method if we don't fix up
+  // the protocol and don't do a keyword fixup after this (because the pref
+  // or the flags passed might not let us).
+  rv = NS_OK;
+  // Avoid fixing up content that looks like tab-separated values
+  if (!MaybeTabSeparatedContent(uriString)) {
+    rv = FixupURIProtocol(uriString, info, getter_AddRefs(uriWithProtocol));
+    if (uriWithProtocol) {
+      info->mFixedURI = uriWithProtocol;
+    }
   }
 
   // See if it is a keyword
diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js
index c606ac32e..748aaab93 100644
--- a/docshell/test/unit/test_nsDefaultURIFixup_info.js
+++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js
@@ -469,6 +469,14 @@ var testcases = [ {
     keywordLookup: true,
     protocolChange: true,
     affectedByDNSForSingleHosts: true,
+  }, {
+    input: " \t mozilla.org/\t \t ",
+    fixedURI: "http://mozilla.org/",
+    alternateURI: "http://www.mozilla.org/",
+    protocolChange: true,
+  }, {
+    input: " moz\ti\tlla.org ",
+    keywordLookup: true,
   }];
 
 if (Services.appinfo.OS.toLowerCase().startsWith("win")) {
-- 
cgit v1.2.3
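Review bot: When MaybeTabSeparatedContent returns true, `rv` stays at NS_OK and `info->mFixedURI` is never assigned, but the one-line comment `// Avoid fixing up content that looks like tab-separated values` does not say that leaving the URI unset is the intended outcome rather than an oversight. Expanding it to `// Tab-separated input (e.g. rows dropped from a mail client or spreadsheet) must not be turned into a navigable URL; leave mFixedURI unset so the caller falls back to a keyword lookup.` would record the rationale next to the skip, and it matches the " moz\ti\tlla.org " test case in the next hunk, which expects keywordLookup rather than a fixedURI. The rest of GetFixupURIInfo, including the keyword path that is now reached with a null mFixedURI, lies outside the hunk, so whether later code tolerates that state cannot be confirmed here.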
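Review bot: The two new test cases cover the trimmed-ends case and the two-interior-tab case but not the single-interior-tab case, which the helper's comment in the first hunk says is treated as accidental and therefore still receives protocol fixup. A third entry such as `input: " moz\tilla.org "` with whatever fixedURI the implementation actually produces would pin that boundary so a later change to the tab threshold cannot silently alter it. The expected value for that input is not visible on this page, so it should be taken from a run rather than assumed.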