From dda392cd4edb3258889188af5a5644eb8d36aeb7 Mon Sep 17 00:00:00 2001
From: Pale Moon
Date: Sun, 18 Mar 2018 10:37:51 +0100
Subject: Add extra check for path traversal sanity v2.
---
 chrome/nsChromeRegistry.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'chrome')
diff --git a/chrome/nsChromeRegistry.cpp b/chrome/nsChromeRegistry.cpp
index 0aa7f3f14..0302b9997 100644
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -234,15 +234,18 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
 aChromeURL->SetPath(path);
 }
 else {
- // prevent directory traversals ("..")
 // path is already unescaped once, but uris can get unescaped twice
 const char* pos = path.BeginReading();
 const char* end = path.EndReading();
+ if (*pos == '/' || *pos == ' ') {
+ return NS_ERROR_DOM_BAD_URI;
+ }
 while (pos < end) {
 switch (*pos) {
 case ':':
 return NS_ERROR_DOM_BAD_URI;
 case '.':
+ // prevent directory traversals ("..")
 if (pos[1] == '.')
 return NS_ERROR_DOM_BAD_URI;
 break;
-- 
cgit v1.2.3
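Review bot: The new guard `if (*pos == '/' || *pos == ' ')` reads `*pos` before anything in the hunk has established `pos < end`, so it depends on the `else` branch only being reached with a non-empty path or on the string buffer being terminated; the branch condition is outside the hunk, so writing it as `if (pos < end && (*pos == '/' || *pos == ' ')) {` would make that explicit. The guard also carries no comment, while the moved `// prevent directory traversals ("..")` now describes only the `'.'` case; a line such as `// reject a path that begins with '/' or ' ' before scanning the rest` would record the intent. The check tests only the literal first byte, and the kept comment notes that URIs can be unescaped twice, so it is worth confirming that an escaped leading character is rejected by the cases of the `switch` that continue past the end of the hunk.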