kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/www/firefox15/files/patch-CAN-2005-2871
Pav Lucistnik cfffa5699c - Patch a security vulnerability (DoS, remote execution) in IDN 
(internationalized domain names) subsystem, also known as "hyphen domain
  name bug"

Submitted by:	Marcus Grando
Obtained from:	Mozilla Project CVS,
		https://bugzilla.mozilla.org/show_bug.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&id=307259
Security:	CAN-2005-2871
		http://secunia.com/advisories/16764/
2005-09-10 17:24:31 +00:00

104 lines
4 KiB
Text
Raw Blame History

Index: netwerk/base/src/nsStandardURL.cpp
===================================================================
RCS file: /cvs/mozilla/netwerk/base/src/nsStandardURL.cpp,v
retrieving revision 1.60.16.2
diff -p -u -1 -2 -r1.60.16.2 nsStandardURL.cpp
--- netwerk/base/src/nsStandardURL.cpp 17 Feb 2005 23:40:53 -0000 1.60.16.2
+++ netwerk/base/src/nsStandardURL.cpp 9 Sep 2005 16:34:46 -0000
@@ -403,24 +403,25 @@ nsStandardURL::AppendToBuf(char *buf, PR
// 4- update url segment positions and lengths
nsresult
nsStandardURL::BuildNormalizedSpec(const char *spec)
{
// Assumptions: all member URLSegments must be relative the |spec| argument
// passed to this function.
// buffers for holding escaped url segments (these will remain empty unless
// escaping is required).
nsCAutoString encUsername;
nsCAutoString encPassword;
nsCAutoString encHost;
+ PRBool useEncHost;
nsCAutoString encDirectory;
nsCAutoString encBasename;
nsCAutoString encExtension;
nsCAutoString encParam;
nsCAutoString encQuery;
nsCAutoString encRef;
//
// escape each URL segment, if necessary, and calculate approximate normalized
// spec length.
//
PRInt32 approxLen = 3; // includes room for "://"
@@ -440,34 +441,36 @@ nsStandardURL::BuildNormalizedSpec(const
approxLen += encoder.EncodeSegmentCount(spec, mBasename, esc_FileBaseName, encBasename);
approxLen += encoder.EncodeSegmentCount(spec, mExtension, esc_FileExtension, encExtension);
approxLen += encoder.EncodeSegmentCount(spec, mParam, esc_Param, encParam);
approxLen += encoder.EncodeSegmentCount(spec, mQuery, esc_Query, encQuery);
approxLen += encoder.EncodeSegmentCount(spec, mRef, esc_Ref, encRef);
}
// do not escape the hostname, if IPv6 address literal, mHost will
// already point to a [ ] delimited IPv6 address literal.
// However, perform Unicode normalization on it, as IDN does.
mHostEncoding = eEncoding_ASCII;
if (mHost.mLen > 0) {
+ useEncHost = PR_FALSE;
const nsCSubstring& tempHost =
Substring(spec + mHost.mPos, spec + mHost.mPos + mHost.mLen);
if (IsASCII(tempHost))
approxLen += mHost.mLen;
else {
mHostEncoding = eEncoding_UTF8;
if (gIDNService &&
- NS_SUCCEEDED(gIDNService->Normalize(tempHost, encHost)))
+ NS_SUCCEEDED(gIDNService->Normalize(tempHost, encHost))) {
approxLen += encHost.Length();
- else {
+ useEncHost = PR_TRUE;
+ } else {
encHost.Truncate();
approxLen += mHost.mLen;
}
}
}
//
// generate the normalized URL string
//
mSpec.SetLength(approxLen + 32);
char *buf;
mSpec.BeginWriting(buf);
@@ -483,25 +486,30 @@ nsStandardURL::BuildNormalizedSpec(const
mAuthority.mPos = i;
// append authority
if (mUsername.mLen > 0) {
i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername);
if (mPassword.mLen >= 0) {
buf[i++] = ':';
i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword);
}
buf[i++] = '@';
}
if (mHost.mLen > 0) {
- i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost);
+ if (useEncHost) {
+ mHost.mPos = i;
+ mHost.mLen = encHost.Length();
+ i = AppendToBuf(buf, i, encHost.get(), mHost.mLen);
+ } else
+ i = AppendSegmentToBuf(buf, i, spec, mHost);
net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
if (mPort != -1 && mPort != mDefaultPort) {
nsCAutoString portbuf;
portbuf.AppendInt(mPort);
buf[i++] = ':';
i = AppendToBuf(buf, i, portbuf.get(), portbuf.Length());
}
}
// record authority length
mAuthority.mLen = i - mAuthority.mPos;
Reference in a new issue View git blame Copy permalink