Bug 230703 - only accept link header field target when it's first in the value. r=bz
authorJulian Reschke <julian.reschke@gmx.de>
Thu, 04 Aug 2011 08:56:25 +0200
changeset 73809 0cff49ed75df6778f7b4777c1c96ecd8d91e377c
parent 73808 d43b06e79794b2ecd34d8e66afbc77fbedf7f258
child 73810 49f8fb1d048fcc3b8dbbb7fca990b173b76e0af6
push id964
push userdgottwald@mozilla.com
push dateThu, 04 Aug 2011 06:57:09 +0000
treeherdermozilla-inbound@0cff49ed75df [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs230703
milestone8.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 230703 - only accept link header field target when it's first in the value. r=bz
content/base/src/nsContentSink.cpp
--- a/content/base/src/nsContentSink.cpp
+++ b/content/base/src/nsContentSink.cpp
@@ -604,16 +604,19 @@ nsContentSink::LinkContextIsOurDocument(
 }
 
 nsresult
 nsContentSink::ProcessLinkHeader(nsIContent* aElement,
                                  const nsAString& aLinkData)
 {
   nsresult rv = NS_OK;
 
+  // keep track where we are within the header field
+  PRBool seenParameters = PR_FALSE;
+
   // parse link content and call process style link
   nsAutoString href;
   nsAutoString rel;
   nsAutoString title;
   nsAutoString type;
   nsAutoString media;
   nsAutoString anchor;
 
@@ -699,22 +702,25 @@ nsContentSink::ProcessLinkHeader(nsICont
 
     // end string here
     *end = kNullCh;
 
     if (start < end) {
       if ((*start == kLessThan) && (*last == kGreaterThan)) {
         *last = kNullCh;
 
-        if (href.IsEmpty()) { // first one wins
+        // first instance of <...> wins
+        // also, do not allow hrefs after the first param was seen
+        if (href.IsEmpty() && !seenParameters) {
           href = (start + 1);
           href.StripWhitespace();
         }
       } else {
         PRUnichar* equals = start;
+        seenParameters = PR_TRUE;
 
         while ((*equals != kNullCh) && (*equals != kEqual)) {
           equals++;
         }
 
         if (*equals != kNullCh) {
           *equals = kNullCh;
           nsAutoString  attr(start);
@@ -786,16 +792,18 @@ nsContentSink::ProcessLinkHeader(nsICont
       }
 
       href.Truncate();
       rel.Truncate();
       title.Truncate();
       type.Truncate();
       media.Truncate();
       anchor.Truncate();
+      
+      seenParameters = PR_FALSE;
     }
 
     start = ++end;
   }
                 
   href.Trim(" \t\n\r\f"); // trim HTML5 whitespace
   if (!href.IsEmpty() && !rel.IsEmpty()) {
     rv = ProcessLink(aElement, anchor, href, rel, title, type, media);