Bug 1399325 - Do not allow parsed URLs to exceed max length r=mayhemer
authorValentin Gosu <valentin.gosu@gmail.com>
Fri, 23 Mar 2018 08:49:41 +0100
changeset 414248 40b4fba437ca6e5c136c5bafa22e13ae07427c81
parent 414247 c513037dd5511c2d34e73aa22d9e70d6c18bd15c
child 414249 09c4cd5c8946259f133b10c0844380712c02c912
push id33862
push userdluca@mozilla.com
push dateWed, 18 Apr 2018 16:55:46 +0000
reviewersmayhemer
bugs1399325
milestone61.0a1
Bug 1399325 - Do not allow parsed URLs to exceed max length r=mayhemer When normalizing the spec, some characters get percent encoded, so even if the original input was shorter than the max length, the final result could be longer. MozReview-Commit-ID: 78IDM7Hoa55
netwerk/base/nsStandardURL.cpp
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -776,16 +776,22 @@ nsStandardURL::BuildNormalizedSpec(const
     URLSegment path(mPath);
     URLSegment filepath(mFilepath);
     URLSegment directory(mDirectory);
     URLSegment basename(mBasename);
     URLSegment extension(mExtension);
     URLSegment query(mQuery);
     URLSegment ref(mRef);
 
+    // The encoded string could be longer than the original input, so we need
+    // to check the final URI isn't longer than the max length.
+    if (approxLen + 1 > (uint32_t) net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     //
     // generate the normalized URL string
     //
     // approxLen should be correct or 1 high
     if (!mSpec.SetLength(approxLen+1, fallible)) // buf needs a trailing '\0' below
         return NS_ERROR_OUT_OF_MEMORY;
     char *buf;
     mSpec.BeginWriting(buf);
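Review bot: The new guard converts the limit with a C-style cast, `(uint32_t) net_GetURLMaxLength()`. The function's declaration is not in this hunk, but if it returns a signed value and the configured limit were ever negative, the cast would wrap to a very large bound and the check would stop rejecting anything. I would use `static_cast<uint32_t>(...)` on a value already verified to be positive, and extend the comment to say `// + 1 accounts for the trailing '\0' written below`. The guard is also only as reliable as `approxLen`, which is summed before this hunk begins; it is worth confirming that sum cannot wrap in 32 bits for very large percent-encoded segments. The same cast appears in the assertion added in the second hunk.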
@@ -926,16 +932,19 @@ nsStandardURL::BuildNormalizedSpec(const
             coalesceFlag = (netCoalesceFlags) (coalesceFlag
                                         | NET_COALESCE_ALLOW_RELATIVE_ROOT
                                         | NET_COALESCE_DOUBLE_SLASH_IS_ROOT);
         }
         CoalescePath(coalesceFlag, buf + mDirectory.mPos);
     }
     mSpec.SetLength(strlen(buf));
     NS_ASSERTION(mSpec.Length() <= approxLen, "We've overflowed the mSpec buffer!");
+    MOZ_ASSERT(mSpec.Length() <= (uint32_t) net_GetURLMaxLength(),
+               "The spec should never be this long, we missed a check.");
+
     return NS_OK;
 }
 
 bool
 nsStandardURL::SegmentIs(const URLSegment &seg, const char *val, bool ignoreCase)
 {
     // one or both may be null
     if (!val || mSpec.IsEmpty())
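Review bot: The added `MOZ_ASSERT` is compiled out of release builds, so there the length limit rests entirely on the `approxLen` guard added earlier in BuildNormalizedSpec. A comment above the assertion would make that dependency explicit for whoever next touches the length estimate, for example `// Debug-only sanity check; release builds rely on the approxLen test done before the buffer is sized.` The two bounds also differ by one: the guard rejects `approxLen + 1 > max`, while this assertion accepts `Length() <= max`. That is harmless because the guard is the stricter of the two, but the comment should state which is the intended limit. BuildNormalizedSpec begins outside this hunk.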