Bug 1432870. r=bz, a=lizzard
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Tue, 30 Jan 2018 12:07:08 +0000
changeset 452202 43c1a3c2f4c50eac8f1a818b54fd2b25726a3865
parent 452201 24ea37d401ad5d7bcfaf7a5f473b0806010cfee3
child 452203 7cefe9877e46f2eefab2a8169777755b96252743
push id8651
push userryanvm@gmail.com
push dateMon, 05 Feb 2018 20:15:56 +0000
treeherdermozilla-beta@e83f82bb9962 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz, lizzard
bugs1432870
milestone59.0
Bug 1432870. r=bz, a=lizzard
chrome/nsChromeRegistry.cpp
--- a/chrome/nsChromeRegistry.cpp
+++ b/chrome/nsChromeRegistry.cpp
@@ -230,16 +230,22 @@ nsChromeRegistry::Canonify(nsIURL* aChro
     }
     aChromeURL->SetPathQueryRef(path);
   }
   else {
     // prevent directory traversals ("..")
     // path is already unescaped once, but uris can get unescaped twice
     const char* pos = path.BeginReading();
     const char* end = path.EndReading();
+    // Must start with [a-zA-Z0-9].
+    if (!('a' <= *pos && *pos <= 'z') &&
+        !('A' <= *pos && *pos <= 'Z') &&
+        !('0' <= *pos && *pos <= '9')) {
+      return NS_ERROR_DOM_BAD_URI;
+    }
     while (pos < end) {
       switch (*pos) {
         case ':':
           return NS_ERROR_DOM_BAD_URI;
         case '.':
           if (pos[1] == '.')
             return NS_ERROR_DOM_BAD_URI;
           break;