Bug 1074485 - Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables, r=MattN
authorHonza Bambas <honzab.moz@firemni.cz>
Wed, 08 Oct 2014 17:07:42 +0200
changeset 232574 73b8074b7299d608ca96fa1368aceb90f4e39506
parent 232573 bbbf658ef840a51cac276ceefb994047062cce81
child 232575 72a705b53e7581e086ee7b4281fad9d45ffd2382
push id4187
push userbhearsum@mozilla.com
push dateFri, 28 Nov 2014 15:29:12 +0000
treeherdermozilla-beta@f23cc6a30c11 [default view] [failures only]
reviewersMattN
bugs1074485
milestone35.0a1
Bug 1074485 - Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables, r=MattN
netwerk/protocol/about/nsAboutCache.cpp
--- a/netwerk/protocol/about/nsAboutCache.cpp
+++ b/netwerk/protocol/about/nsAboutCache.cpp
@@ -180,23 +180,27 @@ nsAboutCache::VisitNextStorage()
 void
 nsAboutCache::FireVisitStorage()
 {
     nsresult rv;
 
     rv = VisitStorage(mStorageName);
     if (NS_FAILED(rv)) {
         if (mLoadInfo) {
+            char* escaped = nsEscapeHTML(mStorageName.get());
             mBuffer.Append(
                 nsPrintfCString("<p>Unrecognized storage name '%s' in about:cache URL</p>",
-                                mStorageName.get()));
+                                escaped));
+            nsMemory::Free(escaped);
         } else {
+            char* escaped = nsEscapeHTML(mContextString.get());
             mBuffer.Append(
                 nsPrintfCString("<p>Unrecognized context key '%s' in about:cache URL</p>",
-                                mContextString.get()));
+                                escaped));
+            nsMemory::Free(escaped);
         }
 
         FlushBuffer();
 
         // Simulate finish of a visit cycle, this tries the next storage
         // or closes the output stream (i.e. the UI loader will stop spinning)
         OnCacheEntryVisitCompleted();
     }
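Review bot: In both branches of `FireVisitStorage()` the pointer returned by `nsEscapeHTML()` goes straight into the `%s` argument with no null check. As far as I know the helper returns null when its allocation fails or the input is too long, so the output then depends on how `nsPrintfCString` formats a null string. Passing `escaped ? escaped : ""` in both calls would make that case explicit. The escape/append/free sequence is duplicated, and a short comment on it would record why the escaping must stay, for example `// Taken from the about:cache URL, so escape before writing it into the page`. Other places in this file that write `mStorageName` or `mContextString` into `mBuffer` are outside this hunk, so it is worth confirming they escape these values too.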