Bug 1010594 - Part 1/2 OCSP url check - r=briansmith

--HG--
extra : rebase_source : 0b26339d33db90722401ae1d8ac255d0390aea30

security/certverifier/OCSPRequestor.cpp

@@ -56,9 +56,22 @@ SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url,
     PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
     return nullptr;
   }
+  if (schemeLen < 0 || authorityLen < 0) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
+  }
+  nsAutoCString scheme(url + schemePos, schemeLen);
+  if (!scheme.LowerCaseEqualsLiteral("http")) {
+    // We dont support https:// to avoid loops see Bug 92923
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
+  }
+
   uint32_t hostnamePos;
   int32_t hostnameLen;
   int32_t port;
+  // We do not support urls with user@pass sections in the URL,
+  // In cas we find them we will ignore and try to connect with
   rv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
                                  nullptr, nullptr, nullptr, nullptr,
                                  &hostnamePos, &hostnameLen, &port);
@@ -66,6 +79,10 @@ SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url,
     PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
     return nullptr;
   }
+  if (hostnameLen < 0) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
+  }
   if (port == -1) {
     port = 80;
   }
@@ -80,7 +97,12 @@ SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url,
 
   ScopedHTTPServerSession serverSession(
     reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr));
-  nsAutoCString path(url + pathPos, pathLen);
+  nsAutoCString path;
+  if (pathLen > 0) {
+    path.Assign(url + pathPos, pathLen);
+  } else {
+    path.Assign("/");
+  }
   SEC_HTTP_REQUEST_SESSION requestSessionPtr;
   if (nsNSSHttpInterface::createFcn(serverSession.get(), "http",
                                     path.BeginReading(), "POST",