bug 1125503 - when canonicalizing hostnames, check string length before calling Last() r=mmc

security/manager/boot/src/PublicKeyPinningService.cpp

@@ -375,7 +375,8 @@ PublicKeyPinningService::CanonicalizeHostname(const char* hostname)
 {
   nsAutoCString canonicalizedHostname(hostname);
   ToLowerCase(canonicalizedHostname);
-  while (canonicalizedHostname.Last() == '.') {
+  while (canonicalizedHostname.Length() > 0 &&
+         canonicalizedHostname.Last() == '.') {
     canonicalizedHostname.Truncate(canonicalizedHostname.Length() - 1);
   }
   return canonicalizedHostname;

security/manager/boot/src/nsSiteSecurityService.cpp

@@ -279,12 +279,14 @@ nsSiteSecurityService::GetHost(nsIURI* aURI, nsACString& aResult)
 
   nsAutoCString host;
   nsresult rv = innerURI->GetAsciiHost(host);
-
-  if (NS_FAILED(rv) || host.IsEmpty()) {
-    return NS_ERROR_UNEXPECTED;
+  if (NS_FAILED(rv)) {
+    return rv;
   }
 
   aResult.Assign(PublicKeyPinningService::CanonicalizeHostname(host.get()));
+  if (aResult.IsEmpty()) {
+    return NS_ERROR_UNEXPECTED;
+  }
 
   return NS_OK;
 }

security/manager/ssl/tests/unit/test_sts_fqdn.js

@@ -42,4 +42,15 @@ function run_test() {
                                         "example.com.", 0));
   do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                                         "example.com..", 0));
+
+  // Somehow creating this malformed URI succeeds - we need to handle it
+  // gracefully.
+  uri = Services.io.newURI("https://../foo", null, null);
+  do_check_eq(uri.host, "..");
+  try {
+    SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0);
+    do_check_false(true); // this shouldn't run
+  } catch (e) {
+    do_check_eq(e.result, Cr.NS_ERROR_UNEXPECTED);
+  }
 }