Bug 380994 - "Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk)" [r=biesi]

2024-09-13 09:24:08 -07:00 · 2008-10-01 00:15:58 -05:00 · 2008-10-01 00:15:58 -05:00 · e519ee34e1
commit e519ee34e1
parent f6374e5a2c
2 changed files with 60 additions and 1 deletions
--- a/netwerk/protocol/res/src/nsResProtocolHandler.cpp
+++ b/netwerk/protocol/res/src/nsResProtocolHandler.cpp
@ -22,6 +22,7 @@
 * Contributor(s):
 *   Darin Fisher <darin@netscape.com>
 *   Benjamin Smedberg <bsmedberg@covad.net>
+ *   Daniel Veditz <dveditz@cruzio.com>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
@ -176,6 +177,9 @@ nsResProtocolHandler::Init()
    //XXXbsmedberg Neil wants a resource://pchrome/ for the profile chrome dir...
    // but once I finish multiple chrome registration I'm not sure that it is needed

+    // XXX dveditz: resource://pchrome/ defeats profile directory salting
+    // if web content can load it. Tread carefully.
+
    return rv;
 }

@ -229,7 +233,36 @@ nsResProtocolHandler::NewURI(const nsACString &aSpec,
        return NS_ERROR_OUT_OF_MEMORY;
    NS_ADDREF(resURL);

-    rv = resURL->Init(nsIStandardURL::URLTYPE_STANDARD, -1, aSpec, aCharset, aBaseURI);
+    // unescape any %2f and %2e to make sure nsStandardURL coalesces them.
+    // Later net_GetFileFromURLSpec() will do a full unescape and we want to
+    // treat them the same way the file system will. (bugs 380994, 394075)
+    nsCAutoString spec;
+    const char *src = aSpec.BeginReading();
+    const char *end = aSpec.EndReading();
+    const char *last = src;
+
+    spec.SetCapacity(aSpec.Length()+1);
+    for ( ; src < end; ++src) {
+        if (*src == '%' && (src < end-2) && *(src+1) == '2') {
+           char ch = '\0';
+           if (*(src+2) == 'f' || *(src+1) == 'F')
+             ch = '/';
+           else if (*(src+2) == 'e' || *(src+2) == 'E')
+             ch = '.';
+
+           if (ch) {
+             if (last < src)
+               spec.Append(last, src-last);
+             spec.Append(ch);
+             src += 2;
+             last = src+1; // src will be incremented by the loop
+           }
+        }
+    }
+    if (last < src)
+      spec.Append(last, src-last);
+
+    rv = resURL->Init(nsIStandardURL::URLTYPE_STANDARD, -1, spec, aCharset, aBaseURI);
    if (NS_SUCCEEDED(rv))
        rv = CallQueryInterface(resURL, result);
    NS_RELEASE(resURL);
--- a/netwerk/test/unit/test_bug380994.js
+++ b/netwerk/test/unit/test_bug380994.js
@ -0,0 +1,26 @@
+/* check resource: protocol for traversal problems */
+
+const Cc = Components.classes;
+const Ci = Components.interfaces;
+const Cr = Components.results;
+
+const specs = [
+  "resource:///chrome/../plugins",
+  "resource:///chrome%2f../plugins",
+  "resource:///chrome/..%2fplugins",
+  "resource:///chrome%2f%2e%2e%2fplugins",
+  "resource:///../../../..",
+  "resource:///..%2f..%2f..%2f..",
+  "resource:///%2e%2e"
+];
+
+function run_test() {
+  var ios = Cc["@mozilla.org/network/io-service;1"].
+            getService(Ci.nsIIOService);
+
+  for each (spec in specs) {
+    uri = ios.newURI(spec,null,null);
+    if (uri.spec.indexOf("..") != -1)
+      do_throw("resource: traversal remains: '"+spec+"' ==> '"+uri.spec+"'");
+  }
+}