diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0816.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0816.patch | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0816.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch deleted file mode 100644 index 5632e37eb3..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0816.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001 -From: Boris Zbarsky <bzbarsky@mit.edu> -Date: Thu, 19 Mar 2015 18:58:44 -0400 -Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a - URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that - doesn't have the same scheme. r=bholley, a=abillings - ---- - caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++----------- - 1 file changed, 27 insertions(+), 11 deletions(-) - -diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp -index 3587358..6577b95 100644 ---- a/caps/src/nsScriptSecurityManager.cpp -+++ b/caps/src/nsScriptSecurityManager.cpp -@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - NS_ENSURE_SUCCESS(rv, rv); - if (hasFlags) { - if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) { -+ -+ // For now, don't change behavior for resource:// or moz-icon:// and -+ // just allow them. - if (!targetScheme.EqualsLiteral("chrome")) { -- // for now don't change behavior for resource: or moz-icon: - return NS_OK; - } - -- // allow load only if chrome package is whitelisted -+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE -+ // target if ALLOW_CHROME is set. -+ // -+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell -+ // loads (since docshell loads run the loaded content with its origin -+ // principal). So we're effectively allowing resource://, chrome://, -+ // and moz-icon:// source URIs to load resource://, chrome://, and -+ // moz-icon:// files, so long as they're not loading it as a document. -+ bool sourceIsUIResource; -+ rv = NS_URIChainHasFlags(sourceBaseURI, -+ nsIProtocolHandler::URI_IS_UI_RESOURCE, -+ &sourceIsUIResource); -+ NS_ENSURE_SUCCESS(rv, rv); -+ if (sourceIsUIResource) { -+ return NS_OK; -+ } -+ -+ // Allow the load only if the chrome package is whitelisted. - nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService( - NS_CHROMEREGISTRY_CONTRACTID)); - if (reg) { -@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - } - } - -- // resource: and chrome: are equivalent, securitywise -- // That's bogus!! Fix this. But watch out for -- // the view-source stylesheet? -- bool sourceIsChrome; -- rv = NS_URIChainHasFlags(sourceBaseURI, -- nsIProtocolHandler::URI_IS_UI_RESOURCE, -- &sourceIsChrome); -- NS_ENSURE_SUCCESS(rv, rv); -- if (sourceIsChrome) { -+ // Special-case the hidden window: it's allowed to load -+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this. -+ nsAutoCString sourceSpec; -+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) && -+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) { - return NS_OK; - } -+ - if (reportErrors) { - ReportError(nullptr, errorTag, sourceURI, aTargetURI); - } --- -2.2.1 - |