Rollup updates for FeedConverter.js sync with Firefox as at 20161231

RESOLVED FIXED in seamonkey2.50

Status

SeaMonkey
Feed Discovery and Preview
RESOLVED FIXED
11 months ago
10 months ago

People

(Reporter: Philip Chee, Assigned: Philip Chee)

Tracking

SeaMonkey 2.50 Branch
seamonkey2.50

SeaMonkey Tracking Flags

(seamonkey2.46 wontfix, seamonkey2.47 wontfix, seamonkey2.48? fixed, seamonkey2.49esr? fixed, seamonkey2.50 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

11 months ago
Port the following bugs from Firefox:
[sg bugs]
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs
https://hg.mozilla.org/mozilla-central/rev/2974a3e83592
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD
https://hg.mozilla.org/mozilla-central/rev/f48fbe411650

[normal bugs]
Bug 1233899 - fix the feeds converter to use default user context origin attributes
https://hg.mozilla.org/mozilla-central/rev/8e052220dd9e
Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
https://hg.mozilla.org/mozilla-central/rev/5a29e8bc51ca

[minor tweaks]
Bug 1314918 - Fix most of the remaining no-unused-vars issues.
Bug 1199239, remove cpow usage from bookmark this page.
(Assignee)

Comment 1

11 months ago
Created attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

>          chromeChannel.owner = Services.scriptSecurityManager
> -                                      .getNoAppCodebasePrincipal(chromeURI);
> +                                      .createCodebasePrincipal(chromeURI,
> +                                                               loadInfo.originAttributes);
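Review bot: loadInfo.originAttributes on the last added line depends on a loadInfo that is not defined anywhere in the quoted lines. Confirm it is in scope at this point and cannot be null, otherwise the principal creation throws instead of producing a principal with default origin attributes. If this path can be reached without load info, guard it and pass an empty attributes object instead.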
Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal with createCodebasePrincipal.
Bug 1233899 - Fix the feeds converter to use default user context origin attributes

>  GenericProtocolHandler.prototype = {
>    get protocolFlags() {
> -    return this._http.protocolFlags;
> +    var httpPref = "browser.feeds.feeds_like_http"
> +    if (Services.prefs.getPrefType(httpPref) == Services.prefs.PREF_BOOL &&
> +        Services.prefs.getBoolPref(httpPref)) {
> +      return this._http.protocolFlags;
> +    }
> +
> +    return this._http.URI_DANGEROUS_TO_LOAD |
> +           this._http.ALLOWS_PROXY |
> +           this._http.ALLOWS_PROXY_HTTP;
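Review bot: the added line var httpPref = "browser.feeds.feeds_like_http" is missing its terminating semicolon. When that pref is true the getter returns the plain http flags and URI_DANGEROUS_TO_LOAD is dropped, so a short comment above the check stating that the pref is the opt-out from the stricter flags would help the next reader. The three constants are also read from this._http; reading them from Components.interfaces.nsIProtocolHandler would not depend on what _http happens to be.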
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD

> -    var netutil = Components.classes["@mozilla.org/network/util;1"]
> -                            .getService(Components.interfaces.nsINetUtil);
> -    if (netutil.URIChainHasFlags(inner,
> -        Components.interfaces.nsIProtocolHandler.URI_INHERITS_SECURITY_CONTEXT))
> +
> +    if (! /^https?/.test(inner.scheme))
>        throw Components.results.NS_ERROR_MALFORMED_URI;
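Review bot: the regular expression in the added check, /^https?/, has no end anchor, so it accepts any inner scheme that merely begins with "http", not only http and https. Use /^https?$/ or test the scheme with inner.schemeIs("http") || inner.schemeIs("https") so the check matches what the bug title asks for.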
....
> -    var uri = netutil.newSimpleNestedURI(inner);
> +    var uri = Services.io.QueryInterface(Components.interfaces.nsINetUtil)
> +                         .newSimpleNestedURI(inner);
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs

> -      var noSniff = httpChannel.getResponseHeader("X-Moz-Is-Feed");
> +      // Note: this throws if the header is not set.
> +      httpChannel.getResponseHeader("X-Moz-Is-Feed");
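Review bot: with the assignment removed, the getResponseHeader("X-Moz-Is-Feed") call on the last line exists only for the exception it raises, and the quoted lines do not show the try/catch that consumes it. Extend the comment to say which path is taken when the header is absent, so the call is not later removed as dead code.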
Bug 1314918 - Fix most of the remaining no-unused-vars issues.

>      case "bookmarks":
>        var topWindow = Services.wm.getMostRecentWindow("navigator:browser");
>        topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> -      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> +      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle)
> +                                 .catch(Components.utils.reportError);
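Review bot: as quoted, the unchanged context line topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle); sits directly above the removed line with the same text, so applying the + lines would leave two addLiveBookmark calls in the "bookmarks" case, one of them without the .catch. Check the attachment itself: only the call ending in .catch(Components.utils.reportError) should remain.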
Bug 1199239, remove cpow usage from bookmark this page.
Attachment #8824655 - Flags: review?(iann_bugzilla)
(Assignee)

Updated

11 months ago
(Assignee)

Comment 2

11 months ago
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

My build environment is broken so I can't test.
FRG: could you take this patch for a spin round the block? Thanks.
Attachment #8824655 - Flags: feedback?(frgrahl)
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

Works. I put it on top of bug 1329186. Tested with two feeds and source code changes look sane. The patch is bitrotted. Needs one change.
Attachment #8824655 - Flags: feedback?(frgrahl) → feedback+
(Assignee)

Comment 4

10 months ago
Thanks!
> The patch is bitrotted. Needs one change.
If r+ I will push an unbitrotted patch ;)

Comment 5

10 months ago
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

r/a=me for unbitrotted patch
Attachment #8824655 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 6

10 months ago
http://hg.mozilla.org/comm-central/rev/d1e921152a8fd1c4d87580a5f6e7682f96058d6f
status-seamonkey2.46: --- → verified
status-seamonkey2.47: --- → wontfix
status-seamonkey2.48: --- → affected
status-seamonkey2.49esr: --- → affected
status-seamonkey2.50: --- → fixed
tracking-seamonkey2.48: --- → ?
tracking-seamonkey2.49esr: --- → ?
Target Milestone: --- → seamonkey2.50
(Assignee)

Comment 7

10 months ago
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

[Approval Request Comment]
Regression caused by (bug #): N/A

User impact if declined: Missing security fixes Bug 1277685 and Bug 1277698 which landed on Firefox 50. The other patches landed on Firefox 50 or earlier except Bug 1314918 which is just fixing nits.

Testing completed (on m-c, etc.): comm-central and Firefox 50

Risk to taking this patch (and alternatives if risky): Low risk. Has been baked in mozilla-central since Firefox 50.

String changes made by this patch: none
Attachment #8824655 - Flags: approval-comm-beta?
Attachment #8824655 - Flags: approval-comm-aurora?

Updated

10 months ago
Attachment #8824655 - Flags: approval-comm-beta?
Attachment #8824655 - Flags: approval-comm-beta+
Attachment #8824655 - Flags: approval-comm-aurora?
Attachment #8824655 - Flags: approval-comm-aurora+
(Assignee)

Comment 8

10 months ago
Pushed to comm-aurora: (SeaMonkey 2.49)
http://hg.mozilla.org/releases/comm-beta/rev/7e4b5f38cfe14f65c92af09b71c2e4ee2082f8e2
Pushed to comm-beta: (SeaMonkey 2.48)
http://hg.mozilla.org/releases/comm-release/rev/1a420d3ee2c640a9688e75ddafd858c6551611e0
Status: ASSIGNED → UNCONFIRMED
status-seamonkey2.46: verified → wontfix
status-seamonkey2.48: affected → fixed
status-seamonkey2.49esr: affected → fixed
Ever confirmed: false

Updated

10 months ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED