Closed Bug 1329401 Opened 3 years ago Closed 3 years ago

Rollup updates for FeedConverter.js sync with Firefox as at 20161231

Categories

(SeaMonkey :: Feed Discovery and Preview, defect)

SeaMonkey 2.50 Branch

Tracking

(seamonkey2.46 wontfix, seamonkey2.47 wontfix, seamonkey2.48 fixed, seamonkey2.49esr fixed, seamonkey2.50 fixed)

RESOLVED FIXED
seamonkey2.50

People

(Reporter: philip.chee, Assigned: philip.chee)

User Story

[sg bugs]
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs
https://hg.mozilla.org/mozilla-central/rev/2974a3e83592
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD
https://hg.mozilla.org/mozilla-central/rev/f48fbe411650

[normal bugs]
Bug 1233899 - fix the feeds converter to use default user context origin attributes
https://hg.mozilla.org/mozilla-central/rev/8e052220dd9e
Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
https://hg.mozilla.org/mozilla-central/rev/5a29e8bc51ca

[minor tweaks]
Bug 1314918 - Fix most of the remaining no-unused-vars issues.
Bug 1199239, remove cpow usage from bookmark this page.

Attachments

(1 file)

Port the following bugs from Firefox:
[sg bugs]
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs
https://hg.mozilla.org/mozilla-central/rev/2974a3e83592
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD
https://hg.mozilla.org/mozilla-central/rev/f48fbe411650

[normal bugs]
Bug 1233899 - fix the feeds converter to use default user context origin attributes
https://hg.mozilla.org/mozilla-central/rev/8e052220dd9e
Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
https://hg.mozilla.org/mozilla-central/rev/5a29e8bc51ca

[minor tweaks]
Bug 1314918 - Fix most of the remaining no-unused-vars issues.
Bug 1199239, remove cpow usage from bookmark this page.
>          chromeChannel.owner = Services.scriptSecurityManager
> -                                      .getNoAppCodebasePrincipal(chromeURI);
> +                                      .createCodebasePrincipal(chromeURI,
> +                                                               loadInfo.originAttributes);
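
Review bot: `loadInfo.originAttributes` in the added lines is read without any guard, and nothing in the hunk shows that `loadInfo` is always supplied on this path. If the channel can be created without a load info object, this throws before the owner is set; either check for it and fall back to empty origin attributes, or note in a comment why it cannot be null.
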
Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal with createCodebasePrincipal.
Bug 1233899 - Fix the feeds converter to use default user context origin attributes

>  GenericProtocolHandler.prototype = {
>    get protocolFlags() {
> -    return this._http.protocolFlags;
> +    var httpPref = "browser.feeds.feeds_like_http"
> +    if (Services.prefs.getPrefType(httpPref) == Services.prefs.PREF_BOOL &&
> +        Services.prefs.getBoolPref(httpPref)) {
> +      return this._http.protocolFlags;
> +    }
> +
> +    return this._http.URI_DANGEROUS_TO_LOAD |
> +           this._http.ALLOWS_PROXY |
> +           this._http.ALLOWS_PROXY_HTTP;
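
Review bot: the `browser.feeds.feeds_like_http` branch at the top of the getter restores the full HTTP protocol flags and so switches off `URI_DANGEROUS_TO_LOAD` for feed: URIs, yet nothing here documents the pref or its default. Add a comment saying it is an opt-out that only takes effect when the pref exists as a boolean and is true, and terminate the `var httpPref = ...` line with a semicolon rather than relying on automatic insertion.
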
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD

> -    var netutil = Components.classes["@mozilla.org/network/util;1"]
> -                            .getService(Components.interfaces.nsINetUtil);
> -    if (netutil.URIChainHasFlags(inner,
> -        Components.interfaces.nsIProtocolHandler.URI_INHERITS_SECURITY_CONTEXT))
> +
> +    if (! /^https?/.test(inner.scheme))
>        throw Components.results.NS_ERROR_MALFORMED_URI;
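
Review bot: the scheme test `/^https?/` on the added `if` line is anchored only at the start, so any inner scheme that merely begins with "http" passes, not just http and https. Anchor the end as well (`/^https?$/`), or compare `inner.scheme` against the two literal strings, so the check matches the "only allow http/https" intent of Bug 1277685.
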
....
> -    var uri = netutil.newSimpleNestedURI(inner);
> +    var uri = Services.io.QueryInterface(Components.interfaces.nsINetUtil)
> +                         .newSimpleNestedURI(inner);
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs

> -      var noSniff = httpChannel.getResponseHeader("X-Moz-Is-Feed");
> +      // Note: this throws if the header is not set.
> +      httpChannel.getResponseHeader("X-Moz-Is-Feed");
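
Review bot: the bare `httpChannel.getResponseHeader("X-Moz-Is-Feed")` call is now kept only for its exception, and the new comment says that it throws without saying what that means for the caller. Extend the comment to state which outcome the throw selects (header absent), since the handling code is outside the quoted lines.
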
Bug 1314918 - Fix most of the remaining no-unused-vars issues.

>      case "bookmarks":
>        var topWindow = Services.wm.getMostRecentWindow("navigator:browser");
>        topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> -      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> +      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle)
> +                                 .catch(Components.utils.reportError);
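
Review bot: as quoted, the unchanged context line above the `-` line already calls `topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);`, so after the replacement the `bookmarks` case would call it twice, once without the `.catch`. Check whether that context line is really in the file or is a quoting slip; only the call with `.catch(Components.utils.reportError)` should remain.
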
Bug 1199239, remove cpow usage from bookmark this page.
Attachment #8824655 - Flags: review?(iann_bugzilla)
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

My build environment is broken so I can't test.
FRG: could you take this patch for a spin round the block? Thanks.
Attachment #8824655 - Flags: feedback?(frgrahl)
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

Works. I put it on top of bug 1329186. Tested with two feeds and source code changes look sane. The patch is bitrotted. Needs one change.
Attachment #8824655 - Flags: feedback?(frgrahl) → feedback+
Thanks!
> The patch is bitrotted. Needs one change.
If r+ I will push an unbitrotted patch ;)
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

r/a=me for unbitrotted patch
Attachment #8824655 - Flags: review?(iann_bugzilla) → review+
Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

[Approval Request Comment]
Regression caused by (bug #): N/A

User impact if declined: Missing security fixes Bug 1277685 and Bug 1277698 which landed on Firefox 50. The other patches landed on Firefox 50 or earlier except Bug 1314918 which is just fixing nits.

Testing completed (on m-c, etc.): comm-central and Firefox 50

Risk to taking this patch (and alternatives if risky): Low risk. Has been baked in mozilla-central since Firefox 50.

String changes made by this patch: none
Attachment #8824655 - Flags: approval-comm-beta?
Attachment #8824655 - Flags: approval-comm-aurora?
Attachment #8824655 - Flags: approval-comm-beta?
Attachment #8824655 - Flags: approval-comm-beta+
Attachment #8824655 - Flags: approval-comm-aurora?
Attachment #8824655 - Flags: approval-comm-aurora+
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED