Closed
Bug 278772
Opened 20 years ago
Closed 19 years ago
Various Firefox code incorrectly constructs URIs
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
FIXED
Firefox1.5
People
(Reporter: bzbarsky, Assigned: Gavin)
References
()
Details
(Whiteboard: [sg:fix])
Attachments
(1 file, 1 obsolete file)
14.08 KB,
patch
|
mconnor
:
review+
darin.moz
:
superreview+
|
Details | Diff | Splinter Review |
Unless you're implementing a protocol, creating an nsIURI object by instantiating an nsStandardURL and setting the spec is almost certainly the wrong thing to do. This will lead to bugs for various URIs, ranging from data: and javascript: to jar: (and we don't really want to break signed jars any more than we have to, please). Especially troubling, to me, are the cases where the incorrectly-created URI object is then used in security checks. This could cause real issues in both directions (checks failing when they should succeed, and the other way around). The URL in the url field shows a number of hits for the contractid in browser/base/content/browser.js, browser/base/content/contentAreaUtils.js, browser/base/content/metaData.js, etc; some spot-testing shows that every single one I checked on should be using newURI or newFileURI on the nsIIOService instead.
Reporter | ||
Comment 1•20 years ago
|
||
Bug 278773 is the equivalent toolkit bug.
Reporter | ||
Comment 2•20 years ago
|
||
Requesting blocking status, since these incorrectly constructed objects are used for security checks...
Flags: blocking-aviary1.1?
Updated•19 years ago
|
Whiteboard: [sg:fix]
Assignee | ||
Comment 3•19 years ago
|
||
Changes most of the bad calls. I'm not sure when these calls could fail.
Reporter | ||
Comment 4•19 years ago
|
||
newURI can fail any time (OOM, if nothing else, but also some particularly bogus http URIs will cause it to throw, iirc). Of course those caused the SetSpec calls that used to be here to throw too.
Comment 5•19 years ago
|
||
The problem wasn't that setting the spec on a standard URL would fail, it was that not all URLs are correctly handled by nsStandardURL. One old problem, for example, was cleverly-formatted javascript: urls interpreted as having a "host" and using that to slip past same-origin checks. The IOService will make sure we use the correct nsIURI implementation for each protocol.
Comment 6•19 years ago
|
||
Comment on attachment 175259 [details] [diff] [review] Patch browser/base/content/browser.js @@ -2711,19 +2714,21 @@ function BrowserToolboxCustomizeDone(aTo var url = getWebNavigation().currentURI.spec; if (gURLBar) { gURLBar.value = url; - var uri = Components.classes["@mozilla.org/network/standard-url;1"] - .createInstance(Components.interfaces.nsIURI); - uri.spec = url; + + var uri = Components.classes["@mozilla.org/network/io-service;1"] + .getService(Components.interfaces.nsIIOService) + .newURI(url, null, null); errr... why not just reuse getWebNavigation().currentURI here? use .clone() if needed. this construction of URIs without an origin charset isn't so great... it seems that in most cases you have one (document.characterSet, with the right document) + .newURI(this.imageURL, null, null); this could get an nsIURI from the nsIImageLoadingContent instead...
Assignee | ||
Updated•19 years ago
|
Assignee: firefox → gavin.sharp
Assignee | ||
Comment 7•19 years ago
|
||
(In reply to comment #6) > @@ -2711,19 +2714,21 @@ function BrowserToolboxCustomizeDone(aTo > errr... why not just reuse getWebNavigation().currentURI here? use .clone() if > needed. Turns out that one can be removed, see bug 283522. > this construction of URIs without an origin charset isn't so great... it seems > that in most cases you have one (document.characterSet, with the right > document) > + .newURI(this.imageURL, null, null); > > this could get an nsIURI from the nsIImageLoadingContent instead... Ok, new patch coming up.
Status: NEW → ASSIGNED
Target Milestone: --- → Firefox1.1
Assignee | ||
Comment 8•19 years ago
|
||
Assignee | ||
Updated•19 years ago
|
Attachment #175259 -
Attachment is obsolete: true
Assignee | ||
Updated•19 years ago
|
Attachment #175496 -
Flags: review?(mconnor)
Assignee | ||
Updated•19 years ago
|
Whiteboard: [sg:fix] → [patch-r?] [sg:fix]
Updated•19 years ago
|
Attachment #175496 -
Flags: review?(mconnor) → review+
Comment 9•19 years ago
|
||
Comment on attachment 175496 [details] [diff] [review] Patch v2 sr=darin FWIW
Attachment #175496 -
Flags: superreview+
Assignee | ||
Updated•19 years ago
|
Whiteboard: [patch-r?] [sg:fix] → [patch-r+] [checkin needed] [sg:fix]
Comment 10•19 years ago
|
||
Checking in base/content/browser.js; /cvsroot/mozilla/browser/base/content/browser.js,v <-- browser.js new revision: 1.393; previous revision: 1.392 done Checking in base/content/contentAreaUtils.js; /cvsroot/mozilla/browser/base/content/contentAreaUtils.js,v <-- contentAreaUtils.js new revision: 1.63; previous revision: 1.62 done Checking in base/content/pageReport.js; /cvsroot/mozilla/browser/base/content/pageReport.js,v <-- pageReport.js new revision: 1.13; previous revision: 1.12 done Checking in base/content/search.xml; /cvsroot/mozilla/browser/base/content/search.xml,v <-- search.xml new revision: 1.23; previous revision: 1.22 done Checking in components/history/content/history.js; /cvsroot/mozilla/browser/components/history/content/history.js,v <-- history.js new revision: 1.45; previous revision: 1.44 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking-aviary1.1?
Resolution: --- → FIXED
Whiteboard: [patch-r+] [checkin needed] [sg:fix] → [sg:fix]
Updated•19 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•