Closed Bug 348360 Opened 18 years ago Closed 18 years ago

jar:file: urls should not trigger a lookup

Categories

(Toolkit :: Safe Browsing, defect)

Product:
Toolkit
Component:
Safe Browsing
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tony, Assigned: tony)

Details

(Keywords: fixed1.8.1)

Attachments

(3 files, 3 obsolete files)

v1: check inner uri
1.85 KB, patch
bryner
: review+
beltzner
: approval1.8.1+
Details | Diff | Splinter Review
use nsIJARURI instead of GetPath
1.98 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
dbaron
: approval1.8.1+
Details | Diff | Splinter Review
v4: any nested URI
1.69 KB, patch
Details | Diff | Splinter Review 
In bug 341946, we turned on url checks for all jar: urls.  Most jar: urls are actually jar:file: urls when viewing a xul document.  These shouldn't result in a lookup.
It would be nice to use nsINestedURI, but that's not on branch, so just do it manually.
Attachment #233257 - Flags: review?(bryner)
Flags: blocking-firefox2?
Attachment #233257 - Flags: review?(bryner) → review+
on trunk
Not going to block, but will take a patch that's well-baked.
Flags: blocking-firefox2? → blocking-firefox2-
Attachment #233257 - Flags: approval1.8.1?
Comment on attachment 233257 [details] [diff] [review]
v1: check inner uri

a=drivers for the mozilla181 branch
Attachment #233257 - Flags: approval1.8.1? → approval1.8.1+
on branch
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 233257 [details] [diff] [review]
v1: check inner uri

Er... this patch is wrong.  You can't use nsINestedURI on the branch, but you _CAN_ use nsIJARURI.  And should.

For example, the code as currently written will break on something simple like:

jar:jar:http://...

Please see http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/caps/src/nsScriptSecurityManager.cpp&rev=1.266.2.14&mark=263-268#262 for the right way to do this.

Also, I would like to see a followup bug for doing this using nsINestedURI on trunk.
(In reply to comment #6)
> (From update of attachment 233257 [details] [diff] [review] [edit])
> Er... this patch is wrong.  You can't use nsINestedURI on the branch, but you
> _CAN_ use nsIJARURI.  And should.

Ah, didn't know about that.  Will post a fixed patch today.

> For example, the code as currently written will break on something simple like:
> 
> jar:jar:http://...

This should work with the current patch since it recurses (I tested this case as well).

> Also, I would like to see a followup bug for doing this using nsINestedURI on
> trunk.

Ok, will do this also.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

        Attachment #233908 -
        Flags: superreview?(bryner)

        Attachment #233908 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 233908 [details] [diff] [review]
use nsIJARURI instead of GetPath

Looks good.  Thanks!

        Attachment #233908 -
        Flags: superreview?(bryner)

        Attachment #233908 -
        Flags: superreview+

        Attachment #233908 -
        Flags: review?(bzbarsky)

        Attachment #233908 -
        Flags: review+

    
  

        Attachment #233908 -
        Flags: approval1.8.1?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        use nsINestedURI (for trunk) (obsolete)
        — Splinter Review
      

    


  

        Attachment #233920 -
        Flags: superreview?(bzbarsky)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2: use nsINestedURI (for trunk) (obsolete)
        — Splinter Review
      

    


  
Oops, failed to remove the old return in the last patch.

        Attachment #233920 -
        Attachment is obsolete: true

        Attachment #233922 -
        Flags: superreview?(bzbarsky)

        Attachment #233920 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 233922 [details] [diff] [review]
v2: use nsINestedURI (for trunk)

You don't want the check for "jar" here, do you?

        Attachment #233922 -
        Flags: superreview?(bzbarsky) → superreview-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v3: any nested URI (obsolete)
        — Splinter Review
      

    


  
Check any URI with a nested URI (except those that already pass our filter, like about: URIs).

        Attachment #233922 -
        Attachment is obsolete: true

        Attachment #233944 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 233944 [details] [diff] [review]
v3: any nested URI

>+    nsCOMPtr<nsINestedURI> nestedURI;

Put the do_QI there.

>+    if (nestedURI = do_QueryInterface(aURI)) {

Because this will warn...

sr=bzbarsky with that.

        Attachment #233944 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  


  

        Attachment #233944 -
        Attachment is obsolete: true

    
    

    
  
v4 on trunk

    
    

    
  
Comment on attachment 233908 [details] [diff] [review]
use nsIJARURI instead of GetPath

a=dbaron on behalf of drivers.  Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.

        Attachment #233908 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
patch "use nsIJARURI instead of GetPath" on branch.
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Product: Firefox → Toolkit

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: