From 50d2e2b43cae4dea1b53547e2b81a34bc2e127c9 Mon Sep 17 00:00:00 2001 From: roytam1 Date: Fri, 21 Apr 2023 10:33:34 +0800 Subject: [PATCH] import changes from tenfourfox: - #651: M1779993 + backbugs (9197c1505) - #651: M1786188 M1791029 (28b4c0882) - #651: M1761233 M1687303 M1633019 M1797336 M1799748 M1801102 (fb91afbb4) - add MDN script to problematic scripts due to screen blanking after load (2488fabc4) - #659: initial support for per-host CSS grid whitelist (c889bc5ce) - #659 sidecar: better blocking means for developer.mozilla.org (c51a503ed) - #659: tuneups and edgecases (17b23692f) --- caps/nsScriptSecurityManager.cpp | 3 ++ dom/base/nsHTMLContentSerializer.cpp | 4 +- gfx/cairo/libpixman/src/pixman-trap.c | 2 +- gfx/ots/src/vdmx.cc | 30 ++++++++++--- layout/base/nsLayoutUtils.cpp | 3 ++ layout/base/nsPresShell.cpp | 6 ++- layout/style/nsCSSParser.cpp | 38 +++++++++++++++++ modules/libjar/nsZipArchive.cpp | 10 +++++ modules/libpref/init/all.js | 7 ++- netwerk/cookie/nsCookieService.cpp | 61 +++++++++++++++++++++++++++ netwerk/cookie/nsCookieService.h | 2 + parser/expat/lib/xmlparse.c | 8 ++++ xpcom/io/nsLocalFileUnix.cpp | 20 +++++++-- 13 files changed, 176 insertions(+), 18 deletions(-) diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp index 9c17a3e39..51cf055f1 100644 --- a/caps/nsScriptSecurityManager.cpp +++ b/caps/nsScriptSecurityManager.cpp @@ -699,6 +699,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, ToLowerCase(hostname); #define BLOC(q) hostname.EqualsLiteral(q) #define BLOCU(q) url.EqualsLiteral(q) +#define BLOCS(q) (StringBeginsWith(url, NS_LITERAL_CSTRING(q))) #define BLOCE(q) (StringEndsWith(url, NS_LITERAL_CSTRING(q))) if (0 || @@ -711,10 +712,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, BLOCE("/public/scripts/tldr/index.js") ) || #endif // __ppc__ + BLOCS("https://developer.mozilla.org/static/js/main.") || 0) { #undef BLOC #undef BLOCU +#undef BLOCS #undef BLOCE #ifndef DEBUG diff --git a/dom/base/nsHTMLContentSerializer.cpp b/dom/base/nsHTMLContentSerializer.cpp index ef31e6d4a..e12d7440a 100644 --- a/dom/base/nsHTMLContentSerializer.cpp +++ b/dom/base/nsHTMLContentSerializer.cpp @@ -281,7 +281,7 @@ nsHTMLContentSerializer::AppendElementStart(Element* aElement, if (ns == kNameSpaceID_XHTML && (name == nsGkAtoms::script || name == nsGkAtoms::style || - name == nsGkAtoms::noscript || + (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) || name == nsGkAtoms::noframes)) { ++mDisableEntityEncoding; } @@ -310,7 +310,7 @@ nsHTMLContentSerializer::AppendElementEnd(Element* aElement, if (ns == kNameSpaceID_XHTML && (name == nsGkAtoms::script || name == nsGkAtoms::style || - name == nsGkAtoms::noscript || + (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) || name == nsGkAtoms::noframes)) { --mDisableEntityEncoding; } diff --git a/gfx/cairo/libpixman/src/pixman-trap.c b/gfx/cairo/libpixman/src/pixman-trap.c index 91766fdbf..7560405ee 100644 --- a/gfx/cairo/libpixman/src/pixman-trap.c +++ b/gfx/cairo/libpixman/src/pixman-trap.c @@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, if (f < Y_FRAC_FIRST (n)) { - if (pixman_fixed_to_int (i) == 0x8000) + if (pixman_fixed_to_int (i) == 0xffff8000) { f = 0; /* saturate */ } diff --git a/gfx/ots/src/vdmx.cc b/gfx/ots/src/vdmx.cc index 54055777a..17433f889 100644 --- a/gfx/ots/src/vdmx.cc +++ b/gfx/ots/src/vdmx.cc @@ -4,18 +4,23 @@ #include "vdmx.h" +#include + // VDMX - Vertical Device Metrics // http://www.microsoft.com/typography/otspec/vdmx.htm namespace ots { +#define TABLE_NAME "VDMX" + bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) { Buffer table(data, length); + ots::Font* font = this->GetFont(); if (!table.ReadU16(&this->version) || !table.ReadU16(&this->num_recs) || !table.ReadU16(&this->num_ratios)) { - return Error("Failed to read table header"); + return Drop("Failed to read table header"); } if (this->version > 1) { @@ -30,7 +35,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) { !table.ReadU8(&rec.x_ratio) || !table.ReadU8(&rec.y_start_ratio) || !table.ReadU8(&rec.y_end_ratio)) { - return Error("Failed to read RatioRange record %d", i); + return Drop("Failed to read RatioRange record %d", i); } if (rec.charset > 1) { @@ -56,17 +61,28 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) { this->offsets.reserve(this->num_ratios); const size_t current_offset = table.offset(); + std::set unique_offsets; // current_offset is less than (2 bytes * 3) + (4 bytes * USHRT_MAX) = 256k. for (unsigned i = 0; i < this->num_ratios; ++i) { uint16_t offset; if (!table.ReadU16(&offset)) { - return Error("Failed to read ratio offset %d", i); + return Drop("Failed to read ratio offset %d", i); } if (current_offset + offset >= length) { // thus doesn't overflow. - return Error("Bad ratio offset %d for ration %d", offset, i); + return Drop("Bad ratio offset %d for ration %d", offset, i); } this->offsets.push_back(offset); + unique_offsets.insert(offset); + } + + // Check that num_recs is sufficient to provide as many VDMXGroup records + // as there are unique offsets; if not, update it (we'll return an error + // below if they're not actually present). + if (unique_offsets.size() > this->num_recs) { + OTS_WARNING("increasing num_recs (%u is too small for %u unique offsets)", + this->num_recs, unique_offsets.size()); + this->num_recs = unique_offsets.size(); } this->groups.reserve(this->num_recs); @@ -75,7 +91,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) { if (!table.ReadU16(&group.recs) || !table.ReadU8(&group.startsz) || !table.ReadU8(&group.endsz)) { - return Error("Failed to read record header %d", i); + return Drop("Failed to read record header %d", i); } group.entries.reserve(group.recs); for (unsigned j = 0; j < group.recs; ++j) { @@ -83,7 +99,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) { if (!table.ReadU16(&vt.y_pel_height) || !table.ReadS16(&vt.y_max) || !table.ReadS16(&vt.y_min)) { - return Error("Failed to read reacord %d group %d", i, j); + return Drop("Failed to read record %d group %d", i, j); } if (vt.y_max < vt.y_min) { return Drop("bad y min/max"); @@ -152,4 +168,6 @@ bool OpenTypeVDMX::Serialize(OTSStream *out) { return true; } +#undef TABLE_NAME + } // namespace ots diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp index d02fb34c1..afa61fed0 100644 --- a/layout/base/nsLayoutUtils.cpp +++ b/layout/base/nsLayoutUtils.cpp @@ -174,6 +174,9 @@ static ContentMap& GetContentMap() { // When the pref "layout.css.grid.enabled" changes, this function is invoked // to let us update kDisplayKTable, to selectively disable or restore the // entries for "grid" and "inline-grid" in that table. +// +// NB: as of TenFourFox issue 659, a whitelist entry per host is also required +// to enable (but turning it off turns it off globally). static void GridEnabledPrefChangeCallback(const char* aPrefName, void* aClosure) { diff --git a/layout/base/nsPresShell.cpp b/layout/base/nsPresShell.cpp index ee68dba20..d6202872a 100644 --- a/layout/base/nsPresShell.cpp +++ b/layout/base/nsPresShell.cpp @@ -6598,7 +6598,11 @@ PresShell::RecordMouseLocation(WidgetGUIEvent* aEvent) nsIFrame* GetNearestFrameContainingPresShell(nsIPresShell* aPresShell) { - nsView* view = aPresShell->GetViewManager()->GetRootView(); + nsViewManager* vm = aPresShell->GetViewManager(); + if (!vm) { + return nullptr; + } + nsView* view = vm->GetRootView(); while (view && !view->GetFrame()) { view = view->GetParent(); } diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp index 2e77eae0d..38026e25f 100644 --- a/layout/style/nsCSSParser.cpp +++ b/layout/style/nsCSSParser.cpp @@ -1439,6 +1439,10 @@ protected: // Value to make sure our resolved variable results stay within sane limits. const uint32_t MAX_CSS_VAR_LENGTH = 10240; + // TenFourFox issue 659 + // If this host is whitelisted, turn on CSS grid and inline grid. + bool mHostCSSGridOK : 1; + public: // Used from nsCSSParser constructors and destructors CSSParserImpl* mNextFree; @@ -1587,6 +1591,32 @@ CSSParserImpl::InitScanner(nsCSSScanner& aScanner, mSheetURI = aSheetURI; mSheetPrincipal = aSheetPrincipal; mHavePushBack = false; + + // TenFourFox issue 659 + mHostCSSGridOK = false; + if (MOZ_LIKELY(mBaseURI)) { + nsCString host; + bool isChrome; + + // Never turn on grid for browser chrome. + nsresult rv = mBaseURI->SchemeIs("chrome", &isChrome); + if (NS_SUCCEEDED(rv) && !isChrome) { + // Get host and check pref. + rv = mBaseURI->GetHost(host); + if (NS_SUCCEEDED(rv) && !host.IsEmpty()) { + nsCString pref; + + pref.AssignLiteral("layout.css.grid.host."); + pref.SetCapacity(pref.Length() + host.Length()); + pref += host; + mHostCSSGridOK = Preferences::GetBool(pref.get(), false); +#if DEBUG + if (mHostCSSGridOK) + fprintf(stderr, "CSS grid enabled for %s\n", pref.get()); +#endif + } + } + } } void @@ -7586,6 +7616,14 @@ CSSParserImpl::ParseVariant(nsCSSValue& aValue, } if ((aVariantMask & VARIANT_KEYWORD) != 0) { int32_t value; + + // TenFourFox issue 659 + if (MOZ_UNLIKELY(!mHostCSSGridOK && + aKeywordTable == nsCSSProps::kDisplayKTable && + (keyword == eCSSKeyword_grid || + keyword == eCSSKeyword_inline_grid))) { + // pretend the keyword wasn't found + } else if (nsCSSProps::FindKeyword(keyword, aKeywordTable, value)) { aValue.SetIntValue(value, eCSSUnit_Enumerated); return CSSParseResult::Ok; diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp index 568d0b68e..c491614bc 100644 --- a/modules/libjar/nsZipArchive.cpp +++ b/modules/libjar/nsZipArchive.cpp @@ -826,6 +826,11 @@ MOZ_WIN_MEM_TRY_BEGIN uint32_t offset = aItem->LocalOffset(); if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) return 0; + // Check there's enough space for the signature + if (offset > mFd->mLen) { + NS_WARNING("Corrupt local offset in JAR file"); + return 0; + } // -- check signature before using the structure, in case the zip file is corrupt ZipLocal* Local = (ZipLocal*)(data + offset); @@ -838,6 +843,11 @@ MOZ_WIN_MEM_TRY_BEGIN offset += ZIPLOCAL_SIZE + xtoint(Local->filename_len) + xtoint(Local->extrafield_len); + // Check data points inside the file. + if (offset > mFd->mLen) { + NS_WARNING("Corrupt local offset in JAR file"); + return 0; + } return offset; MOZ_WIN_MEM_TRY_CATCH(return 0) diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 834b15e3a..3b697b2fe 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -2403,11 +2403,10 @@ pref("layout.css.variables.enabled", true); pref("layout.css.overflow-clip-box.enabled", false); // Is support for CSS grid enabled? -#ifdef RELEASE_BUILD -pref("layout.css.grid.enabled", false); -#else +// TenFourFox issue 659 makes this into a per-host whitelist. pref("layout.css.grid.enabled", true); -#endif +// Whitelist by default: +pref("layout.css.grid.host.developer.mozilla.org", true); // Is support for CSS "grid-template-{columns,rows}: subgrid X" enabled? pref("layout.css.grid-template-subgrid-value.enabled", false); diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp index 377d59576..df6fa7ad6 100644 --- a/netwerk/cookie/nsCookieService.cpp +++ b/netwerk/cookie/nsCookieService.cpp @@ -3224,11 +3224,13 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI, // 3 = secure and "https:" bool isHTTPS; nsresult rv = aHostURI->SchemeIs("https", &isHTTPS); +/* if (NS_SUCCEEDED(rv)) { Telemetry::Accumulate(Telemetry::COOKIE_SCHEME_SECURITY, ((cookieAttributes.isSecure)? 0x02 : 0x00) | ((isHTTPS)? 0x01 : 0x00)); } +*/ int64_t currentTimeInUsec = PR_Now(); @@ -3285,6 +3287,15 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI, return newCookie; } + if (!CheckHiddenPrefix(cookieAttributes)) { + COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the CheckHiddenPrefix tests"); + return newCookie; + } + if (!CheckPrefixes(cookieAttributes, isHTTPS)) { + COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the prefix tests"); + return newCookie; + } + // create a new nsCookie and copy attributes RefPtr cookie = nsCookie::Create(cookieAttributes.name, @@ -4108,6 +4119,56 @@ nsCookieService::CheckPath(nsCookieAttributes &aCookieAttributes, return true; } +bool +nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes, + bool aSecureRequest) +{ + if (aCookieAttributes.name.IsEmpty() || aCookieAttributes.name.Length() == 0) + return true; + + bool isSecure = StringBeginsWith(aCookieAttributes.name, NS_LITERAL_CSTRING("__Secure-")); + bool isHost = StringBeginsWith(aCookieAttributes.name, NS_LITERAL_CSTRING("__Host-")); + + if (!isSecure && !isHost) { + // not one of the magic prefixes: carry on + return true; + } + + if (!aSecureRequest || !aCookieAttributes.isSecure) { + // the magic prefixes may only be used from a secure request and + // the secure attribute must be set on the cookie + return false; + } + + if (isHost) { + // The host prefix requires that the path is "/" and that the cookie + // had no domain attribute. CheckDomain() and CheckPath() MUST be run + // first to make sure invalid attributes are rejected and to regularlize + // them. In particular all explicit domain attributes result in a host + // that starts with a dot, and if the host doesn't start with a dot it + // correctly matches the true host. + if (aCookieAttributes.host[0] == '.' || + !aCookieAttributes.path.EqualsLiteral("/")) { + return false; + } + } + + return true; +} + +bool +nsCookieService::CheckHiddenPrefix(nsCookieAttributes &aCookieAttributes) +{ + if (aCookieAttributes.name.IsEmpty() || aCookieAttributes.name.Length() == 0) + return true; + if (StringBeginsWith(aCookieAttributes.value, NS_LITERAL_CSTRING("__Host-"))) + return false; + if (StringBeginsWith(aCookieAttributes.value, NS_LITERAL_CSTRING("__Secure-"))) + return false; + + return true; +} + bool nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes, int64_t aServerTime, diff --git a/netwerk/cookie/nsCookieService.h b/netwerk/cookie/nsCookieService.h index 27469f21c..8b28f6c25 100644 --- a/netwerk/cookie/nsCookieService.h +++ b/netwerk/cookie/nsCookieService.h @@ -309,6 +309,8 @@ class nsCookieService final : public nsICookieService CookieStatus CheckPrefs(nsIURI *aHostURI, bool aIsForeign, bool aRequireHostMatch, const char *aCookieHeader); bool CheckDomain(nsCookieAttributes &aCookie, nsIURI *aHostURI, const nsCString &aBaseDomain, bool aRequireHostMatch); static bool CheckPath(nsCookieAttributes &aCookie, nsIURI *aHostURI); + bool CheckPrefixes(nsCookieAttributes &aCookie, bool aSecureRequest); + bool CheckHiddenPrefix(nsCookieAttributes &aCookie); static bool GetExpiry(nsCookieAttributes &aCookie, int64_t aServerTime, int64_t aCurrentTime); void RemoveAllFromMemory(); already_AddRefed PurgeCookies(int64_t aCurrentTimeInUsec); diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c index 0025c8c34..429b7c380 100644 --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -786,6 +786,14 @@ parserCreate(const XML_Char *encodingName, parserInit(parser, encodingName); if (encodingName && !protocolEncodingName) { + if (dtd) { + // We need to stop the upcoming call to XML_ParserFree from happily + // destroying parser->m_dtd because the DTD is shared with the parent + // parser and the only guard that keeps XML_ParserFree from destroying + // parser->m_dtd is parser->m_isParamEntity but it will be set to + // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). + parser->m_dtd = NULL; + } XML_ParserFree(parser); return NULL; } diff --git a/xpcom/io/nsLocalFileUnix.cpp b/xpcom/io/nsLocalFileUnix.cpp index f3d74c0c0..af3fcda64 100644 --- a/xpcom/io/nsLocalFileUnix.cpp +++ b/xpcom/io/nsLocalFileUnix.cpp @@ -1569,13 +1569,22 @@ nsLocalFile::IsExecutable(bool* aResult) // Search for any of the set of executable extensions. static const char* const executableExts[] = { +#ifdef MOZ_WIDGET_COCOA + "afploc", // Can point to other files. +#endif "air", // Adobe AIR installer #ifdef MOZ_WIDGET_COCOA - "inetloc", // https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/ + "atloc", // Can point to other files. "fileloc", // File location files can be used to point to other files. - "webloc", // same URL + "ftploc", // Can point to other files. + "inetloc", // https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/ + // Shouldn't be able to do the same, but can, due to + // macOS vulnerabilities. #endif "jar" // java application bundle +#ifdef MOZ_WIDGET_COCOA + ,"webloc" // same URL +#endif }; nsDependentSubstring ext = Substring(path, dotIdx + 1); for (size_t i = 0; i < ArrayLength(executableExts); i++) { @@ -1778,11 +1787,14 @@ nsLocalFile::GetNativeTarget(nsACString& aResult) return NS_ERROR_OUT_OF_MEMORY; } - if (readlink(mPath.get(), target, (size_t)size) < 0) { + ssize_t written = readlink(mPath.get(), target, (size_t)size); + if (written < 0) { free(target); return NSRESULT_FOR_ERRNO(); } - target[size] = '\0'; + // Target might have changed since the lstat call, or lstat might lie, see bug + // 1791029. + target[written] = '\0'; nsresult rv = NS_OK; nsCOMPtr self(this);