diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp index 96898539b..134039885 100644 --- a/caps/nsScriptSecurityManager.cpp +++ b/caps/nsScriptSecurityManager.cpp @@ -755,6 +755,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, BLOK("sb.scorecardresearch.com") || BLOK("ad.doubleclick.net") || + BLOK("cm.g.doubleclick.net") || BLOK("static.doubleclick.net") || BLOK("stats.g.doubleclick.net") || BLOK("pubads.g.doubleclick.net") || @@ -809,6 +810,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, BLOK("cdn-gl.imrworldwide.com") || BLOK("secure-us.imrworldwide.com") || BLOK("secure-dcr.imrworldwide.com") || + BLOK("secure-drm.imrworldwide.com") || BLOK("labs-cdn.revcontent.com") || BLOK("trends.revcontent.com") || @@ -1139,6 +1141,9 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, BLOK("nervoussummer.com") || BLOK("usasync01.admantx.com") || + + BLOK("synchrobox.adswizz.com") || + BLOK("delivery-cdn-cf.adswizz.com") || 0) { #undef BLOK // Yup. diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp index c07c1b2fd..134952cec 100644 --- a/dom/base/Element.cpp +++ b/dom/base/Element.cpp @@ -1168,6 +1168,17 @@ Element::GetDestinationInsertionPoints() void Element::GetAttribute(const nsAString& aName, DOMString& aReturn) { + // Complete the illusion of TenFourFox issue 517 by preventing Rocket Loader + // from seeing the data-cf-nonce attribute. This doesn't seem to be used + // anywhere else in the Cloudflare stack. + if (!IsXULElement() && MOZ_UNLIKELY(aName.LowerCaseEqualsASCII("data-cf-nonce"))) { +#if DEBUG + fprintf(stderr, "TenFourFox: blocked access to proscribed property data-cf-nonce.\n"); +#endif + aReturn.SetNull(); + return; + } + const nsAttrValue* val = mAttrsAndChildren.GetAttr(aName, IsHTMLElement() && IsInHTMLDocument() ? diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp index 3a9afc301..6f839e63c 100644 --- a/dom/base/nsContentUtils.cpp +++ b/dom/base/nsContentUtils.cpp @@ -7108,9 +7108,6 @@ nsContentUtils::IsForbiddenSystemRequestHeader(const nsACString& aHeader) }; for (uint32_t i = 0; i < ArrayLength(kInvalidHeaders); ++i) { if (aHeader.LowerCaseEqualsASCII(kInvalidHeaders[i])) { -#if DEBUG - fprintf(stderr, "offending header was %s\n", kInvalidHeaders[i]); -#endif return true; } } @@ -7219,6 +7216,22 @@ nsContentUtils::IsJavascriptMIMEType(const nsAString& aMIMEType) } } + // Workaround for Rocket Script; current versions do not load properly. + // This version just relaxes the limits on the MIME type so that the + // browser loads the scripts for us and RocketScript is not involved. + // Old-school Rocket Script that used text/rocketscript is OK; we don't + // interfere with that. + // (TenFourFox issue 517.) + if (StringEndsWith(aMIMEType, NS_LITERAL_STRING("-text/javascript"), + nsCaseInsensitiveStringComparator())) { + // Don't use Find(). We really care just if it's at the end. + // If we need to look elsewhere, use FindInReadable(). +#if DEBUG + fprintf(stderr, "TenFourFox: Rocket Script detected\n"); +#endif + return true; + } + return false; } diff --git a/dom/events/EventStateManager.cpp b/dom/events/EventStateManager.cpp index 846601b06..5101ed223 100644 --- a/dom/events/EventStateManager.cpp +++ b/dom/events/EventStateManager.cpp @@ -522,11 +522,14 @@ EventStateManager::PreHandleEvent(nsPresContext* aPresContext, return NS_ERROR_NULL_POINTER; } +#if(0) +// This is obnoxious, and seems to no longer be relevant. NS_WARN_IF_FALSE(!aTargetFrame || !aTargetFrame->GetContent() || aTargetFrame->GetContent() == aTargetContent || aTargetFrame->GetContent()->GetFlattenedTreeParent() == aTargetContent, "aTargetFrame should be related with aTargetContent"); +#endif mCurrentTarget = aTargetFrame; mCurrentTargetContent = nullptr; diff --git a/media/libvpx/vp8/common/postproc.c b/media/libvpx/vp8/common/postproc.c index a4e6ae170..3b05bc63e 100644 --- a/media/libvpx/vp8/common/postproc.c +++ b/media/libvpx/vp8/common/postproc.c @@ -330,7 +330,7 @@ void vp8_deblock(VP8_COMMON *cm, double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065; int ppl = (int)(level + .5); - const MODE_INFO *mode_info_context = cm->show_frame_mi; + const MODE_INFO *mode_info_context = cm->mi; int mbr, mbc; /* The pixel thresholds are adjusted according to if or not the macroblock diff --git a/netwerk/base/nsURLHelperOSX.cpp b/netwerk/base/nsURLHelperOSX.cpp index bcc0b257f..4ebef4a3c 100644 --- a/netwerk/base/nsURLHelperOSX.cpp +++ b/netwerk/base/nsURLHelperOSX.cpp @@ -206,6 +206,17 @@ net_GetFileFromURLSpec(const nsACString &aURL, nsIFile **result) if (bHFSPath) convertHFSPathtoPOSIX(path, path); + // TenFourFox issue 512 (our own fix for M1412081). Just disallow anything + // where path starts with /net/ since it looks like ../ paths have already + // been parsed. Not needed for Tiger, but doesn't hurt. + nsAutoCString lcPath; + lcPath.Append(path); + ToLowerCase(lcPath); + if (StringBeginsWith(lcPath, NS_LITERAL_CSTRING("/net/"))) { + fprintf(stderr, "Warning: TenFourFox blocking file:// access to potentially dangerous path %s.\n", path.get()); + return NS_ERROR_FILE_INVALID_PATH; + } + // assuming path is encoded in the native charset rv = localFile->InitWithNativePath(path); if (NS_FAILED(rv)) diff --git a/netwerk/protocol/http/nsHttpHandler.cpp b/netwerk/protocol/http/nsHttpHandler.cpp index b8582e07e..d300a65c0 100644 --- a/netwerk/protocol/http/nsHttpHandler.cpp +++ b/netwerk/protocol/http/nsHttpHandler.cpp @@ -428,10 +428,11 @@ nsHttpHandler::AddStandardRequestHeaders(nsHttpHeaderArray *request, nsresult rv; // Add the "User-Agent" header (unless we have blacklisted this site and - // we aren't using a custom user agent; see TenFourFox issue 422). + // we aren't using a custom user agent; see TenFourFox issues 422 and 518). if (mUserAgentOverride || ( !hostLine.EqualsLiteral("i.imgur.com") && !hostLine.EqualsLiteral("imgur.com") && + !hostLine.EqualsLiteral("github.com") && 1)) { rv = request->SetHeader(nsHttp::User_Agent, UserAgent(), false, nsHttpHeaderArray::eVarietyDefault); diff --git a/netwerk/protocol/websocket/WebSocketChannel.cpp b/netwerk/protocol/websocket/WebSocketChannel.cpp index 52b02c634..1243aaf0b 100644 --- a/netwerk/protocol/websocket/WebSocketChannel.cpp +++ b/netwerk/protocol/websocket/WebSocketChannel.cpp @@ -1173,6 +1173,7 @@ WebSocketChannel::WebSocketChannel() : mDynamicOutput(nullptr), mPrivateBrowsing(false), mConnectionLogService(nullptr), + mMutex("WebSocketChannel::mMutex"), mCountRecv(0), mCountSent(0), mAppId(NECKO_NO_APP_ID), @@ -2158,7 +2159,7 @@ WebSocketChannel::PrimeNewOutgoingMessage() if (NS_FAILED(rv)) { LOG(("WebSocketChannel::PrimeNewOutgoingMessage(): " "GenerateRandomBytes failure %x\n", rv)); - StopSession(rv); + AbortSession(rv); return; } mask = * reinterpret_cast(buffer); @@ -2308,10 +2309,26 @@ WebSocketChannel::StopSession(nsresult reason) { LOG(("WebSocketChannel::StopSession() %p [%x]\n", this, reason)); + { + MutexAutoLock lock(mMutex); + if (mStopped) { + return; + } + mStopped = 1; + } + + DoStopSession(reason); +} + +void +WebSocketChannel::DoStopSession(nsresult reason) +{ + LOG(("WebSocketChannel::DoStopSession() %p [%x]\n", this, reason)); + // normally this should be called on socket thread, but it is ok to call it // from OnStartRequest before the socket thread machine has gotten underway - mStopped = 1; + MOZ_ASSERT(mStopped); if (!mOpenedHttpChannel) { // The HTTP channel information will never be used in this case @@ -2378,7 +2395,7 @@ WebSocketChannel::StopSession(nsresult reason) // is set when the server close arrives without waiting for the timeout to // expire. - LOG(("WebSocketChannel::StopSession: Wait for Server TCP close")); + LOG(("WebSocketChannel::DoStopSession: Wait for Server TCP close")); nsresult rv; mLingeringCloseTimer = do_CreateInstance("@mozilla.org/timer;1", &rv); @@ -2414,6 +2431,8 @@ WebSocketChannel::AbortSession(nsresult reason) LOG(("WebSocketChannel::AbortSession() %p [reason %x] stopped = %d\n", this, reason, !!mStopped)); + MOZ_ASSERT(NS_FAILED(reason), "reason must be a failure!"); + // normally this should be called on socket thread, but it is ok to call it // from the main thread before StartWebsocketData() has completed @@ -2428,20 +2447,26 @@ WebSocketChannel::AbortSession(nsresult reason) return; } - if (mStopped) - return; - mStopped = 1; + { + MutexAutoLock lock(mMutex); + if (mStopped) { + return; + } - if (mTransport && reason != NS_BASE_STREAM_CLOSED && !mRequestedClose && - !mClientClosed && !mServerClosed && mConnecting == NOT_CONNECTING) { - mRequestedClose = 1; - mStopOnClose = reason; - mSocketThread->Dispatch( - new OutboundEnqueuer(this, new OutboundMessage(kMsgTypeFin, nullptr)), - nsIEventTarget::DISPATCH_NORMAL); - } else { - StopSession(reason); + if (mTransport && reason != NS_BASE_STREAM_CLOSED && !mRequestedClose && + !mClientClosed && !mServerClosed && mDataStarted) { + mRequestedClose = 1; + mStopOnClose = reason; + mSocketThread->Dispatch( + new OutboundEnqueuer(this, new OutboundMessage(kMsgTypeFin, nullptr)), + nsIEventTarget::DISPATCH_NORMAL); + return; + } + + mStopped = 1; } + + DoStopSession(reason); } // ReleaseSession is called on orderly shutdown @@ -2452,8 +2477,6 @@ WebSocketChannel::ReleaseSession() this, !!mStopped)); MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread, "not socket thread"); - if (mStopped) - return; StopSession(NS_OK); } @@ -2802,9 +2825,19 @@ WebSocketChannel::StartWebsocketData() NS_DISPATCH_NORMAL); } - LOG(("WebSocketChannel::StartWebsocketData() %p", this)); - MOZ_ASSERT(!mDataStarted, "StartWebsocketData twice"); - mDataStarted = 1; + { + MutexAutoLock lock(mMutex); + LOG(("WebSocketChannel::StartWebsocketData() %p", this)); + MOZ_ASSERT(!mDataStarted, "StartWebsocketData twice"); + + if (mStopped) { + LOG(("WebSocketChannel::StartWebsocketData channel already closed, not " + "starting data")); + return NS_ERROR_NOT_AVAILABLE; + } + + mDataStarted = 1; + } LOG(("WebSocketChannel::StartWebsocketData Notifying Listener %p\n", mListenerMT ? mListenerMT->mListener.get() : nullptr)); @@ -3416,35 +3449,46 @@ WebSocketChannel::Close(uint16_t code, const nsACString & reason) // save the networkstats (bug 855949) SaveNetworkStats(true); - if (mRequestedClose) { - return NS_OK; - } + { + MutexAutoLock lock(mMutex); - // The API requires the UTF-8 string to be 123 or less bytes - if (reason.Length() > 123) - return NS_ERROR_ILLEGAL_VALUE; - - mRequestedClose = 1; - mScriptCloseReason = reason; - mScriptCloseCode = code; - - if (!mTransport || mConnecting != NOT_CONNECTING) { - nsresult rv; - if (code == CLOSE_GOING_AWAY) { - // Not an error: for example, tab has closed or navigated away - LOG(("WebSocketChannel::Close() GOING_AWAY without transport.")); - rv = NS_OK; - } else { - LOG(("WebSocketChannel::Close() without transport - error.")); - rv = NS_ERROR_NOT_CONNECTED; + if (mRequestedClose) { + return NS_OK; } - StopSession(rv); - return rv; + + if (mStopped) { + return NS_ERROR_NOT_AVAILABLE; + } + + // The API requires the UTF-8 string to be 123 or less bytes + if (reason.Length() > 123) + return NS_ERROR_ILLEGAL_VALUE; + + mRequestedClose = 1; + mScriptCloseReason = reason; + mScriptCloseCode = code; + + if (mDataStarted) { + return mSocketThread->Dispatch( + new OutboundEnqueuer(this, new OutboundMessage(kMsgTypeFin, nullptr)), + nsIEventTarget::DISPATCH_NORMAL); + } + + mStopped = 1; } - return mSocketThread->Dispatch( - new OutboundEnqueuer(this, new OutboundMessage(kMsgTypeFin, nullptr)), - nsIEventTarget::DISPATCH_NORMAL); + nsresult rv; + if (code == CLOSE_GOING_AWAY) { + // Not an error: for example, tab has closed or navigated away + LOG(("WebSocketChannel::Close() GOING_AWAY without transport.")); + rv = NS_OK; + } else { + LOG(("WebSocketChannel::Close() without transport - error.")); + rv = NS_ERROR_NOT_CONNECTED; + } + + DoStopSession(rv); + return rv; } NS_IMETHODIMP @@ -3773,13 +3817,11 @@ WebSocketChannel::OnInputStreamReady(nsIAsyncInputStream *aStream) } if (NS_FAILED(rv)) { - mTCPClosed = true; AbortSession(rv); return rv; } if (count == 0) { - mTCPClosed = true; AbortSession(NS_BASE_STREAM_CLOSED); return NS_OK; } diff --git a/netwerk/protocol/websocket/WebSocketChannel.h b/netwerk/protocol/websocket/WebSocketChannel.h index de9fed706..c3484ed61 100644 --- a/netwerk/protocol/websocket/WebSocketChannel.h +++ b/netwerk/protocol/websocket/WebSocketChannel.h @@ -160,6 +160,7 @@ private: void ReportConnectionTelemetry(); void StopSession(nsresult reason); + void DoStopSession(nsresult reason); void AbortSession(nsresult reason); void ReleaseSession(); void CleanupConnection(); @@ -295,6 +296,8 @@ private: nsCOMPtr mConnectionLogService; + mozilla::Mutex mMutex; + // These members are used for network per-app metering (bug 855949) // Currently, they are only available on gonk. Atomic mCountRecv;