Bug 1135354 - Crash/Hang when clicking URL with a huge length r=mcmanus

modules/libpref/init/all.js

@@ -1594,6 +1594,9 @@ pref("network.standard-url.escape-utf8", true);
 // UTF-8.
 pref("network.standard-url.encode-utf8", true);
 
+// The maximum allowed length for a URL - 1MB default
+pref("network.standard-url.max-length", 1048576);
+
 // Idle timeout for ftp control connections - 5 minute default
 pref("network.ftp.idleConnectionTimeout", 300);
 

netwerk/base/nsStandardURL.cpp

@@ -788,6 +788,10 @@ nsStandardURL::ParseURL(const char *spec, int32_t specLen)
 {
     nsresult rv;
 
+    if (specLen > net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     //
     // parse given URL string
     //
@@ -832,6 +836,10 @@ nsStandardURL::ParsePath(const char *spec, uint32_t pathPos, int32_t pathLen)
 {
     LOG(("ParsePath: %s pathpos %d len %d\n",spec,pathPos,pathLen));
 
+    if (pathLen > net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     nsresult rv = mParser->ParsePath(spec + pathPos, pathLen,
                                      &mFilepath.mPos, &mFilepath.mLen,
                                      &mQuery.mPos, &mQuery.mLen,
@@ -1153,6 +1161,10 @@ nsStandardURL::SetSpec(const nsACString &input)
     if (!spec || !*spec)
         return NS_ERROR_MALFORMED_URI;
 
+    if (input.Length() > (uint32_t) net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     // Make a backup of the curent URL
     nsStandardURL prevURL(false,false);
     prevURL.CopyMembers(this, eHonorRef);
@@ -2725,6 +2737,10 @@ nsStandardURL::Init(uint32_t urlType,
 {
     ENSURE_MUTABLE();
 
+    if (spec.Length() > (uint32_t) net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     InvalidateCache();
 
     switch (urlType) {

netwerk/base/nsURLHelper.cpp

@@ -24,6 +24,7 @@ static bool gInitialized = false;
 static nsIURLParser *gNoAuthURLParser = nullptr;
 static nsIURLParser *gAuthURLParser = nullptr;
 static nsIURLParser *gStdURLParser = nullptr;
+static int32_t gMaxLength = 1048576; // Default: 1MB
 
 static void
 InitGlobals()
@@ -52,6 +53,8 @@ InitGlobals()
     }
 
     gInitialized = true;
+    Preferences::AddIntVarCache(&gMaxLength,
+                                "network.standard-url.max-length", 1048576);
 }
 
 void
@@ -65,6 +68,11 @@ net_ShutdownURLHelper()
     }
 }
 
+int32_t net_GetURLMaxLength()
+{
+    return gMaxLength;
+}
+
 //----------------------------------------------------------------------------
 // nsIURLParser getters
 //----------------------------------------------------------------------------
@@ -148,6 +156,10 @@ net_ParseFileURL(const nsACString &inURL,
 {
     nsresult rv;
 
+    if (inURL.Length() > (uint32_t) gMaxLength) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     outDirectory.Truncate();
     outFileBaseName.Truncate();
     outFileExtension.Truncate();

netwerk/base/nsURLHelper.h

@@ -227,4 +227,11 @@ bool net_IsValidIPv4Addr(const char *addr, int32_t addrLen);
  */
 bool net_IsValidIPv6Addr(const char *addr, int32_t addrLen);
 
+
+/**
+ * Returns the max length of a URL. The default is 2083.
+ * Can be changed by pref "network.standard-url.max-length"
+ */
+int32_t net_GetURLMaxLength();
+
 #endif // !nsURLHelper_h__

netwerk/base/nsURLHelperWin.cpp

@@ -51,6 +51,10 @@ net_GetFileFromURLSpec(const nsACString &aURL, nsIFile **result)
 {
     nsresult rv;
 
+    if (aURL.Length() > (uint32_t) net_GetURLMaxLength()) {
+        return NS_ERROR_MALFORMED_URI;
+    }
+
     nsCOMPtr<nsIFile> localFile(
             do_CreateInstance(NS_LOCAL_FILE_CONTRACTID, &rv));
     if (NS_FAILED(rv)) {