Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-25 11:15:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 784315 - fix CSP parser to handle single-token hosts via regex correctly. r=geekboy

Browse Source
This commit is contained in:
Marshall Moutenot 2012-08-27 08:51:02 -07:00
parent cee90e8d4f
commit eb3d6bdd0a
2 changed files with 74 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
content/base/src/CSPUtils.jsm
View File

@ -45,7 +45,7 @@ const R_HOSTCHAR = new RegExp ("[a-zA-Z0-9\\-]", 'i');
// host = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
const R_HOST = new RegExp ("\\*|(((\\*\\.)?" + R_HOSTCHAR.source +
"+)(\\." + R_HOSTCHAR.source +"+)+)",'i');
"+)(\\." + R_HOSTCHAR.source +"+)*)",'i');
// port = ":" ( 1*DIGIT / "*" )
const R_PORT = new RegExp ("(\\:([0-9]+|\\*))", 'i');
@ -996,19 +996,26 @@ CSPSource.fromString = function(aStr, self, enforceSelfChecks) {
}
// check for host-source or ext-host-source match
if (R_HOSTSRC.test(aStr) || R_EXTHOSTSRC.test(aStr)){
if (R_HOSTSRC.test(aStr) || R_EXTHOSTSRC.test(aStr)) {
var schemeMatch = R_GETSCHEME.exec(aStr);
if (!schemeMatch)
// check that the scheme isn't accidentally matching the host. There should
// be '://' if there is a valid scheme in an (EXT)HOSTSRC
if (!schemeMatch || aStr.indexOf("://") == -1) {
sObj._scheme = self.scheme;
else {
schemeMatch = null;
} else {
sObj._scheme = schemeMatch[0];
}
// get array of matches to the R_HOST regular expression
var hostMatch = R_HOST.exec(aStr);
if (!hostMatch) {
if (!hostMatch){
CSPError(CSPLocalizer.getFormatStr("couldntParseInvalidSource", [aStr]));
return null;
}
// host regex gets scheme, so remove scheme from aStr. Add 3 for '://'
if (schemeMatch)
hostMatch = R_HOST.exec(aStr.substring(schemeMatch[0].length + 3));
sObj._host = CSPHost.fromString(hostMatch[0]);
var portMatch = R_PORT.exec(aStr);
if (!portMatch) {

22
content/base/test/unit/test_csputils.js
View File

@ -508,6 +508,28 @@ test(function test_FrameAncestor_defaults() {
do_check_false(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
});
test(function test_FrameAncestor_TLD_defaultPorts() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;
var self = "http://self"; //TLD only, no .com or anything.
cspr = CSPRep.fromString("allow 'self'; frame-ancestors 'self' http://foo:80 bar:80 http://three", URI(self));
//"frame-ancestors should default to * not 'allow' value"
do_check_true(cspr.permits("http://self", SD.FRAME_ANCESTORS));
do_check_true(cspr.permits("http://self:80", SD.FRAME_ANCESTORS));
do_check_true(cspr.permits("http://foo", SD.FRAME_ANCESTORS));
do_check_true(cspr.permits("http://foo:80", SD.FRAME_ANCESTORS));
do_check_true(cspr.permits("http://bar", SD.FRAME_ANCESTORS));
do_check_true(cspr.permits("http://three:80", SD.FRAME_ANCESTORS));
do_check_false(cspr.permits("https://foo:400", SD.FRAME_ANCESTORS));
do_check_false(cspr.permits("https://self:34", SD.FRAME_ANCESTORS));
do_check_false(cspr.permits("https://bar", SD.FRAME_ANCESTORS));
do_check_false(cspr.permits("http://three:81", SD.FRAME_ANCESTORS));
do_check_false(cspr.permits("https://three:81", SD.FRAME_ANCESTORS));
});
test(function test_CSP_ReportURI_parsing() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;