Bug 1337629 - Restrict allowed hostname characters r=mcmanus
MozReview-Commit-ID: H8u2C5oSiT9
parent
83ba7c63ab
commit
f2fd6230e6
@ -620,7 +620,7 @@ nsStandardURL::ValidIPv6orHostname(const char *host, uint32_t length)
|
||||
}
|
||||
|
||||
const char *end = host + length;
|
||||
if (end != net_FindCharInSet(host, end, "\t\n\v\f\r #/:?@[\\]")) {
|
||||
if (end != net_FindCharInSet(host, end, CONTROL_CHARACTERS " #/:?@[\\]*<>|\"")) {
|
||||
// We still allow % because it is in the ID of addons.
|
||||
// Any percent encoded ASCII characters that are not allowed in the
|
||||
// hostname are not percent decoded, and will be parsed just fine.
|
||||
|
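Review bot: The reject set on the new `net_FindCharInSet` line is a C string literal, so it can never contain NUL, and the control characters it covers depend entirely on the `CONTROL_CHARACTERS` macro, which is defined outside this hunk. A short comment above the check would make that dependency visible, for example `// Deny-list only: NUL cannot be in this set and must be rejected separately; see CONTROL_CHARACTERS for the exact range.` It is worth confirming that the macro includes DEL (0x7F) and that an embedded NUL is handled in the part of `ValidIPv6orHostname` above the hunk, since neither is visible here. The function body starts before and continues after these lines.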
@ -1,3 +1,5 @@
|
||||
"use strict";
|
||||
|
||||
const StandardURL = Components.Constructor("@mozilla.org/network/standard-url;1",
|
||||
"nsIStandardURL",
|
||||
"init");
|
||||
@ -14,7 +16,7 @@ function symmetricEquality(expect, a, b)
|
||||
/* We don't check port in the loop, because it can be defaulted in
|
||||
some cases. */
|
||||
["spec", "prePath", "scheme", "userPass", "username", "password",
|
||||
"hostPort", "host", "path", "filePath", "param", "query",
|
||||
"hostPort", "host", "path", "filePath", "query",
|
||||
"ref", "directory", "fileName", "fileBaseName", "fileExtension"]
|
||||
.map(function(prop) {
|
||||
dump("Testing '"+ prop + "'\n");
|
||||
@ -438,3 +440,17 @@ add_test(function test_ipv4Normalize()
|
||||
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
add_test(function test_invalidHostChars() {
|
||||
var url = stringToURL("http://example.org/");
|
||||
for (let i = 0; i <= 0x20; i++) {
|
||||
Assert.throws(() => { url.host = "a" + String.fromCharCode(i) + "b"; }, "Trying to set hostname containing char code: " + i);
|
||||
}
|
||||
for (let c of "@[]*<>|:\"") {
|
||||
Assert.throws(() => { url.host = "a" + c; }, "Trying to set hostname containing char: " + c);
|
||||
}
|
||||
|
||||
// It also can't contain /, \, #, ?, but we treat these characters as
|
||||
// hostname separators, so there is no way to set them and fail.
|
||||
run_next_test();
|
||||
});
|
||||
|
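Review bot: In `test_invalidHostChars`, both `Assert.throws` calls pass only a message, so any exception satisfies them, including one raised by the test code itself rather than by the host setter. Neither loop checks that a rejected assignment leaves the URL untouched; adding `Assert.equal(url.host, "example.org");` after each `Assert.throws` would pin that. The first loop stops at 0x20, so DEL (0x7F) is not exercised; whether it is meant to be rejected depends on `CONTROL_CHARACTERS`, which this page does not show. The closing comment says `/`, `\`, `#` and `?` act as separators, but the test does not assert what the host becomes when they are assigned.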