- Patch a security vulnerability (DoS, remote execution) in IDN

(internationalized domain names) subsystem, also known as "hyphen domain name bug" Submitted by: Marcus Grando Obtained from: Mozilla Project CVS, https://bugzilla.mozilla.org/show_bug.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&id=307259 Security: CAN-2005-2871 http://secunia.com/advisories/16764/
author: Pav Lucistnik <pav@FreeBSD.org> 2005-09-10 17:24:31 +0000
committer: Pav Lucistnik <pav@FreeBSD.org> 2005-09-10 17:24:31 +0000
commit: cfffa5699ca4b4120089d01f00b4370fd1890b8f (patch)
tree: 9e39a1b170444b1f1ec27362ce144bd788c796df /www/firefox-devel
parent: 33ee2fced505dd6566ddaa343efaba45be2f4690 (diff)
download: ports-cfffa5699ca4b4120089d01f00b4370fd1890b8f.tar.gz
ports-cfffa5699ca4b4120089d01f00b4370fd1890b8f.zip
2 files changed, 105 insertions, 1 deletions
diff --git a/www/firefox-devel/Makefile b/www/firefox-devel/Makefile
index e4a0fce4a4cf..6dc7d041ef76 100644
--- a/www/firefox-devel/Makefile
+++ b/www/firefox-devel/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	firefox
 PORTVERSION=	1.0.6
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
diff --git a/www/firefox-devel/files/patch-CAN-2005-2871 b/www/firefox-devel/files/patch-CAN-2005-2871
new file mode 100644
index 000000000000..eca8515adbdb
--- /dev/null
+++ b/www/firefox-devel/files/patch-CAN-2005-2871
@@ -0,0 +1,104 @@
+Index: netwerk/base/src/nsStandardURL.cpp
+===================================================================
+RCS file: /cvs/mozilla/netwerk/base/src/nsStandardURL.cpp,v
+retrieving revision 1.60.16.2
+diff -p -u -1 -2 -r1.60.16.2 nsStandardURL.cpp
+--- netwerk/base/src/nsStandardURL.cpp	17 Feb 2005 23:40:53 -0000	1.60.16.2
++++ netwerk/base/src/nsStandardURL.cpp	9 Sep 2005 16:34:46 -0000
+@@ -403,24 +403,25 @@ nsStandardURL::AppendToBuf(char *buf, PR
+ //  4- update url segment positions and lengths
+ nsresult
+ nsStandardURL::BuildNormalizedSpec(const char *spec)
+ {
+     // Assumptions: all member URLSegments must be relative the |spec| argument
+     // passed to this function.
+ 
+     // buffers for holding escaped url segments (these will remain empty unless
+     // escaping is required).
+     nsCAutoString encUsername;
+     nsCAutoString encPassword;
+     nsCAutoString encHost;
++    PRBool useEncHost;
+     nsCAutoString encDirectory;
+     nsCAutoString encBasename;
+     nsCAutoString encExtension;
+     nsCAutoString encParam;
+     nsCAutoString encQuery;
+     nsCAutoString encRef;
+ 
+     //
+     // escape each URL segment, if necessary, and calculate approximate normalized
+     // spec length.
+     //
+     PRInt32 approxLen = 3; // includes room for "://"
+@@ -440,34 +441,36 @@ nsStandardURL::BuildNormalizedSpec(const
+         approxLen += encoder.EncodeSegmentCount(spec, mBasename,  esc_FileBaseName,  encBasename);
+         approxLen += encoder.EncodeSegmentCount(spec, mExtension, esc_FileExtension, encExtension);
+         approxLen += encoder.EncodeSegmentCount(spec, mParam,     esc_Param,         encParam);
+         approxLen += encoder.EncodeSegmentCount(spec, mQuery,     esc_Query,         encQuery);
+         approxLen += encoder.EncodeSegmentCount(spec, mRef,       esc_Ref,           encRef);
+     }
+ 
+     // do not escape the hostname, if IPv6 address literal, mHost will
+     // already point to a [ ] delimited IPv6 address literal.
+     // However, perform Unicode normalization on it, as IDN does.
+     mHostEncoding = eEncoding_ASCII;
+     if (mHost.mLen > 0) {
++        useEncHost = PR_FALSE;
+         const nsCSubstring& tempHost =
+             Substring(spec + mHost.mPos, spec + mHost.mPos + mHost.mLen);
+         if (IsASCII(tempHost))
+             approxLen += mHost.mLen;
+         else {
+             mHostEncoding = eEncoding_UTF8;
+             if (gIDNService &&
+-                NS_SUCCEEDED(gIDNService->Normalize(tempHost, encHost)))
++                NS_SUCCEEDED(gIDNService->Normalize(tempHost, encHost))) {
+                 approxLen += encHost.Length();
+-            else {
++                useEncHost = PR_TRUE;
++            } else {
+                 encHost.Truncate();
+                 approxLen += mHost.mLen;
+             }
+         }
+     }
+ 
+     //
+     // generate the normalized URL string
+     //
+     mSpec.SetLength(approxLen + 32);
+     char *buf;
+     mSpec.BeginWriting(buf);
+@@ -483,25 +486,30 @@ nsStandardURL::BuildNormalizedSpec(const
+     mAuthority.mPos = i;
+ 
+     // append authority
+     if (mUsername.mLen > 0) {
+         i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername);
+         if (mPassword.mLen >= 0) {
+             buf[i++] = ':';
+             i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword);
+         }
+         buf[i++] = '@';
+     }
+     if (mHost.mLen > 0) {
+-        i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost);
++        if (useEncHost) {
++            mHost.mPos = i;
++            mHost.mLen = encHost.Length();
++            i = AppendToBuf(buf, i, encHost.get(), mHost.mLen);
++        } else
++            i = AppendSegmentToBuf(buf, i, spec, mHost);
+         net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
+         if (mPort != -1 && mPort != mDefaultPort) {
+             nsCAutoString portbuf;
+             portbuf.AppendInt(mPort);
+             buf[i++] = ':';
+             i = AppendToBuf(buf, i, portbuf.get(), portbuf.Length());
+         }
+     }
+ 
+     // record authority length
+     mAuthority.mLen = i - mAuthority.mPos;
+
author	Pav Lucistnik <pav@FreeBSD.org>	2005-09-10 17:24:31 +0000
committer	Pav Lucistnik <pav@FreeBSD.org>	2005-09-10 17:24:31 +0000
commit	cfffa5699ca4b4120089d01f00b4370fd1890b8f (patch)
tree	9e39a1b170444b1f1ec27362ce144bd788c796df /www/firefox-devel
parent	33ee2fced505dd6566ddaa343efaba45be2f4690 (diff)
download	ports-cfffa5699ca4b4120089d01f00b4370fd1890b8f.tar.gz ports-cfffa5699ca4b4120089d01f00b4370fd1890b8f.zip