commit 4d12d7970aee
Author: Gijs Kruitbosch <gijskruitbosch@gmail.com>
Date:   Tue Jan 30 12:07:08 2018 +0000

    Bug 1432870. r=bz, a=lizzard
    
    --HG--
    extra : source : 54491805113acdce065ed6164b524acc411986ef
---
 chrome/nsChromeRegistry.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git chrome/nsChromeRegistry.cpp chrome/nsChromeRegistry.cpp
index 4443b11f93ba..8e81c531c4cf 100644
--- chrome/nsChromeRegistry.cpp
+++ chrome/nsChromeRegistry.cpp
@@ -235,6 +235,12 @@ nsChromeRegistry::Canonify(nsIURL* aChromeURL)
     // path is already unescaped once, but uris can get unescaped twice
     const char* pos = path.BeginReading();
     const char* end = path.EndReading();
+    // Must start with [a-zA-Z0-9].
+    if (!('a' <= *pos && *pos <= 'z') &&
+        !('A' <= *pos && *pos <= 'Z') &&
+        !('0' <= *pos && *pos <= '9')) {
+      return NS_ERROR_DOM_BAD_URI;
+    }
     while (pos < end) {
       switch (*pos) {
         case ':':