packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
firefox/CVE-2020-15666.patch

114 lines
3.9 KiB
Diff
Raw Normal View History

fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667 CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
2020-12-18 11:52:37 +08:00
# HG changeset patch
# User Sebastian Streich <sstreich@mozilla.com>
# Date 1594901018 0
# Thu Jul 16 12:03:38 2020 +0000
# Node ID b8f37ab6318150a94022625b0500efce2c456947
# Parent 7e7affa995d31d0325c26d7a9994971e7682f3a0
Bug 1450853 - Use Generic Error for 3rdparty MediaElement r=ckerschb,smaug
***
Add test
Differential Revision: https://phabricator.services.mozilla.com/D80080
diff -r 7e7affa995d3 -r b8f37ab63181 dom/html/HTMLMediaElement.cpp
--- a/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:23:08 2020 +0000
+++ b/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:03:38 2020 +0000
@@ -2354,7 +2354,24 @@
if (mDecoder) {
ShutdownDecoder();
}
- mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
+
+ bool isThirdPartyLoad = false;
+ nsresult rv = NS_ERROR_NOT_AVAILABLE;
+ if (mSrcAttrTriggeringPrincipal) {
+ rv = mSrcAttrTriggeringPrincipal->IsThirdPartyURI(mLoadingSrc,
+ &isThirdPartyLoad);
+ }
+
+ if (NS_SUCCEEDED(rv) && isThirdPartyLoad) {
+ // aErrorDetails can include sensitive details like MimeType or HTTP Status
+ // Code. In case we're loading a 3rd party resource we should not leak this
+ // and pass a Generic Error Message
+ mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED,
+ NS_LITERAL_CSTRING("Failed to open media"));
+ } else {
+ mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
+ }
+
RemoveMediaTracks();
ChangeDelayLoadStatus(false);
UpdateAudioChannelPlayingState();
diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/mochitest.ini
--- a/dom/security/test/general/mochitest.ini Thu Jul 16 12:23:08 2020 +0000
+++ b/dom/security/test/general/mochitest.ini Thu Jul 16 12:03:38 2020 +0000
@@ -63,3 +63,4 @@
[test_sec_fetch_websocket.html]
skip-if = toolkit == 'android' # no websocket support Bug 982828
support-files = file_sec_fetch_websocket_wsh.py
+[test_bug1450853.html]
\ No newline at end of file
diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/test_bug1450853.html
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/general/test_bug1450853.html Thu Jul 16 12:03:38 2020 +0000
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1450853
+-->
+<head>
+<meta charset="utf-8">
+<title>Test for Cross-origin resouce status leak via MediaError</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<script src="/tests/SimpleTest/ChromeTask.js"></script>
+<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+
+<audio autoplay id="audio"></audio>
+
+<script type="application/javascript">
+
+/** Test for Bug 1450853 **/
+CONST_GENERIC_ERROR_MESSAGE = "Failed to open media";
+
+add_task(function() {
+ return new Promise((resolve) => {
+ let audioElement = document.getElementById("audio");
+
+ audioElement.onerror = function() {
+ let err = this.error;
+ let message = err.message;
+ info(`Got Audio Error -> ${message}`);
+ ok(message.includes("404"), "Same-Origin Error Message may contain status data");
+ resolve();
+ };
+ audioElement.src = "/media/test.mp3";
+ });
+});
+
+add_task(function() {
+ return new Promise((resolve) => {
+ let audioElement = document.getElementById("audio");
+
+ audioElement.onerror = function() {
+ let err = this.error;
+ let message = err.message;
+
+ info(`Got Audio Error -> ${message}`);
+ is(message,CONST_GENERIC_ERROR_MESSAGE, "Cross-Origin Error Message is only Generic");
+ resolve();
+ };
+ audioElement.src = "https://example.com/media/test.mp3";
+ });
+});
+
+</script>
+</head>
+
+<body>
+ <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1450853">Mozilla Bug 1450853</a>
+ <iframe width="0" height="0"></iframe>
+ </body>
+</html>
Reference in New Issue Copy Permalink