packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
firefox/CVE-2020-26951-1.patch

103 lines
3.5 KiB
Diff
Raw Normal View History

fix cves
2021-01-07 15:15:15 +08:00
# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1603457336 0
# Fri Oct 23 12:48:56 2020 +0000
# Node ID 9143f95d5ab3896f5461fa1666500f6fc1f9e73b
# Parent b067b0d3670b37daad95505b87bddca6bb113d11
Bug 1667113. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D93482
diff -r b067b0d3670b -r 9143f95d5ab3 browser/base/content/test/static/browser_parsable_css.js
--- a/browser/base/content/test/static/browser_parsable_css.js Fri Oct 23 12:48:52 2020 +0000
+++ b/browser/base/content/test/static/browser_parsable_css.js Fri Oct 23 12:48:56 2020 +0000
@@ -496,9 +496,9 @@
checkWhitelist(propNameWhitelist);
// Clean up to avoid leaks:
- iframe.remove();
doc.head.innerHTML = "";
doc = null;
+ iframe.remove();
iframe = null;
win = null;
hiddenFrame.destroy();
diff -r b067b0d3670b -r 9143f95d5ab3 dom/base/nsContentUtils.cpp
--- a/dom/base/nsContentUtils.cpp Fri Oct 23 12:48:52 2020 +0000
+++ b/dom/base/nsContentUtils.cpp Fri Oct 23 12:48:56 2020 +0000
@@ -4817,6 +4817,7 @@
nsIContent* target = aTargetNode;
+ RefPtr<Document> inert;
RefPtr<DocumentFragment> fragment;
// We sanitize if the fragment occurs in a system privileged
// context, an about: page, or if there are explicit sanitization flags.
@@ -4828,8 +4828,12 @@
nodePrincipal->SchemeIs("about") || aFlags >= 0;
if (shouldSanitize) {
if (!AllowsUnsanitizedContentForAboutNewTab(nodePrincipal)) {
- fragment = new (aTargetNode->OwnerDoc()->NodeInfoManager())
- DocumentFragment(aTargetNode->OwnerDoc()->NodeInfoManager());
+ inert = nsContentUtils::CreateInertHTMLDocument(aTargetNode->OwnerDoc());
+ if (!inert) {
+ return NS_ERROR_FAILURE;
+ }
+ fragment = new (inert->NodeInfoManager())
+ DocumentFragment(inert->NodeInfoManager());
target = fragment;
}
}
@@ -4908,22 +4908,7 @@
MOZ_ASSERT(contentsink, "Sink doesn't QI to nsIContentSink!");
sXMLFragmentParser->SetContentSink(contentsink);
- sXMLFragmentSink->SetTargetDocument(aDocument);
- sXMLFragmentSink->SetPreventScriptExecution(aPreventScriptExecution);
-
- nsresult rv = sXMLFragmentParser->ParseFragment(aSourceBuffer, aTagStack);
- if (NS_FAILED(rv)) {
- // Drop the fragment parser and sink that might be in an inconsistent state
- NS_IF_RELEASE(sXMLFragmentParser);
- NS_IF_RELEASE(sXMLFragmentSink);
- return rv;
- }
-
- rv = sXMLFragmentSink->FinishFragmentParsing(aReturn);
-
- sXMLFragmentParser->Reset();
- NS_ENSURE_SUCCESS(rv, rv);
-
+ RefPtr<Document> doc;
nsCOMPtr<nsIPrincipal> nodePrincipal = aDocument->NodePrincipal();
#ifdef DEBUG
@@ -4929,6 +4929,27 @@
// an about: scheme principal.
bool shouldSanitize = nodePrincipal->IsSystemPrincipal() ||
nodePrincipal->SchemeIs("about") || aFlags >= 0;
+ if (shouldSanitize) {
+ doc = nsContentUtils::CreateInertXMLDocument(aDocument);
+ } else {
+ doc = aDocument;
+ }
+
+ sXMLFragmentSink->SetTargetDocument(doc);
+ sXMLFragmentSink->SetPreventScriptExecution(aPreventScriptExecution);
+
+ nsresult rv = sXMLFragmentParser->ParseFragment(aSourceBuffer, aTagStack);
+ if (NS_FAILED(rv)) {
+ // Drop the fragment parser and sink that might be in an inconsistent state
+ NS_IF_RELEASE(sXMLFragmentParser);
+ NS_IF_RELEASE(sXMLFragmentSink);
+ return rv;
+ }
+
+ rv = sXMLFragmentSink->FinishFragmentParsing(aReturn);
+
+ sXMLFragmentParser->Reset();
+ NS_ENSURE_SUCCESS(rv, rv);
if (shouldSanitize) {
uint32_t sanitizationFlags =
Reference in New Issue Copy Permalink