firefox/CVE-2020-26956-3.patch

# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1605719936 0
#      Wed Nov 18 17:18:56 2020 +0000
# Node ID 782446e715644da3ca8226d0c3413e3fafb69d6f
# Parent  42be1816b3857a3962cd0ec4be551830b6639aee
Bug 1666300 test - Test SVG style sanitization on paste. r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D93634

diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/file_sanitizer_on_paste.sjs
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/editor/libeditor/tests/file_sanitizer_on_paste.sjs	Wed Nov 18 17:18:56 2020 +0000
@@ -0,0 +1,16 @@
+function handleRequest(request, response)
+{
+  if (request.queryString.indexOf("report") != -1) {
+    response.setHeader("Content-Type", "text/javascript", false);
+    if (getState("loaded") == "loaded") {
+      response.write("ok(false, 'There was an attempt to preload the image.');");      
+    } else {
+      response.write("ok(true, 'There was no attempt to preload the image.');");      
+    }
+    response.write("SimpleTest.finish();");
+  } else {
+    setState("loaded", "loaded");
+    response.setHeader("Content-Type", "image/svg", false);
+    response.write("<svg xmlns='http://www.w3.org/2000/svg'>Not supposed to load this</svg>");
+  }
+}
diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/mochitest.ini
--- a/editor/libeditor/tests/mochitest.ini	Wed Dec 16 10:40:06 2020 +0200
+++ b/editor/libeditor/tests/mochitest.ini	Wed Nov 18 17:18:56 2020 +0000
@@ -21,6 +21,7 @@
   file_bug966155.html
   file_bug966552.html
   file_select_all_without_body.html
+  file_sanitizer_on_paste.sjs
   green.png
   spellcheck.js

@@ -305,3 +306,4 @@
 [test_selection_move_commands.html]
 [test_pasteImgTextarea.html]
 [test_execCommandPaste_noTarget.html]
+[test_sanitizer_on_paste.html]
diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/test_sanitizer_on_paste.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/editor/libeditor/tests/test_sanitizer_on_paste.html	Wed Nov 18 17:18:56 2020 +0000
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test pasting table rows</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<textarea></textarea>
+<div contenteditable="true">Paste target</div>
+<script>
+  SimpleTest.waitForExplicitFinish();
+  function fail() {
+    ok(false, "Should not run event handlers.");
+  }
+  document.addEventListener('copy', ev => {
+    dump("IN LISTENER\n");
+    const payload = `<svg><style><image href=file_sanitizer_on_paste.sjs onerror=fail() onload=fail()>`
+    
+    ev.preventDefault();
+    ev.clipboardData.setData('text/html', payload);
+    ev.clipboardData.setData('text/plain', payload);
+  });
+
+  document.getElementsByTagName("textarea")[0].focus();
+  synthesizeKey("c", { accelKey: true } /* aEvent*/);
+
+  let div = document.getElementsByTagName("div")[0];
+  div.focus(); 
+  synthesizeKey("v", { accelKey: true } /* aEvent*/);
+
+  let svg = div.firstChild;
+  is(svg.nodeName, "svg", "Node name should be svg");
+
+  let style = svg.firstChild;
+  if (style) {
+    is(style.firstChild, null, "Style should not have child nodes.");
+  } else {
+    ok(false, "Should have gotten a node.");
+  }
+
+  var s = document.createElement("script");
+  s.src = "file_sanitizer_on_paste.sjs?report=1";
+  document.body.appendChild(s);
+</script>
+</body>
\ No newline at end of file
fix cves 2021-01-07 15:15:15 +08:00			`# HG changeset patch`
			`# User Henri Sivonen <hsivonen@hsivonen.fi>`
			`# Date 1605719936 0`
			`# Wed Nov 18 17:18:56 2020 +0000`
			`# Node ID 782446e715644da3ca8226d0c3413e3fafb69d6f`
			`# Parent 42be1816b3857a3962cd0ec4be551830b6639aee`
			`Bug 1666300 test - Test SVG style sanitization on paste. r=smaug`

			`Differential Revision: https://phabricator.services.mozilla.com/D93634`

			`diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/file_sanitizer_on_paste.sjs`
			`--- /dev/null Thu Jan 01 00:00:00 1970 +0000`
			`+++ b/editor/libeditor/tests/file_sanitizer_on_paste.sjs Wed Nov 18 17:18:56 2020 +0000`
			`@@ -0,0 +1,16 @@`
			`+function handleRequest(request, response)`
			`+{`
			`+ if (request.queryString.indexOf("report") != -1) {`
			`+ response.setHeader("Content-Type", "text/javascript", false);`
			`+ if (getState("loaded") == "loaded") {`
			`+ response.write("ok(false, 'There was an attempt to preload the image.');");`
			`+ } else {`
			`+ response.write("ok(true, 'There was no attempt to preload the image.');");`
			`+ }`
			`+ response.write("SimpleTest.finish();");`
			`+ } else {`
			`+ setState("loaded", "loaded");`
			`+ response.setHeader("Content-Type", "image/svg", false);`
			`+ response.write("<svg xmlns='http://www.w3.org/2000/svg'>Not supposed to load this</svg>");`
			`+ }`
			`+}`
			`diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/mochitest.ini`
			`--- a/editor/libeditor/tests/mochitest.ini Wed Dec 16 10:40:06 2020 +0200`
			`+++ b/editor/libeditor/tests/mochitest.ini Wed Nov 18 17:18:56 2020 +0000`
			`@@ -21,6 +21,7 @@`
			`file_bug966155.html`
			`file_bug966552.html`
			`file_select_all_without_body.html`
			`+ file_sanitizer_on_paste.sjs`
			`green.png`
			`spellcheck.js`

			`@@ -305,3 +306,4 @@`
			`[test_selection_move_commands.html]`
			`[test_pasteImgTextarea.html]`
			`[test_execCommandPaste_noTarget.html]`
			`+[test_sanitizer_on_paste.html]`
			`diff -r 42be1816b385 -r 782446e71564 editor/libeditor/tests/test_sanitizer_on_paste.html`
			`--- /dev/null Thu Jan 01 00:00:00 1970 +0000`
			`+++ b/editor/libeditor/tests/test_sanitizer_on_paste.html Wed Nov 18 17:18:56 2020 +0000`
			`@@ -0,0 +1,48 @@`
			`+<!DOCTYPE HTML>`
			`+<html>`
			`+<head>`
			`+ <meta charset="utf-8">`
			`+ <title>Test pasting table rows</title>`
			`+ <script src="/tests/SimpleTest/SimpleTest.js"></script>`
			`+ <script src="/tests/SimpleTest/EventUtils.js"></script>`
			`+ <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>`
			`+</head>`
			`+<body>`
			`+<textarea></textarea>`
			`+<div contenteditable="true">Paste target</div>`
			`+<script>`
			`+ SimpleTest.waitForExplicitFinish();`
			`+ function fail() {`
			`+ ok(false, "Should not run event handlers.");`
			`+ }`
			`+ document.addEventListener('copy', ev => {`
			`+ dump("IN LISTENER\n");`
			+ const payload = `<svg><style><image href=file_sanitizer_on_paste.sjs onerror=fail() onload=fail()>`
			`+`
			`+ ev.preventDefault();`
			`+ ev.clipboardData.setData('text/html', payload);`
			`+ ev.clipboardData.setData('text/plain', payload);`
			`+ });`
			`+`
			`+ document.getElementsByTagName("textarea")[0].focus();`
			`+ synthesizeKey("c", { accelKey: true } /* aEvent*/);`
			`+`
			`+ let div = document.getElementsByTagName("div")[0];`
			`+ div.focus();`
			`+ synthesizeKey("v", { accelKey: true } /* aEvent*/);`
			`+`
			`+ let svg = div.firstChild;`
			`+ is(svg.nodeName, "svg", "Node name should be svg");`
			`+`
			`+ let style = svg.firstChild;`
			`+ if (style) {`
			`+ is(style.firstChild, null, "Style should not have child nodes.");`
			`+ } else {`
			`+ ok(false, "Should have gotten a node.");`
			`+ }`
			`+`
			`+ var s = document.createElement("script");`
			`+ s.src = "file_sanitizer_on_paste.sjs?report=1";`
			`+ document.body.appendChild(s);`
			`+</script>`
			`+</body>`
			`\ No newline at end of file`