packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
firefox/CVE-2020-26951-2.patch

178 lines
5.8 KiB
Diff
Raw Normal View History

fix cves
2021-01-07 15:15:15 +08:00
# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1605719930 0
# Wed Nov 18 17:18:50 2020 +0000
# Node ID 027514ba89006dfd5c346c307e46ed8f79e358c1
# Parent 782446e715644da3ca8226d0c3413e3fafb69d6f
Bug 1667113 test - Test innerHTML sanitizer in chrome context. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D93928
diff -r 782446e71564 -r 027514ba8900 dom/security/test/general/chrome.ini
--- a/dom/security/test/general/chrome.ini Wed Nov 18 17:18:56 2020 +0000
+++ b/dom/security/test/general/chrome.ini Wed Nov 18 17:18:50 2020 +0000
@@ -3,6 +3,8 @@
favicon_bug1277803.ico
bug1277803.html
+[test_innerhtml_sanitizer.html]
+[test_innerhtml_sanitizer.xhtml]
[test_bug1277803.xhtml]
skip-if = os == 'android' || verify
diff -r 782446e71564 -r 027514ba8900 dom/security/test/general/test_innerhtml_sanitizer.html
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/general/test_innerhtml_sanitizer.html Wed Nov 18 17:18:50 2020 +0000
@@ -0,0 +1,74 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset=utf-8>
+ <title>Test for Bug 1667113</title>
+ <script src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1667113">Mozilla Bug 1667113</a>
+<div></div>
+<script>
+SimpleTest.waitForExplicitFinish();
+
+// Please note that 'fakeServer' does not exist because the test relies
+// on "csp-on-violate-policy" , and "specialpowers-http-notify-request"
+// which fire if either the request is blocked or fires. The test does
+// not rely on the result of the load.
+
+function fail() {
+ ok(false, "Should not call this")
+}
+
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy");
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
+}
+examiner.prototype = {
+ observe(subject, topic, data) {
+ if (topic === "csp-on-violate-policy") {
+ let asciiSpec = SpecialPowers.getPrivilegedProps(
+ SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+ "asciiSpec");
+ if (asciiSpec.includes("fakeServer")) {
+ ok (false, "Should not attempt fetch, not even blocked by CSP.");
+ }
+ }
+
+ if (topic === "specialpowers-http-notify-request") {
+ if (data.includes("fakeServer")) {
+ ok (false, "Should not try fetch");
+ }
+ }
+ },
+ remove() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ }
+}
+
+window.examiner = new examiner();
+
+let div = document.getElementsByTagName("div")[0];
+div.innerHTML = "<svg><style><title><audio src=fakeServer onerror=fail() onload=fail()>";
+
+let svg = div.firstChild;
+is(svg.nodeName, "svg", "Node name should be svg");
+
+let style = svg.firstChild;
+if (style) {
+ is(style.firstChild, null, "Style should not have child nodes.");
+} else {
+ ok(false, "Should have gotten a node.");
+}
+
+
+SimpleTest.executeSoon(function() {
+ window.examiner.remove();
+ SimpleTest.finish();
+});
+
+</script>
+</body>
+</html>
diff -r 782446e71564 -r 027514ba8900 dom/security/test/general/test_innerhtml_sanitizer.xhtml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/general/test_innerhtml_sanitizer.xhtml Wed Nov 18 17:18:50 2020 +0000
@@ -0,0 +1,73 @@
+<!DOCTYPE HTML>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <title>Test for Bug 1667113</title>
+ <script src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1667113">Mozilla Bug 1667113</a>
+<div></div>
+<script><![CDATA[
+SimpleTest.waitForExplicitFinish();
+
+// Please note that 'fakeServer' does not exist because the test relies
+// on "csp-on-violate-policy" , and "specialpowers-http-notify-request"
+// which fire if either the request is blocked or fires. The test does
+// not rely on the result of the load.
+
+function fail() {
+ ok(false, "Should not call this")
+}
+
+function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy");
+ SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
+}
+examiner.prototype = {
+ observe(subject, topic, data) {
+ if (topic === "csp-on-violate-policy") {
+ let asciiSpec = SpecialPowers.getPrivilegedProps(
+ SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+ "asciiSpec");
+ if (asciiSpec.includes("fakeServer")) {
+ ok (false, "Should not attempt fetch, not even blocked by CSP.");
+ }
+ }
+
+ if (topic === "specialpowers-http-notify-request") {
+ if (data.includes("fakeServer")) {
+ ok (false, "Should not try fetch");
+ }
+ }
+ },
+ remove() {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+ }
+}
+
+window.examiner = new examiner();
+
+let div = document.getElementsByTagName("div")[0];
+div.innerHTML = "<svg xmlns='http://www.w3.org/2000/svg'><style><title><audio xmlns='http://www.w3.org/1999/xhtml' src='fakeServer' onerror='fail()' onload='fail()'></audio></title></style></svg>";
+
+let svg = div.firstChild;
+is(svg.nodeName, "svg", "Node name should be svg");
+
+let style = svg.firstChild;
+if (style) {
+ is(style.firstChild, null, "Style should not have child nodes.");
+} else {
+ ok(false, "Should have gotten a node.");
+}
+
+
+SimpleTest.executeSoon(function() {
+ window.examiner.remove();
+ SimpleTest.finish();
+});
+
+]]></script>
+</body>
+</html>
Reference in New Issue Copy Permalink