firefox/CVE-2020-6811.patch

From c73d875661b96789047dd5cdccff82f1f639924d Mon Sep 17 00:00:00 2001
From: Jan Odvarko <odvarko@gmail.com>
Date: Wed, 12 Feb 2020 11:52:30 +0000
Subject: [PATCH] Bug 1607742 - Escape method argument r=Gijs

Differential Revision: https://phabricator.services.mozilla.com/D60413

--HG--
extra : moz-landing-system : lando
---
devtools/client/shared/curl.js | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
index 30d8382..6d862be 100644
--- a/devtools/client/shared/curl.js
+++ b/devtools/client/shared/curl.js
@@ -59,6 +59,17 @@ const Curl = {
     const utils = CurlUtils;
 
     let command = ["curl"];
+    // Make sure to use the following helpers to sanitize arguments before execution.
+    const addParam = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      command.push(safe);
+    };
+ 
+    const addPostData = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      postData.push(safe);
+    };
+
     const ignoredHeaders = new Set();
 
     // The cURL command is expected to run on the same platform that Firefox runs
@@ -67,7 +78,7 @@ const Curl = {
                        utils.escapeStringWin : utils.escapeStringPosix;
 
     // Add URL.
-    command.push(escapeString(data.url));
+    addParam(data.url);
 
     let postDataText = null;
     const multipartRequest = utils.isMultipartRequest(data);
@@ -77,15 +88,15 @@ const Curl = {
     if (utils.isUrlEncodedRequest(data) ||
           ["PUT", "POST", "PATCH"].includes(data.method)) {
       postDataText = data.postDataText;
-      postData.push("--data");
-      postData.push(escapeString(utils.writePostDataTextParams(postDataText)));
+      addPostData("--data");
+      addPostData(utils.writePostDataTextParams(postDataText));
       ignoredHeaders.add("content-length");
     } else if (multipartRequest) {
       postDataText = data.postDataText;
-      postData.push("--data-binary");
+      addPostData("--data-binary");
       const boundary = utils.getMultipartBoundary(data);
       const text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
-      postData.push(escapeString(text));
+      addPostData(text);
       ignoredHeaders.add("content-length");
     }
     // curl generates the host header itself based on the given URL
@@ -95,13 +106,13 @@ const Curl = {
     // For servers that supports HEAD.
     // This will fetch the header of a document only.
     if (data.method == "HEAD") {
-      command.push("-I");
+      addParam("-I");
     } else if (!(data.method == "GET" || data.method == "POST")) {
       // Add method.
       // For HEAD, GET and POST requests this is not necessary. GET is the
       // default, if --data or --binary is added POST is used, -I implies HEAD.
-      command.push("-X");
-      command.push(data.method);
+      addParam("-X");
+      addParam(data.method);
     }
 
     // Add request headers.
@@ -113,14 +124,14 @@ const Curl = {
     for (let i = 0; i < headers.length; i++) {
       const header = headers[i];
       if (header.name.toLowerCase() === "accept-encoding") {
-        command.push("--compressed");
+        addParam("--compressed");
         continue;
       }
       if (ignoredHeaders.has(header.name.toLowerCase())) {
         continue;
       }
-      command.push("-H");
-      command.push(escapeString(header.name + ": " + header.value));
+      addParam("-H");
+      addParam(header.name + ": " + header.value);
     }
 
     // Add post data.
-- 
2.23.0