Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0816.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0816.patch76
1 files changed, 0 insertions, 76 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0816.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch
deleted file mode 100644
index 5632e37eb3..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0816.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
-From: Boris Zbarsky <bzbarsky@mit.edu>
-Date: Thu, 19 Mar 2015 18:58:44 -0400
-Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
- URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
- doesn't have the same scheme. r=bholley, a=abillings
-
----
- caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
- 1 file changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
-index 3587358..6577b95 100644
---- a/caps/src/nsScriptSecurityManager.cpp
-+++ b/caps/src/nsScriptSecurityManager.cpp
-@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
- NS_ENSURE_SUCCESS(rv, rv);
- if (hasFlags) {
- if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-+
-+ // For now, don't change behavior for resource:// or moz-icon:// and
-+ // just allow them.
- if (!targetScheme.EqualsLiteral("chrome")) {
-- // for now don't change behavior for resource: or moz-icon:
- return NS_OK;
- }
-
-- // allow load only if chrome package is whitelisted
-+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-+ // target if ALLOW_CHROME is set.
-+ //
-+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-+ // loads (since docshell loads run the loaded content with its origin
-+ // principal). So we're effectively allowing resource://, chrome://,
-+ // and moz-icon:// source URIs to load resource://, chrome://, and
-+ // moz-icon:// files, so long as they're not loading it as a document.
-+ bool sourceIsUIResource;
-+ rv = NS_URIChainHasFlags(sourceBaseURI,
-+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
-+ &sourceIsUIResource);
-+ NS_ENSURE_SUCCESS(rv, rv);
-+ if (sourceIsUIResource) {
-+ return NS_OK;
-+ }
-+
-+ // Allow the load only if the chrome package is whitelisted.
- nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
- NS_CHROMEREGISTRY_CONTRACTID));
- if (reg) {
-@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
- }
- }
-
-- // resource: and chrome: are equivalent, securitywise
-- // That's bogus!! Fix this. But watch out for
-- // the view-source stylesheet?
-- bool sourceIsChrome;
-- rv = NS_URIChainHasFlags(sourceBaseURI,
-- nsIProtocolHandler::URI_IS_UI_RESOURCE,
-- &sourceIsChrome);
-- NS_ENSURE_SUCCESS(rv, rv);
-- if (sourceIsChrome) {
-+ // Special-case the hidden window: it's allowed to load
-+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
-+ nsAutoCString sourceSpec;
-+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
-+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
- return NS_OK;
- }
-+
- if (reportErrors) {
- ReportError(nullptr, errorTag, sourceURI, aTargetURI);
- }
---
-2.2.1
-