From b7178dc45d21081ef38795ee2179404a02ac0b2e Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Thu, 2 Apr 2015 01:02:12 -0400 Subject: gnu: icecat: Apply fixes for CVE-2015-{0801,0807,0815,0816}. Actually, CVE-2015-0801 and CVE-2015-0816 were already patched in 4c153a9125fa0913077b06b5ed537958ae4ca163, but the corresponding CVEs were not yet announced. * gnu/packages/patches/icecat-bug-1146339.patch: Rename to ... * gnu/packages/patches/icecat-CVE-2015-0801.patch: ... this. * gnu/packages/patches/icecat-bug-1144991.patch: Rename to ... * gnu/packages/patches/icecat-CVE-2015-0816.patch: ... this. * gnu/packages/patches/icecat-CVE-2015-0807.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch: New files. * gnu-system.am (dist_patch_DATA): Add them, and adapt to renamed files. * gnu/packages/gnuzilla.scm (icecat): Add patches, and adapt to renamed files. --- gnu-system.am | 8 +- gnu/packages/gnuzilla.scm | 10 +- gnu/packages/patches/icecat-CVE-2015-0801.patch | 162 +++++++++++++++++++++ gnu/packages/patches/icecat-CVE-2015-0807.patch | 30 ++++ .../patches/icecat-CVE-2015-0815-pt1.patch | 63 ++++++++ .../patches/icecat-CVE-2015-0815-pt2.patch | 89 +++++++++++ .../patches/icecat-CVE-2015-0815-pt3.patch | 37 +++++ gnu/packages/patches/icecat-CVE-2015-0816.patch | 76 ++++++++++ gnu/packages/patches/icecat-bug-1144991.patch | 76 ---------- gnu/packages/patches/icecat-bug-1146339.patch | 162 --------------------- 10 files changed, 470 insertions(+), 243 deletions(-) create mode 100644 gnu/packages/patches/icecat-CVE-2015-0801.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-0807.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-0816.patch delete mode 100644 
gnu/packages/patches/icecat-bug-1144991.patch
delete mode 100644 gnu/packages/patches/icecat-bug-1146339.patch
diff --git a/gnu-system.am b/gnu-system.am
index b760fa0d31..c2a6e2be7d 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -438,9 +438,13 @@ dist_patch_DATA = \
 gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
 gnu/packages/patches/hop-bigloo-4.0b.patch \
 gnu/packages/patches/icecat-bug-1127780.patch \
- gnu/packages/patches/icecat-bug-1144991.patch \
 gnu/packages/patches/icecat-bug-1145870.patch \
- gnu/packages/patches/icecat-bug-1146339.patch \
+ gnu/packages/patches/icecat-CVE-2015-0801.patch \
+ gnu/packages/patches/icecat-CVE-2015-0807.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch \
+ gnu/packages/patches/icecat-CVE-2015-0816.patch \
 gnu/packages/patches/icecat-CVE-2015-0817.patch \
 gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch \
 gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 1e9deb8bff..f4a68fb186 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -225,13 +225,17 @@ (define-public icecat
 (sha256
 (base32
 "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
- (patches (map search-patch '("icecat-bug-1127780.patch"
+ (patches (map search-patch '("icecat-CVE-2015-0815-pt1.patch"
+ "icecat-CVE-2015-0815-pt2.patch"
+ "icecat-bug-1127780.patch"
+ "icecat-CVE-2015-0807.patch"
+ "icecat-CVE-2015-0815-pt3.patch"
 "icecat-CVE-2015-0817.patch"
- "icecat-bug-1144991.patch"
+ "icecat-CVE-2015-0816.patch"
 "icecat-CVE-2015-0818-pt1.patch"
 "icecat-bug-1145870.patch"
 "icecat-CVE-2015-0818-pt2.patch"
- "icecat-bug-1146339.patch")))))
+ "icecat-CVE-2015-0801.patch")))))
 (build-system gnu-build-system)
 (inputs `(("alsa-lib" ,alsa-lib)
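Review bot: The new `patches` list of the `icecat` origin interleaves the CVE patches in an order that matches neither `gnu-system.am` nor the commit message (both CVE-2015-0815 parts come first, `icecat-CVE-2015-0815-pt3.patch` sits after `icecat-CVE-2015-0807.patch`), and nothing records why. If the order is deliberate because later patches only apply on top of earlier ones — presumably so, since this list is the application order — a one-line comment above the list, `;; Patches are listed in the order in which they must be applied.`, would stop a future alphabetising cleanup from breaking the build. If the order is not significant, sorting it to match `gnu-system.am` would make the two lists easy to cross-check. The `define-public icecat` form begins and ends outside this hunk.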
diff --git a/gnu/packages/patches/icecat-CVE-2015-0801.patch b/gnu/packages/patches/icecat-CVE-2015-0801.patch
new file mode 100644
index 0000000000..9d858523b9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0801.patch
@@ -0,0 +1,162 @@
+From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001
+From: Olli Pettay
+Date: Mon, 23 Mar 2015 22:23:53 -0400
+Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching
+ popstate/hashchange. r=bz, a=lmandel
+
+---
+ docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++-----------------------
+ docshell/base/nsDocShell.h | 1 -
+ 2 files changed, 30 insertions(+), 35 deletions(-)
+
+diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
+index bdf88a5cf..efb6a6e 100644
+--- a/docshell/base/nsDocShell.cpp
++++ b/docshell/base/nsDocShell.cpp
+@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI,
+ 
+ // Note: we allow loads to get through here even if mFiredUnloadEvent is
+ // true; that case will get handled in LoadInternal or LoadHistoryEntry.
+- if (IsPrintingOrPP() || mBlockNavigation) {
++ if (IsPrintingOrPP()) {
+ return NS_OK; // JS may not handle returning of an error code
+ }
+ 
+@@ -4206,7 +4206,8 @@ bool
+ nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
+ {
+ bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
+- !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) {
++ !mFiredUnloadEvent;
++ if (!isAllowed) {
+ return false;
+ }
+ if (!mContentViewer) {
+@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ 
+ NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
+ 
+- NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
+-
+ // wyciwyg urls can only be loaded through history. Any normal load of
+ // wyciwyg through docshell is illegal. Disallow such loads.
+ if (aLoadType & LOAD_CMD_NORMAL) {
+@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ GetCurScrollPos(ScrollOrientation_X, &cx);
+ GetCurScrollPos(ScrollOrientation_Y, &cy);
+ 
+- {
+- AutoRestore scrollingToAnchor(mBlockNavigation);
+- mBlockNavigation = true;
+-
+- // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+- // the function decides whether a scroll is appropriate based on the
+- // arguments it receives. But even if we don't end up scrolling,
+- // ScrollToAnchor performs other important tasks, such as informing
+- // the presShell that we have a new hash. See bug 680257.
+- rv = ScrollToAnchor(curHash, newHash, aLoadType);
+- NS_ENSURE_SUCCESS(rv, rv);
+- }
+-
+ // Reset mLoadType to its original value once we exit this block,
+ // because this short-circuited load might have started after a
+ // normal, network load, and we don't want to clobber its load type.
+@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ mOSHE->SetCacheKey(cacheKey);
+ }
+ 
+- /* restore previous position of scroller(s), if we're moving
+- * back in history (bug 59774)
+- */
+- if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL))
+- {
+- nscoord bx, by;
+- mOSHE->GetScrollPosition(&bx, &by);
+- SetCurScrollPosEx(bx, by);
+- }
+-
+ /* Restore the original LSHE if we were loading something
+ * while short-circuited load was initiated.
+ */
+@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ 
+ SetDocCurrentStateObj(mOSHE);
+ 
++ // Inform the favicon service that the favicon for oldURI also
++ // applies to aURI.
++ CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
++
++ nsRefPtr win = mScriptGlobal ?
++ mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr;
++
++ // ScrollToAnchor doesn't necessarily cause us to scroll the window;
++ // the function decides whether a scroll is appropriate based on the
++ // arguments it receives. But even if we don't end up scrolling,
++ // ScrollToAnchor performs other important tasks, such as informing
++ // the presShell that we have a new hash. See bug 680257.
++ rv = ScrollToAnchor(curHash, newHash, aLoadType);
++ NS_ENSURE_SUCCESS(rv, rv);
++
++ /* restore previous position of scroller(s), if we're moving
++ * back in history (bug 59774)
++ */
++ if (mOSHE && (aLoadType == LOAD_HISTORY ||
++ aLoadType == LOAD_RELOAD_NORMAL)) {
++ nscoord bx, by;
++ mOSHE->GetScrollPosition(&bx, &by);
++ SetCurScrollPosEx(bx, by);
++ }
++
+ // Dispatch the popstate and hashchange events, as appropriate.
+ //
+ // The event dispatch below can cause us to re-enter script and
+ // destroy the docshell, nulling out mScriptGlobal. Hold a stack
+ // reference to avoid null derefs. See bug 914521.
+- nsRefPtr win = mScriptGlobal;
+ if (win) {
+ // Fire a hashchange event URIs differ, and only in their hashes.
+ bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
+@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
+ }
+ }
+ 
+- // Inform the favicon service that the favicon for oldURI also
+- // applies to aURI.
+- CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
+-
+ return NS_OK;
+ }
+ }
+@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
+ {
+ NS_ASSERTION(NS_IsMainThread(), "wrong thread");
+ 
+- if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
++ if (!IsOKToLoadURI(aURI)) {
+ return NS_OK;
+ }
+ 
+@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
+ *aRequest = nullptr;
+ }
+ 
+- if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
++ if (!IsOKToLoadURI(aURI)) {
+ return NS_OK;
+ }
+ 
+diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
+index be353ee..c191777 100644
+--- a/docshell/base/nsDocShell.h
++++ b/docshell/base/nsDocShell.h
+@@ -835,7 +835,6 @@ protected:
+ bool mInPrivateBrowsing;
+ bool mUseRemoteTabs;
+ bool mDeviceSizeIsPageSize;
+- bool mBlockNavigation;
+ 
+ // Because scriptability depends on the mAllowJavascript values of our
+ // ancestors, we cache the effective scriptability and recompute it when
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0807.patch b/gnu/packages/patches/icecat-CVE-2015-0807.patch
new file mode 100644
index 0000000000..833bc36d6b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0807.patch
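Review bot: `ScrollToAnchor(curHash, newHash, aLoadType)` is now called after `SetDocCurrentStateObj(mOSHE)` and before the `mOSHE` scroll-position restore and the popstate/hashchange dispatch, yet only the dispatch carries the warning that it can re-enter script and destroy the docshell; if ScrollToAnchor can flush layout or otherwise run script (not visible in this hunk), the code after it should re-check that the shell is still alive, e.g. `NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);` right after its `NS_ENSURE_SUCCESS(rv, rv);`. The initialisation `nsRefPtr win = mScriptGlobal ? mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr;` now sits well above the comment that explains why the reference is held on the stack ("Hold a stack reference to avoid null derefs. See bug 914521."), so that comment should move up next to it. With `mBlockNavigation` deleted from `LoadURI`, `IsNavigationAllowed`, `InternalLoad`, `OnLinkClick` and `OnLinkClickSync`, a short comment at the new ScrollToAnchor call site saying why a navigation started from inside it is now tolerated would preserve the intent the old guard expressed. `nsDocShell::InternalLoad` and the other functions touched here begin and end outside this hunk.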
@@ -0,0 +1,30 @@
+From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer
+Date: Thu, 19 Feb 2015 13:43:40 -0800
+Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow
+ 30x redirect. r=sicking, a=lmandel
+
+---
+ dom/base/Navigator.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 020e370..727b7cb7 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl,
+ !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) &&
+ !contentType.Equals(MULTIPART_FORM_DATA) &&
+ !contentType.Equals(TEXT_PLAIN)) {
++
++ // we need to set the sameOriginChecker as a notificationCallback
++ // so we can tell the channel not to follow redirects
++ nsCOMPtr soc = nsContentUtils::GetSameOriginChecker();
++ channel->SetNotificationCallbacks(soc);
++
+ nsCOMPtr preflightChannel;
+ nsTArray unsafeHeaders;
+ unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type"));
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
new file mode 100644
index 0000000000..1dd5e20c67
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
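Review bot: `channel->SetNotificationCallbacks(soc)` replaces whatever notification callbacks the beacon channel already had rather than chaining the same-origin checker in front of them, so any callbacks installed earlier in `SendBeacon` (outside this hunk) are silently dropped; if the channel is expected to carry others, wrap them in an interface requestor that consults `soc` first, otherwise record in the comment that this is the only callback the channel gets. The redirect block is installed only in the non-simple content-type branch, so beacons with `APPLICATION_WWW_FORM_URLENCODED`, `MULTIPART_FORM_DATA` or `TEXT_PLAIN` bodies still follow redirects; that matches simple-request CORS semantics but deserves a sentence in the comment, e.g. `// Simple (non-preflighted) beacons keep following redirects.`. `Navigator::SendBeacon` begins and ends outside this hunk.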
@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h | 5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+ // This is for the benefit of CompartmentsIterT::comp.
+ friend class mozilla::Maybe;
+ private:
+- JSCompartment **it, **end;
++ JS::Zone *zone;
++ JSCompartment **it;
+ 
+ CompartmentsInZoneIter()
+- : it(nullptr), end(nullptr)
++ : zone(nullptr), it(nullptr)
+ {}
+ 
+ public:
+- explicit CompartmentsInZoneIter(JS::Zone *zone) {
++ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+ it = zone->compartments.begin();
+- end = zone->compartments.end();
+ }
+ 
+ bool done() const {
+ JS_ASSERT(it);
+- return it == end;
++ return it < zone->compartments.begin() ||
++ it >= zone->compartments.end();
+ }
+ void next() {
+ JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+ 
+ /*
+- * This function calls |compartmentCallback| on every compartment. Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+ * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+ */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
new file mode 100644
index 0000000000..0a0cbed177
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
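Review bot: The new `done()` re-reads `zone->compartments.begin()` and `end()` on every call so that a vector that shrank during the callback makes `it` fall outside the live range, but it does nothing for the other way the vector can change: if `zone->compartments` reallocates (grows) while the callback runs, `it` points into freed storage and comparing it against the new bounds is a comparison between unrelated pointers. Whether growth is possible during `JS_IterateCompartments` is not visible here, so at minimum the assumption should be stated on `done()`, e.g. `// Re-check the live bounds: a GC in the callback may remove compartments. Growth of the vector during iteration is not handled.`. The updated jsapi.h comment only mentions compartments being skipped and should carry the same caveat. `CompartmentsInZoneIter::next()` continues past the end of the hunk.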
@@ -0,0 +1,89 @@
+From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
+From: Nathan Froyd
+Date: Fri, 6 Feb 2015 16:19:36 -0500
+Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
+ nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
+
+---
+ xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
+index bd586c9..b95846f 100644
+--- a/xpcom/threads/TimerThread.cpp
++++ b/xpcom/threads/TimerThread.cpp
+@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
+ RemoveTimerInternal(timer);
+ timer = nullptr;
+ 
++#ifdef DEBUG_TIMERS
++ if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
++ PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
++ ("Timer thread woke up %fms from when it was supposed to\n",
++ fabs((now - timerRef->mTimeout).ToMilliseconds())));
++ }
++#endif
++
+ {
+ // We release mMonitor around the Fire call to avoid deadlock.
+ MonitorAutoUnlock unlock(mMonitor);
+ 
+-#ifdef DEBUG_TIMERS
+- if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
+- PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
+- ("Timer thread woke up %fms from when it was supposed to\n",
+- fabs((now - timerRef->mTimeout).ToMilliseconds())));
+- }
+-#endif
+ 
+ // We are going to let the call to PostTimerEvent here handle the
+ // release of the timer so that we don't end up releasing the timer
+ // on the TimerThread instead of on the thread it targets.
+ timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
++ }
+ 
+- if (timerRef) {
+- // We got our reference back due to an error.
+- // Unhook the nsRefPtr, and release manually so we can get the
+- // refcount.
+- nsrefcnt rc = timerRef.forget().take()->Release();
+- (void)rc;
+-
+- // The nsITimer interface requires that its users keep a reference
+- // to the timers they use while those timers are initialized but
+- // have not yet fired. If this ever happens, it is a bug in the
+- // code that created and used the timer.
+- //
+- // Further, note that this should never happen even with a
+- // misbehaving user, because nsTimerImpl::Release checks for a
+- // refcount of 1 with an armed timer (a timer whose only reference
+- // is from the timer thread) and when it hits this will remove the
+- // timer from the timer thread and thus destroy the last reference,
+- // preventing this situation from occurring.
+- MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+- }
++ if (timerRef) {
++ // We got our reference back due to an error.
++ // Unhook the nsRefPtr, and release manually so we can get the
++ // refcount.
++ nsrefcnt rc = timerRef.forget().take()->Release();
++ (void)rc;
++
++ // The nsITimer interface requires that its users keep a reference
++ // to the timers they use while those timers are initialized but
++ // have not yet fired. If this ever happens, it is a bug in the
++ // code that created and used the timer.
++ //
++ // Further, note that this should never happen even with a
++ // misbehaving user, because nsTimerImpl::Release checks for a
++ // refcount of 1 with an armed timer (a timer whose only reference
++ // is from the timer thread) and when it hits this will remove the
++ // timer from the timer thread and thus destroy the last reference,
++ // preventing this situation from occurring.
++ MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+ }
+ 
+ if (mShutdown)
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
new file mode 100644
index 0000000000..5ac053df78
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
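Review bot: The error-path `nsrefcnt rc = timerRef.forget().take()->Release();` has moved out of the `MonitorAutoUnlock unlock(mMonitor)` scope, so it now runs with `mMonitor` held; the in-hunk comment argues this can never be the final release, but if it ever were, the `nsTimerImpl::Release` path the comment describes as removing the timer from the timer thread would re-enter `mMonitor` on the thread that already holds it, which is only safe if that monitor is reentrant — not visible here. A comment next to the call would make the dependency explicit: `// Runs with mMonitor held; must not be the last reference (see MOZ_ASSERT below).`. The `#ifdef DEBUG_TIMERS` logging now also executes under the lock, which is harmless but is presumably moved for the same reason and could be mentioned in the commit message. `TimerThread::Run` begins and ends outside this hunk.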
@@ -0,0 +1,37 @@
+From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001
+From: Brian Hackett
+Date: Sun, 8 Mar 2015 22:10:01 -0400
+Subject: [PATCH] Bug 1138199. r=billm, a=lmandel
+
+---
+ js/src/ds/LifoAlloc.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h
+index 7617cf5..b112353 100644
+--- a/js/src/ds/LifoAlloc.h
++++ b/js/src/ds/LifoAlloc.h
+@@ -193,14 +193,14 @@ class LifoAlloc
+ 
+ // Append used chunks to the end of this LifoAlloc. We act as if all the
+ // chunks in |this| are used, even if they're not, so memory may be wasted.
+- void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) {
+- JS_ASSERT(start && latest && end);
++ void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) {
++ JS_ASSERT(otherFirst && otherLatest && otherLast);
+ if (last)
+- last->setNext(start);
++ last->setNext(otherFirst);
+ else
+- first = latest = start;
+- last = end;
+- this->latest = latest;
++ first = otherFirst;
++ latest = otherLatest;
++ last = otherLast;
+ }
+ 
+ void incrementCurSize(size_t size) {
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0816.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch
new file mode 100644
index 0000000000..5632e37eb3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0816.patch
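Review bot: The parameter rename is the actual fix but nothing in the new `appendUsed` says so: in the old code the parameter `latest` shadowed the member, `first = latest = start;` overwrote that parameter with `start`, and `this->latest = latest;` then stored `start`, so the caller's latest chunk was lost. A one-line comment would keep the next maintainer from "cleaning up" the names, e.g. `// Parameter names deliberately avoid first/latest/last: shadowing the members is what caused bug 1138199.`. The `else` branch still assumes `first` is null whenever `last` is null; if that invariant holds (not provable from the hunk), `JS_ASSERT(!first);` in that branch would pin it. `class LifoAlloc` begins and ends outside this hunk.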
@@ -0,0 +1,76 @@
+From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky
+Date: Thu, 19 Mar 2015 18:58:44 -0400
+Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
+ URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
+ doesn't have the same scheme. r=bholley, a=abillings
+
+---
+ caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
+index 3587358..6577b95 100644
+--- a/caps/src/nsScriptSecurityManager.cpp
++++ b/caps/src/nsScriptSecurityManager.cpp
+@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (hasFlags) {
+ if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
++
++ // For now, don't change behavior for resource:// or moz-icon:// and
++ // just allow them.
+ if (!targetScheme.EqualsLiteral("chrome")) {
+- // for now don't change behavior for resource: or moz-icon:
+ return NS_OK;
+ }
+ 
+- // allow load only if chrome package is whitelisted
++ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
++ // target if ALLOW_CHROME is set.
++ //
++ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
++ // loads (since docshell loads run the loaded content with its origin
++ // principal). So we're effectively allowing resource://, chrome://,
++ // and moz-icon:// source URIs to load resource://, chrome://, and
++ // moz-icon:// files, so long as they're not loading it as a document.
++ bool sourceIsUIResource;
++ rv = NS_URIChainHasFlags(sourceBaseURI,
++ nsIProtocolHandler::URI_IS_UI_RESOURCE,
++ &sourceIsUIResource);
++ NS_ENSURE_SUCCESS(rv, rv);
++ if (sourceIsUIResource) {
++ return NS_OK;
++ }
++
++ // Allow the load only if the chrome package is whitelisted.
+ nsCOMPtr reg(do_GetService(
+ NS_CHROMEREGISTRY_CONTRACTID));
+ if (reg) {
+@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
+ }
+ }
+ 
+- // resource: and chrome: are equivalent, securitywise
+- // That's bogus!! Fix this. But watch out for
+- // the view-source stylesheet?
+- bool sourceIsChrome;
+- rv = NS_URIChainHasFlags(sourceBaseURI,
+- nsIProtocolHandler::URI_IS_UI_RESOURCE,
+- &sourceIsChrome);
+- NS_ENSURE_SUCCESS(rv, rv);
+- if (sourceIsChrome) {
++ // Special-case the hidden window: it's allowed to load
++ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
++ nsAutoCString sourceSpec;
++ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
++ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
+ return NS_OK;
+ }
++
+ if (reportErrors) {
+ ReportError(nullptr, errorTag, sourceURI, aTargetURI);
+ }
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-bug-1144991.patch
deleted file mode 100644
index 5632e37eb3..0000000000
--- a/gnu/packages/patches/icecat-bug-1144991.patch
+++ /dev/null
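Review bot: The hidden-window exemption is keyed on an exact string compare, `sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")`, and a failing `GetSpec` falls through to `ReportError`, so it fails closed; still, the literal should live in a named constant with the Bug 1145470 note attached so the exemption stays greppable until it is removed. In the first hunk the early `return NS_OK` for any non-`chrome` target under `ALLOW_CHROME` is unchanged and still allows `resource://` and `moz-icon://` targets for any source whenever that flag is set; the new `sourceIsUIResource` check only narrows `chrome://` targets, which the comment block should state outright, e.g. `// NOTE: resource:// and moz-icon:// targets remain allowed for any ALLOW_CHROME source.`. `CheckLoadURIWithPrincipal` begins and ends outside these hunks.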
@@ -1,76 +0,0 @@ -From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001 -From: Boris Zbarsky -Date: Thu, 19 Mar 2015 18:58:44 -0400 -Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a - URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that - doesn't have the same scheme. r=bholley, a=abillings - ---- - caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++----------- - 1 file changed, 27 insertions(+), 11 deletions(-) - -diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp -index 3587358..6577b95 100644 ---- a/caps/src/nsScriptSecurityManager.cpp -+++ b/caps/src/nsScriptSecurityManager.cpp -@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - NS_ENSURE_SUCCESS(rv, rv); - if (hasFlags) { - if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) { -+ -+ // For now, don't change behavior for resource:// or moz-icon:// and -+ // just allow them. - if (!targetScheme.EqualsLiteral("chrome")) { -- // for now don't change behavior for resource: or moz-icon: - return NS_OK; - } - -- // allow load only if chrome package is whitelisted -+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE -+ // target if ALLOW_CHROME is set. -+ // -+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell -+ // loads (since docshell loads run the loaded content with its origin -+ // principal). So we're effectively allowing resource://, chrome://, -+ // and moz-icon:// source URIs to load resource://, chrome://, and -+ // moz-icon:// files, so long as they're not loading it as a document. -+ bool sourceIsUIResource; -+ rv = NS_URIChainHasFlags(sourceBaseURI, -+ nsIProtocolHandler::URI_IS_UI_RESOURCE, -+ &sourceIsUIResource); -+ NS_ENSURE_SUCCESS(rv, rv); -+ if (sourceIsUIResource) { -+ return NS_OK; -+ } -+ -+ // Allow the load only if the chrome package is whitelisted. 
- nsCOMPtr reg(do_GetService( - NS_CHROMEREGISTRY_CONTRACTID)); - if (reg) { -@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - } - } - -- // resource: and chrome: are equivalent, securitywise -- // That's bogus!! Fix this. But watch out for -- // the view-source stylesheet? -- bool sourceIsChrome; -- rv = NS_URIChainHasFlags(sourceBaseURI, -- nsIProtocolHandler::URI_IS_UI_RESOURCE, -- &sourceIsChrome); -- NS_ENSURE_SUCCESS(rv, rv); -- if (sourceIsChrome) { -+ // Special-case the hidden window: it's allowed to load -+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this. -+ nsAutoCString sourceSpec; -+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) && -+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) { - return NS_OK; - } -+ - if (reportErrors) { - ReportError(nullptr, errorTag, sourceURI, aTargetURI); - } --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-bug-1146339.patch b/gnu/packages/patches/icecat-bug-1146339.patch deleted file mode 100644 index 9d858523b9..0000000000 --- a/gnu/packages/patches/icecat-bug-1146339.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001 -From: Olli Pettay -Date: Mon, 23 Mar 2015 22:23:53 -0400 -Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching - popstate/hashchange. r=bz, a=lmandel - ---- - docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++----------------------- - docshell/base/nsDocShell.h | 1 - - 2 files changed, 30 insertions(+), 35 deletions(-) - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index bdf88a5cf..efb6a6e 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI, - - // Note: we allow loads to get through here even if mFiredUnloadEvent is - // true; that case will get handled in LoadInternal or LoadHistoryEntry. -- if (IsPrintingOrPP() || mBlockNavigation) { -+ if (IsPrintingOrPP()) { - return NS_OK; // JS may not handle returning of an error code - } - -@@ -4206,7 +4206,8 @@ bool - nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog) - { - bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && -- !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) { -+ !mFiredUnloadEvent; -+ if (!isAllowed) { - return false; - } - if (!mContentViewer) { -@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - - NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE); - -- NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED); -- - // wyciwyg urls can only be loaded through history. Any normal load of - // wyciwyg through docshell is illegal. Disallow such loads. 
- if (aLoadType & LOAD_CMD_NORMAL) { -@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - GetCurScrollPos(ScrollOrientation_X, &cx); - GetCurScrollPos(ScrollOrientation_Y, &cy); - -- { -- AutoRestore scrollingToAnchor(mBlockNavigation); -- mBlockNavigation = true; -- -- // ScrollToAnchor doesn't necessarily cause us to scroll the window; -- // the function decides whether a scroll is appropriate based on the -- // arguments it receives. But even if we don't end up scrolling, -- // ScrollToAnchor performs other important tasks, such as informing -- // the presShell that we have a new hash. See bug 680257. -- rv = ScrollToAnchor(curHash, newHash, aLoadType); -- NS_ENSURE_SUCCESS(rv, rv); -- } -- - // Reset mLoadType to its original value once we exit this block, - // because this short-circuited load might have started after a - // normal, network load, and we don't want to clobber its load type. -@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - mOSHE->SetCacheKey(cacheKey); - } - -- /* restore previous position of scroller(s), if we're moving -- * back in history (bug 59774) -- */ -- if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL)) -- { -- nscoord bx, by; -- mOSHE->GetScrollPosition(&bx, &by); -- SetCurScrollPosEx(bx, by); -- } -- - /* Restore the original LSHE if we were loading something - * while short-circuited load was initiated. - */ -@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI, - - SetDocCurrentStateObj(mOSHE); - -+ // Inform the favicon service that the favicon for oldURI also -+ // applies to aURI. -+ CopyFavicon(currentURI, aURI, mInPrivateBrowsing); -+ -+ nsRefPtr win = mScriptGlobal ? -+ mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr; -+ -+ // ScrollToAnchor doesn't necessarily cause us to scroll the window; -+ // the function decides whether a scroll is appropriate based on the -+ // arguments it receives. 
But even if we don't end up scrolling, -+ // ScrollToAnchor performs other important tasks, such as informing -+ // the presShell that we have a new hash. See bug 680257. -+ rv = ScrollToAnchor(curHash, newHash, aLoadType); -+ NS_ENSURE_SUCCESS(rv, rv); -+ -+ /* restore previous position of scroller(s), if we're moving -+ * back in history (bug 59774) -+ */ -+ if (mOSHE && (aLoadType == LOAD_HISTORY || -+ aLoadType == LOAD_RELOAD_NORMAL)) { -+ nscoord bx, by; -+ mOSHE->GetScrollPosition(&bx, &by); -+ SetCurScrollPosEx(bx, by); -+ } -+ - // Dispatch the popstate and hashchange events, as appropriate. - // - // The event dispatch below can cause us to re-enter script and - // destroy the docshell, nulling out mScriptGlobal. Hold a stack - // reference to avoid null derefs. See bug 914521. -- nsRefPtr win = mScriptGlobal; - if (win) { - // Fire a hashchange event URIs differ, and only in their hashes. - bool doHashchange = sameExceptHashes && !curHash.Equals(newHash); -@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - } - } - -- // Inform the favicon service that the favicon for oldURI also -- // applies to aURI. 
-- CopyFavicon(currentURI, aURI, mInPrivateBrowsing); -- - return NS_OK; - } - } -@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent, - { - NS_ASSERTION(NS_IsMainThread(), "wrong thread"); - -- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { -+ if (!IsOKToLoadURI(aURI)) { - return NS_OK; - } - -@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent, - *aRequest = nullptr; - } - -- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { -+ if (!IsOKToLoadURI(aURI)) { - return NS_OK; - } - -diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h -index be353ee..c191777 100644 ---- a/docshell/base/nsDocShell.h -+++ b/docshell/base/nsDocShell.h -@@ -835,7 +835,6 @@ protected: - bool mInPrivateBrowsing; - bool mUseRemoteTabs; - bool mDeviceSizeIsPageSize; -- bool mBlockNavigation; - - // Because scriptability depends on the mAllowJavascript values of our - // ancestors, we cache the effective scriptability and recompute it when --- -2.2.1 - -- cgit v1.2.3