guix/gnu/packages/patches/icecat-CVE-2015-0816.patch

From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 19 Mar 2015 18:58:44 -0400
Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
 URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
 doesn't have the same scheme. r=bholley, a=abillings

---
 caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
index 3587358..6577b95 100644
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
     NS_ENSURE_SUCCESS(rv, rv);
     if (hasFlags) {
         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
+
+            // For now, don't change behavior for resource:// or moz-icon:// and
+            // just allow them.
             if (!targetScheme.EqualsLiteral("chrome")) {
-                // for now don't change behavior for resource: or moz-icon:
                 return NS_OK;
             }
 
-            // allow load only if chrome package is whitelisted
+            // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
+            // target if ALLOW_CHROME is set.
+            //
+            // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+            // loads (since docshell loads run the loaded content with its origin
+            // principal). So we're effectively allowing resource://, chrome://,
+            // and moz-icon:// source URIs to load resource://, chrome://, and
+            // moz-icon:// files, so long as they're not loading it as a document.
+            bool sourceIsUIResource;
+            rv = NS_URIChainHasFlags(sourceBaseURI,
+                                     nsIProtocolHandler::URI_IS_UI_RESOURCE,
+                                     &sourceIsUIResource);
+            NS_ENSURE_SUCCESS(rv, rv);
+            if (sourceIsUIResource) {
+                return NS_OK;
+            }
+
+            // Allow the load only if the chrome package is whitelisted.
             nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
                                                  NS_CHROMEREGISTRY_CONTRACTID));
             if (reg) {
@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
             }
         }
 
-        // resource: and chrome: are equivalent, securitywise
-        // That's bogus!!  Fix this.  But watch out for
-        // the view-source stylesheet?
-        bool sourceIsChrome;
-        rv = NS_URIChainHasFlags(sourceBaseURI,
-                                 nsIProtocolHandler::URI_IS_UI_RESOURCE,
-                                 &sourceIsChrome);
-        NS_ENSURE_SUCCESS(rv, rv);
-        if (sourceIsChrome) {
+        // Special-case the hidden window: it's allowed to load
+        // URI_IS_UI_RESOURCE no matter what.  Bug 1145470 tracks removing this.
+        nsAutoCString sourceSpec;
+        if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
+            sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
             return NS_OK;
         }
+
         if (reportErrors) {
             ReportError(nullptr, errorTag, sourceURI, aTargetURI);
         }
-- 
2.2.1
gnu: icecat: Apply fixes for CVE-2015-{0817,0818} and other selected bugs. * gnu/packages/patches/icecat-CVE-2015-0817.patch, gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch, gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch, gnu/packages/patches/icecat-bug-1127780.patch, gnu/packages/patches/icecat-bug-1144991.patch, gnu/packages/patches/icecat-bug-1145870.patch, gnu/packages/patches/icecat-bug-1146339.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat): Add patches. 2015-03-25 12:20:49 +00:00			`From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001`
			`From: Boris Zbarsky <bzbarsky@mit.edu>`
			`Date: Thu, 19 Mar 2015 18:58:44 -0400`
			`Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a`
			`URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that`
			`doesn't have the same scheme. r=bholley, a=abillings`

			`---`
			`caps/src/nsScriptSecurityManager.cpp \| 38 +++++++++++++++++++++++++-----------`
			`1 file changed, 27 insertions(+), 11 deletions(-)`

			`diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp`
			`index 3587358..6577b95 100644`
			`--- a/caps/src/nsScriptSecurityManager.cpp`
			`+++ b/caps/src/nsScriptSecurityManager.cpp`
			`@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,`
			`NS_ENSURE_SUCCESS(rv, rv);`
			`if (hasFlags) {`
			`if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {`
			`+`
			`+ // For now, don't change behavior for resource:// or moz-icon:// and`
			`+ // just allow them.`
			`if (!targetScheme.EqualsLiteral("chrome")) {`
			`- // for now don't change behavior for resource: or moz-icon:`
			`return NS_OK;`
			`}`

			`- // allow load only if chrome package is whitelisted`
			`+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE`
			`+ // target if ALLOW_CHROME is set.`
			`+ //`
			`+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell`
			`+ // loads (since docshell loads run the loaded content with its origin`
			`+ // principal). So we're effectively allowing resource://, chrome://,`
			`+ // and moz-icon:// source URIs to load resource://, chrome://, and`
			`+ // moz-icon:// files, so long as they're not loading it as a document.`
			`+ bool sourceIsUIResource;`
			`+ rv = NS_URIChainHasFlags(sourceBaseURI,`
			`+ nsIProtocolHandler::URI_IS_UI_RESOURCE,`
			`+ &sourceIsUIResource);`
			`+ NS_ENSURE_SUCCESS(rv, rv);`
			`+ if (sourceIsUIResource) {`
			`+ return NS_OK;`
			`+ }`
			`+`
			`+ // Allow the load only if the chrome package is whitelisted.`
			`nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(`
			`NS_CHROMEREGISTRY_CONTRACTID));`
			`if (reg) {`
			`@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,`
			`}`
			`}`

			`- // resource: and chrome: are equivalent, securitywise`
			`- // That's bogus!! Fix this. But watch out for`
			`- // the view-source stylesheet?`
			`- bool sourceIsChrome;`
			`- rv = NS_URIChainHasFlags(sourceBaseURI,`
			`- nsIProtocolHandler::URI_IS_UI_RESOURCE,`
			`- &sourceIsChrome);`
			`- NS_ENSURE_SUCCESS(rv, rv);`
			`- if (sourceIsChrome) {`
			`+ // Special-case the hidden window: it's allowed to load`
			`+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.`
			`+ nsAutoCString sourceSpec;`
			`+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&`
			`+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {`
			`return NS_OK;`
			`}`
			`+`
			`if (reportErrors) {`
			`ReportError(nullptr, errorTag, sourceURI, aTargetURI);`
			`}`
			`--`
			`2.2.1`