diff options
| author | Mark H Weaver <mhw@netris.org> | 2024-11-27 06:14:55 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2024-11-27 06:14:55 -0500 |
| commit | 306c589a92599638c843d32beaa4119961330d6c (patch) | |
| tree | acc3b84d305ca8acbc58de22a316ac46f1cc8d3b | |
| parent | 61e7d0cd0c4201f0264faee81a884ad37ea51447 (diff) | |
Fix CVE-2024-11695.
* data/patches/CVE-2024-11695.patch: New file.
| -rw-r--r-- | data/patches/CVE-2024-11695.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/data/patches/CVE-2024-11695.patch b/data/patches/CVE-2024-11695.patch new file mode 100644 index 0000000..aef984e --- /dev/null +++ b/data/patches/CVE-2024-11695.patch @@ -0,0 +1,91 @@ +Fixes CVE-2024-11695 (URL Bar Spoofing via Manipulated Punycode and Whitespace Characters) +Based on <https://hg.mozilla.org/releases/mozilla-esr128/rev/e6099586845f23c0f85fe29a636980e57d206897> +Adapted to ESR 115 by Mark H Weaver <mhw@netris.org> + +# HG changeset patch +# User Marco Bonardo <mbonardo@mozilla.com> +# Date 1731417582 0 +# Node ID e6099586845f23c0f85fe29a636980e57d206897 +# Parent 3b50417aca257bfb30f3277f915fc400aa83c7c7 +Bug 1925496. a=dmeehan + +Original Revision: https://phabricator.services.mozilla.com/D228315 + +Differential Revision: https://phabricator.services.mozilla.com/D228568 + +diff --git a/browser/components/urlbar/UrlbarInput.sys.mjs b/browser/components/urlbar/UrlbarInput.sys.mjs +--- a/browser/components/urlbar/UrlbarInput.sys.mjs ++++ b/browser/components/urlbar/UrlbarInput.sys.mjs +@@ -4001,22 +4001,23 @@ function losslessDecodeURI(aURI) { + // U+2028-2029: line and paragraph separators + // U+2800: braille empty pattern + // U+FFFC: object replacement character + // Encode any trailing whitespace that may be part of a pasted URL, so that it + // doesn't get eaten away by the location bar (bug 410726). + // Encode all adjacent space chars (U+0020), to prevent spoofing attempts + // where they would push part of the URL to overflow the location bar + // (bug 1395508). A single space, or the last space if the are many, is +- // preserved to maintain readability of certain urls. We only do this for the +- // common space, because others may be eaten when copied to the clipboard, so +- // it's safer to preserve them encoded. ++ // preserved to maintain readability of certain urls if it's not followed by a ++ // control or separator character. We only do this for the common space, ++ // because others may be eaten when copied to the clipboard,so it's safer to ++ // preserve them encoded. + value = value.replace( + // eslint-disable-next-line no-control-regex +- /[\u0000-\u001f\u007f-\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u2800\u3000\ufffc]|[\r\n\t]|\u0020(?=\u0020)|\s$/g, ++ /[[\p{Separator}--\u0020]\p{Control}\u2800\ufffc]|\u0020(?=[\p{Other}\p{Separator}])|\s$/gv, + encodeURIComponent + ); + + // Encode characters that are ignorable, can't be rendered usefully, or may + // confuse users. + // + // Default ignorable characters; ZWNJ (U+200C) and ZWJ (U+200D) are excluded + // per bug 582186: +@@ -4028,19 +4029,20 @@ function losslessDecodeURI(aURI) { + // U+061C, U+200E, U+200F, U+202A-202E, U+2066-2069 + // Other format characters in the Cf category that are unlikely to be rendered + // usefully: + // U+0600-0605, U+08E2, U+110BD (U+D804 + U+DCBD), + // U+110CD (U+D804 + U+DCCD), U+13430-13438 (U+D80D + U+DC30-DC38), + // U+1BCA0-1BCA3 (U+D82F + U+DCA0-DCA3) + // Mimicking UI parts: + // U+1F50F-1F513 (U+D83D + U+DD0F-DD13), U+1F6E1 (U+D83D + U+DEE1) ++ // Unassigned codepoints, sometimes shown as empty glyphs. + value = value.replace( + // eslint-disable-next-line no-misleading-character-class +- /[\u00ad\u034f\u061c\u06dd\u070f\u115f\u1160\u17b4\u17b5\u180b-\u180e\u200b\u200e\u200f\u202a-\u202e\u2060-\u206f\u3164\u0600-\u0605\u08e2\ufe00-\ufe0f\ufeff\uffa0\ufff0-\ufffb]|\ud804[\udcbd\udccd]|\ud80d[\udc30-\udc38]|\ud82f[\udca0-\udca3]|\ud834[\udd73-\udd7a]|[\udb40-\udb43][\udc00-\udfff]|\ud83d[\udd0f-\udd13\udee1]/g, ++ /[\u00ad\u034f\u061c\u06dd\u070f\u115f\u1160\u17b4\u17b5\u180b-\u180e\u200b\u200e\u200f\u202a-\u202e\u2060-\u206f\u3164\u0600-\u0605\u08e2\ufe00-\ufe0f\ufeff\uffa0\ufff0-\ufffb\p{Unassigned}\p{Private_Use}]|\ud804[\udcbd\udccd]|\ud80d[\udc30-\udc38]|\ud82f[\udca0-\udca3]|\ud834[\udd73-\udd7a]|[\udb40-\udb43][\udc00-\udfff]|\ud83d[\udd0f-\udd13\udee1]/gv, + encodeURIComponent + ); + return value; + } + + /** + * Handles copy and cut commands for the urlbar. + */ +diff --git a/browser/components/urlbar/tests/browser/browser_copying.js b/browser/components/urlbar/tests/browser/browser_copying.js +--- a/browser/components/urlbar/tests/browser/browser_copying.js ++++ b/browser/components/urlbar/tests/browser/browser_copying.js +@@ -247,17 +247,17 @@ var tests = [ + }, + { + loadURL: "http://example.com/a%E3%80%80test", + expectedURL: "example.com/a%E3%80%80test", + copyExpected: "http://example.com/a%E3%80%80test", + }, + { + loadURL: "http://example.com/a%20%C2%A0test", +- expectedURL: "example.com/a %C2%A0test", ++ expectedURL: "example.com/a%20%C2%A0test", + copyExpected: "http://example.com/a%20%C2%A0test", + }, + { + loadURL: "http://example.com/%20%20%20", + expectedURL: "example.com/%20%20%20", + copyExpected: "http://example.com/%20%20%20", + }, + { + |