#593: M1607742 M1684490 + updated TLDs, pins, HSTS

2020-02-18 20:53:57 -08:00 · 2020-02-18 20:53:57 -08:00 · 67706e1f63
parent 1cdef889be
commit 67706e1f63
6 changed files with 2722 additions and 1676 deletions
--- a/devtools/client/shared/Curl.jsm
+++ b/devtools/client/shared/Curl.jsm
@ -63,6 +63,18 @@ this.Curl = {
    let utils = CurlUtils;

    let command = ["curl"];
+
+    // Make sure to use the following helpers to sanitize arguments before execution.
+    const addParam = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      command.push(safe);
+    };
+
+    const addPostData = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      data.push(safe);
+    };
+
    let ignoredHeaders = new Set();

    // The cURL command is expected to run on the same platform that Firefox runs
@ -71,7 +83,7 @@ this.Curl = {
                       utils.escapeStringWin : utils.escapeStringPosix;

    // Add URL.
-    command.push(escapeString(aData.url));
+    addParam(aData.url);

    let postDataText = null;
    let multipartRequest = utils.isMultipartRequest(aData);
@ -80,15 +92,15 @@ this.Curl = {
    let data = [];
    if (utils.isUrlEncodedRequest(aData) || aData.method == "PUT") {
      postDataText = aData.postDataText;
-      data.push("--data");
-      data.push(escapeString(utils.writePostDataTextParams(postDataText)));
+      addPostData("--data");
+      addPostData(utils.writePostDataTextParams(postDataText));
      ignoredHeaders.add("Content-Length");
    } else if (multipartRequest) {
      postDataText = aData.postDataText;
-      data.push("--data-binary");
+      addPostData("--data-binary");
      let boundary = utils.getMultipartBoundary(aData);
      let text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
-      data.push(escapeString(text));
+      addPostData(text);
      ignoredHeaders.add("Content-Length");
    }

@ -96,20 +108,20 @@ this.Curl = {
    // For GET and POST requests this is not necessary as GET is the
    // default. If --data or --binary is added POST is the default.
    if (!(aData.method == "GET" || aData.method == "POST")) {
-      command.push("-X");
-      command.push(aData.method);
+      addParam("-X");
+      addParam(aData.method);
    }

    // Add -I (HEAD)
    // For servers that supports HEAD.
    // This will fetch the header of a document only.
    if (aData.method == "HEAD") {
-      command.push("-I");
+      addParam("-I");
    }

    // Add http version.
    if (aData.httpVersion && aData.httpVersion != DEFAULT_HTTP_VERSION) {
-      command.push("--" + aData.httpVersion.split("/")[1]);
+      addParam("--" + aData.httpVersion.split("/")[1]);
    }

    // Add request headers.
@ -121,14 +133,14 @@ this.Curl = {
    for (let i = 0; i < headers.length; i++) {
      let header = headers[i];
      if (header.name === "Accept-Encoding"){
-        command.push("--compressed");
+        addParam("--compressed");
        continue;
      }
      if (ignoredHeaders.has(header.name)) {
        continue;
      }
-      command.push("-H");
-      command.push(escapeString(header.name + ": " + header.value));
+      addParam("-H");
+      addParam(header.name + ": " + header.value);
    }

    // Add post data.
--- a/netwerk/dns/effective_tld_names.dat
+++ b/netwerk/dns/effective_tld_names.dat
@ -982,8 +982,19 @@ fi
 // TODO: Check for updates (expected to be phased out around Q1/2009)
 aland.fi

-// fj : https://en.wikipedia.org/wiki/.fj
-*.fj
+// fj : http://domains.fj/
+// Submitted by registry <garth.miller@cocca.org.nz> 2020-02-11
+fj
+ac.fj
+biz.fj
+com.fj
+gov.fj
+info.fj
+mil.fj
+name.fj 
+net.fj
+org.fj
+pro.fj

 // fk : https://en.wikipedia.org/wiki/.fk
 *.fk
@ -7074,7 +7085,7 @@ org.zw

 // newGTLDs

-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-02-01T17:46:27Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-02-06T17:49:42Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@ -10532,7 +10543,7 @@ xin
 // xn--nyqy26a : 2014-11-07 Stable Tone Limited
 健康

-// xn--otu796d : 2017-08-06 Internet DotTrademark Organisation Limited
+// xn--otu796d : 2017-08-06 Jiang Yu Liang Cai Technology Company Limited
 招聘

 // xn--p1acf : 2013-12-12 Rusnames Limited
--- a/netwerk/protocol/ftp/nsFtpConnectionThread.cpp
+++ b/netwerk/protocol/ftp/nsFtpConnectionThread.cpp
@ -85,6 +85,7 @@ nsFtpState::nsFtpState()
    , mAnonymous(true)
    , mRetryPass(false)
    , mStorReplyReceived(false)
+    , mRlist1xxReceived(false)
    , mInternalError(NS_OK)
    , mReconnectAndLoginAgain(false)
    , mCacheConnection(true)
@ -1187,15 +1188,18 @@ nsFtpState::S_list() {
 FTP_STATE
 nsFtpState::R_list() {
    if (mResponseCode/100 == 1) {
+        mRlist1xxReceived = true;
+
        // OK, time to start reading from the data connection.
        if (mDataStream && HasPendingCallback())
            mDataStream->AsyncWait(this, 0, 0, CallbackTarget());
        return FTP_READ_BUF;
    }

-    if (mResponseCode/100 == 2) {
+    if (mResponseCode/100 == 2 && mRlist1xxReceived) {
        //(DONE)
        mNextState = FTP_COMPLETE;
+        mRlist1xxReceived = false;
        return FTP_COMPLETE;
    }
    return FTP_ERROR;
--- a/netwerk/protocol/ftp/nsFtpConnectionThread.h
+++ b/netwerk/protocol/ftp/nsFtpConnectionThread.h
@ -185,6 +185,8 @@ private:
    bool                mRetryPass;     // retrying the password
    bool                mStorReplyReceived; // FALSE if waiting for STOR
                                            // completion status from server
+    bool                mRlist1xxReceived;  // TRUE if we have received a LIST
+                                            // 1xx response from the server
    nsresult            mInternalError; // represents internal state errors
    bool                mReconnectAndLoginAgain;
    bool                mCacheConnection;
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@ -686,7 +686,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems },
-  { "chromereporting-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "cl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
@ -1083,7 +1082,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "torproject.org", false, false, false, -1, &kPinset_tor },
  { "touch.facebook.com", true, false, false, -1, &kPinset_facebook },
  { "tr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-  { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
  { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
@ -1133,8 +1131,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };

-// Pinning Preload List Length = 488;
+// Pinning Preload List Length = 486;

 static const int32_t kUnknownId = -1;

-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1588253180115000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1590413552686000);
--- a/security/manager/ssl/nsSTSPreloadList.inc
+++ b/security/manager/ssl/nsSTSPreloadList.inc