#593: M1607742 M1684490 + updated TLDs, pins, HSTS

devtools/client/shared/Curl.jsm

@@ -63,6 +63,18 @@ this.Curl = {
     let utils = CurlUtils;
 
     let command = ["curl"];
+
+    // Make sure to use the following helpers to sanitize arguments before execution.
+    const addParam = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      command.push(safe);
+    };
+
+    const addPostData = value => {
+      const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+      data.push(safe);
+    };
+
     let ignoredHeaders = new Set();
 
     // The cURL command is expected to run on the same platform that Firefox runs
@@ -71,7 +83,7 @@ this.Curl = {
                        utils.escapeStringWin : utils.escapeStringPosix;
 
     // Add URL.
-    command.push(escapeString(aData.url));
+    addParam(aData.url);
 
     let postDataText = null;
     let multipartRequest = utils.isMultipartRequest(aData);
@@ -80,15 +92,15 @@ this.Curl = {
     let data = [];
     if (utils.isUrlEncodedRequest(aData) || aData.method == "PUT") {
       postDataText = aData.postDataText;
-      data.push("--data");
+      addPostData("--data");
-      data.push(escapeString(utils.writePostDataTextParams(postDataText)));
+      addPostData(utils.writePostDataTextParams(postDataText));
       ignoredHeaders.add("Content-Length");
     } else if (multipartRequest) {
       postDataText = aData.postDataText;
-      data.push("--data-binary");
+      addPostData("--data-binary");
       let boundary = utils.getMultipartBoundary(aData);
       let text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
-      data.push(escapeString(text));
+      addPostData(text);
       ignoredHeaders.add("Content-Length");
     }
 
@@ -96,20 +108,20 @@ this.Curl = {
     // For GET and POST requests this is not necessary as GET is the
     // default. If --data or --binary is added POST is the default.
     if (!(aData.method == "GET" || aData.method == "POST")) {
-      command.push("-X");
+      addParam("-X");
-      command.push(aData.method);
+      addParam(aData.method);
     }
 
     // Add -I (HEAD)
     // For servers that supports HEAD.
     // This will fetch the header of a document only.
     if (aData.method == "HEAD") {
-      command.push("-I");
+      addParam("-I");
     }
 
     // Add http version.
     if (aData.httpVersion && aData.httpVersion != DEFAULT_HTTP_VERSION) {
-      command.push("--" + aData.httpVersion.split("/")[1]);
+      addParam("--" + aData.httpVersion.split("/")[1]);
     }
 
     // Add request headers.
@@ -121,14 +133,14 @@ this.Curl = {
     for (let i = 0; i < headers.length; i++) {
       let header = headers[i];
       if (header.name === "Accept-Encoding"){
-        command.push("--compressed");
+        addParam("--compressed");
         continue;
       }
       if (ignoredHeaders.has(header.name)) {
         continue;
       }
-      command.push("-H");
+      addParam("-H");
-      command.push(escapeString(header.name + ": " + header.value));
+      addParam(header.name + ": " + header.value);
     }
 
     // Add post data.

netwerk/dns/effective_tld_names.dat

@@ -982,8 +982,19 @@ fi
 // TODO: Check for updates (expected to be phased out around Q1/2009)
 aland.fi
 
-// fj : https://en.wikipedia.org/wiki/.fj
+// fj : http://domains.fj/
-*.fj
+// Submitted by registry <garth.miller@cocca.org.nz> 2020-02-11
+fj
+ac.fj
+biz.fj
+com.fj
+gov.fj
+info.fj
+mil.fj
+name.fj 
+net.fj
+org.fj
+pro.fj
 
 // fk : https://en.wikipedia.org/wiki/.fk
 *.fk
@@ -7074,7 +7085,7 @@ org.zw
 
 // newGTLDs
 
-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-02-01T17:46:27Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-02-06T17:49:42Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@@ -10532,7 +10543,7 @@ xin
 // xn--nyqy26a : 2014-11-07 Stable Tone Limited
 健康
 
-// xn--otu796d : 2017-08-06 Internet DotTrademark Organisation Limited
+// xn--otu796d : 2017-08-06 Jiang Yu Liang Cai Technology Company Limited
 招聘
 
 // xn--p1acf : 2013-12-12 Rusnames Limited

netwerk/protocol/ftp/nsFtpConnectionThread.cpp

@@ -85,6 +85,7 @@ nsFtpState::nsFtpState()
     , mAnonymous(true)
     , mRetryPass(false)
     , mStorReplyReceived(false)
+    , mRlist1xxReceived(false)
     , mInternalError(NS_OK)
     , mReconnectAndLoginAgain(false)
     , mCacheConnection(true)
@@ -1187,15 +1188,18 @@ nsFtpState::S_list() {
 FTP_STATE
 nsFtpState::R_list() {
     if (mResponseCode/100 == 1) {
+        mRlist1xxReceived = true;
+
         // OK, time to start reading from the data connection.
         if (mDataStream && HasPendingCallback())
             mDataStream->AsyncWait(this, 0, 0, CallbackTarget());
         return FTP_READ_BUF;
     }
 
-    if (mResponseCode/100 == 2) {
+    if (mResponseCode/100 == 2 && mRlist1xxReceived) {
         //(DONE)
         mNextState = FTP_COMPLETE;
+        mRlist1xxReceived = false;
         return FTP_COMPLETE;
     }
     return FTP_ERROR;

netwerk/protocol/ftp/nsFtpConnectionThread.h

@@ -185,6 +185,8 @@ private:
     bool                mRetryPass;     // retrying the password
     bool                mStorReplyReceived; // FALSE if waiting for STOR
                                             // completion status from server
+    bool                mRlist1xxReceived;  // TRUE if we have received a LIST
+                                            // 1xx response from the server
     nsresult            mInternalError; // represents internal state errors
     bool                mReconnectAndLoginAgain;
     bool                mCacheConnection;

security/manager/ssl/StaticHPKPins.h

@@ -686,7 +686,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
   { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
   { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems },
-  { "chromereporting-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
   { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
   { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
   { "cl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
@@ -1083,7 +1082,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "torproject.org", false, false, false, -1, &kPinset_tor },
   { "touch.facebook.com", true, false, false, -1, &kPinset_facebook },
   { "tr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-  { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
   { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
   { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
   { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
@@ -1133,8 +1131,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };
 
-// Pinning Preload List Length = 488;
+// Pinning Preload List Length = 486;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1588253180115000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1590413552686000);