Macintosh-SW
/
tenfourfox
mirror of https://github.com/classilla/tenfourfox.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

#654: M1746720 M1737816 M1746011 M1739957 M1740985+backbugs M1742421, update HSTS, TLDs

This commit is contained in:
Cameron Kaiser 2022-02-24 10:06:45 -08:00
parent fd2b82f13a
commit 861ae8f628
10 changed files with 1128 additions and 2287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
dom/events/EventListenerManager.cpp
View File

@ -24,6 +24,7 @@
#include "mozilla/dom/Element.h"
#include "mozilla/dom/Event.h"
#include "mozilla/dom/EventTargetBinding.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/TimelineConsumers.h"
#include "mozilla/EventTimelineMarker.h"
@ -712,6 +713,8 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
bool aPermitUntrustedEvents,
Element* aElement)
{
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIScriptGlobalObject> global =
GetScriptGlobalAndDocument(getter_AddRefs(doc));
@ -786,6 +789,8 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
NS_ENSURE_STATE(global->GetGlobalJSObject());
removeEventHandler.release();
Listener* listener = SetEventHandlerInternal(aName,
EmptyString(),
TypedEventHandler(),

3
dom/media/ADTSDemuxer.cpp
View File

@ -852,8 +852,9 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) {
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
// Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
aSize = std::min<int64_t>(aSize, max);
}
uint32_t read = 0;

3
dom/media/MP3Demuxer.cpp
View File

@ -655,7 +655,8 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) {
// Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
aSize = std::min<int64_t>(aSize, max);
}
uint32_t read = 0;

2
dom/workers/ScriptLoader.cpp
View File

@ -1993,12 +1993,14 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
case NS_ERROR_FILE_NOT_FOUND:
case NS_ERROR_NOT_AVAILABLE:
case NS_ERROR_CORRUPTED_CONTENT:
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
break;
case NS_ERROR_MALFORMED_URI:
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
// fall through
case NS_ERROR_DOM_BAD_URI:
case NS_ERROR_DOM_SECURITY_ERR:
case NS_ERROR_DOM_SYNTAX_ERR:
Throw(aCx, aLoadResult);

34
dom/xslt/xslt/txMozillaXMLOutput.cpp
View File

@ -236,19 +236,6 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
}
}
if (!mRefreshString.IsEmpty()) {
nsPIDOMWindow *win = mDocument->GetWindow();
if (win) {
nsCOMPtr<nsIRefreshURI> refURI =
do_QueryInterface(win->GetDocShell());
if (refURI) {
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
mDocument->NodePrincipal(),
mRefreshString);
}
}
}
if (mNotifier) {
mNotifier->OnTransformEnd();
}
@ -747,30 +734,13 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
return NS_OK;
}
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
// handle HTTP-EQUIV data
nsAutoString httpEquiv;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
if (!httpEquiv.IsEmpty()) {
nsAutoString value;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
if (!value.IsEmpty()) {
nsContentUtils::ASCIIToLower(httpEquiv);
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
processHTTPEquiv(header, value);
}
}
}
return NS_OK;
}
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
{
// For now we only handle "refresh". There's a longer list in
// HTMLContentSink::ProcessHeaderData
if (aHeader == nsGkAtoms::refresh)
LossyCopyUTF16toASCII(aValue, mRefreshString);
MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720");
}
nsresult

88
netwerk/dns/effective_tld_names.dat
View File

@ -9,7 +9,7 @@
// ===BEGIN ICANN DOMAINS===
// ac : https://en.wikipedia.org/wiki/.ac
// ac : http://nic.ac/rules.htm
ac
com.ac
edu.ac
@ -865,6 +865,7 @@ gov.cx
// cy : http://www.nic.cy/
// Submitted by registry Panayiotou Fotia <cydns@ucy.ac.cy>
// namespace policies URL https://www.nic.cy/portal//sites/default/files/symfonia_gia_eggrafi.pdf
cy
ac.cy
biz.cy
@ -872,10 +873,9 @@ com.cy
ekloges.cy
gov.cy
ltd.cy
name.cy
mil.cy
net.cy
org.cy
parliament.cy
press.cy
pro.cy
tm.cy
@ -1366,7 +1366,7 @@ info
int
eu.int
// io : http://www.nic.io/rules.html
// io : http://www.nic.io/rules.htm
// list of other 2nd level tlds ?
io
com.io
@ -3765,11 +3765,10 @@ org.kw
// ky : http://www.icta.ky/da_ky_reg_dom.php
// Confirmed by registry <kysupport@perimeterusa.com> 2008-06-17
ky
edu.ky
gov.ky
com.ky
org.ky
edu.ky
net.ky
org.ky
// kz : https://en.wikipedia.org/wiki/.kz
// see also: http://www.nic.kz/rules/index.jsp
@ -6037,7 +6036,7 @@ gov.sg
edu.sg
per.sg
// sh : http://www.nic.sh/registrar.html
// sh : http://nic.sh/rules.htm
sh
com.sh
net.sh
@ -7132,7 +7131,7 @@ org.zw
// newGTLDs
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2021-12-04T15:13:28Z
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2022-02-18T15:13:38Z
// This list is auto-generated, don't edit it manually.
// aaa : 2015-02-26 American Automobile Association, Inc.
aaa
@ -7527,7 +7526,7 @@ bosch
// bostik : 2015-05-28 Bostik SA
bostik
// boston : 2015-12-10 Boston TLD Management, LLC
// boston : 2015-12-10 Registry Services, LLC
boston
// bot : 2014-12-18 Amazon Registry Services, Inc.
@ -7557,9 +7556,6 @@ brother
// brussels : 2014-02-06 DNS.be vzw
brussels
// budapest : 2013-11-21 Minds + Machines Group Limited
budapest
// bugatti : 2015-07-23 Bugatti International SA
bugatti
@ -7596,7 +7592,7 @@ call
// calvinklein : 2015-07-30 PVH gTLD Holdings LLC
calvinklein
// cam : 2016-04-21 AC Webconnecting Holding B.V.
// cam : 2016-04-21 Cam Connecting SARL
cam
// camera : 2013-08-27 Binky Moon, LLC
@ -7869,9 +7865,6 @@ cruise
// cruises : 2013-12-05 Binky Moon, LLC
cruises
// csc : 2014-09-25 Alliance-One Services, Inc.
csc
// cuisinella : 2014-04-03 SCHMIDT GROUPE S.A.S.
cuisinella
@ -8871,9 +8864,6 @@ live
// living : 2015-07-30 Lifestyle Domain Holdings, Inc.
living
// lixil : 2015-03-19 LIXIL Group Corporation
lixil
// llc : 2017-12-14 Afilias Limited
llc
@ -9012,7 +9002,7 @@ menu
// merckmsd : 2016-07-14 MSD Registry Holdings, Inc.
merckmsd
// miami : 2013-12-19 Minds + Machines Group Limited
// miami : 2013-12-19 Registry Services, LLC
miami
// microsoft : 2014-12-18 Microsoft Corporation
@ -10815,6 +10805,10 @@ myasustor.com
// Submitted by Sam Smyth <devloop@atlassian.com>
cdn.prod.atlassian-dev.net
// Authentick UG (haftungsbeschränkt) : https://authentick.net
// Submitted by Lukas Reschke <lukas@authentick.net>
translated.page
// AVM : https://avm.de
// Submitted by Andreas Weise <a.weise@avm.de>
myfritz.net
@ -10868,6 +10862,10 @@ theshop.jp
shopselect.net
base.shop
// Beget Ltd
// Submitted by Lev Nekrasov <lnekrasov@beget.com>
*.beget.app
// BetaInABox
// Submitted by Adrian <adrian@betainabox.com>
betainabox.com
@ -11109,6 +11107,10 @@ cloudns.us
// Submitted by Angelo Gladding <angelo@lahacker.net>
cnpy.gdn
// Codeberg e. V. : https://codeberg.org
// Submitted by Moritz Marquardt <git@momar.de>
codeberg.page
// CoDNS B.V.
co.nl
co.no
@ -11240,6 +11242,11 @@ dedyn.io
*.rss.my.id
*.diher.solutions
// Discord Inc : https://discord.com
// Submitted by Sahn Lam <slam@discordapp.com>
discordsays.com
discordsez.com
// DNS Africa Ltd https://dns.business
// Submitted by Calvin Browne <calvin@dns.business>
jozi.biz
@ -11964,10 +11971,21 @@ futuremailing.at
*.kunden.ortsinfo.at
*.statics.cloud
// GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains
// Submitted by David Illsley <david.illsley@digital.cabinet-office.gov.uk>
// GDS : https://www.gov.uk/service-manual/technology/managing-domain-names
// Submitted by Stephen Ford <hostmaster@digital.cabinet-office.gov.uk>
independent-commission.uk
independent-inquest.uk
independent-inquiry.uk
independent-panel.uk
independent-review.uk
public-inquiry.uk
royal-commission.uk
service.gov.uk
// CDDO : https://www.gov.uk/guidance/get-an-api-domain-on-govuk
// Submitted by Jamie Tanna <jamie.tanna@digital.cabinet-office.gov.uk>
api.gov.uk
// Gehirn Inc. : https://www.gehirn.co.jp/
// Submitted by Kohei YOSHIDA <tech@gehirn.co.jp>
gehirn.ne.jp
@ -12437,6 +12455,10 @@ js.org
kaas.gg
khplay.nl
// Kapsi : https://kapsi.fi
// Submitted by Tomi Juntunen <erani@kapsi.fi>
kapsi.fi
// Keyweb AG : https://www.keyweb.de
// Submitted by Martin Dannehl <postmaster@keymachine.de>
keymachine.de
@ -13046,6 +13068,10 @@ pleskns.com
// Submitted by Maximilian Schieder <maxi@zeug.co>
dyn53.io
// Porter : https://porter.run/
// Submitted by Rudraksh MK <rudi@porter.run>
onporter.run
// Positive Codes Technology Company : http://co.bn/faq.html
// Submitted by Zulfais <pc@co.bn>
co.bn
@ -13207,6 +13233,10 @@ itcouldbewor.se
// Submitted by Jennifer Herting <jchits@rit.edu>
git-pages.rit.edu
// Rocky Enterprise Software Foundation : https://resf.org
// Submitted by Neil Hanlon <neil@resf.org>
rocky.page
// Rusnames Limited: http://rusnames.ru/
// Submitted by Sergey Zotov <admin@rusnames.ru>
биз.рус
@ -13483,6 +13513,10 @@ gdynia.pl
med.pl
sopot.pl
// team.blue https://team.blue
// Submitted by Cedric Dubois <cedric.dubois@team.blue>
site.tb-hosting.com
// Teckids e.V. : https://www.teckids.org
// Submitted by Dominik George <dominik.george@teckids.org>
edugit.io
@ -13686,6 +13720,10 @@ me.vu
// Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
v.ua
// Vultr Objects : https://www.vultr.com/products/object-storage/
// Submitted by Niels Maumenee <storage@vultr.com>
*.vultrobjects.com
// Waffle Computer Inc., Ltd. : https://docs.waffleinfo.com
// Submitted by Masayuki Note <masa@blade.wafflecell.com>
wafflecell.com
@ -13735,6 +13773,10 @@ wmcloud.org
panel.gg
daemon.panel.gg
// Wizard Zines : https://wizardzines.com
// Submitted by Julia Evans <julia@wizardzines.com>
messwithdns.com
// WoltLab GmbH : https://www.woltlab.com
// Submitted by Tim Düsterhus <security@woltlab.cloud>
woltlab-demo.com

2
security/manager/ssl/StaticHPKPins.h
View File

@ -1149,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
static const int32_t kUnknownId = -1;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1648464588021000);
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1654167021983000);

3170
security/manager/ssl/nsSTSPreloadList.inc
View File

File diff suppressed because it is too large Load Diff

106
security/pkix/lib/pkixocsp.cpp
View File

@ -28,14 +28,22 @@
#include "pkixcheck.h"
#include "pkixutil.h"
namespace {
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
} // unnamed namespace
namespace mozilla { namespace pkix {
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
switch (digestAlgorithm) {
case DigestAlgorithm::sha1:
return 160 / 8;
case DigestAlgorithm::sha256:
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
// These values correspond to the tag values in the ASN.1 CertStatus
enum class CertStatus : uint8_t {
Good = der::CONTEXT_SPECIFIC | 0,
@ -172,10 +180,12 @@ static inline Result CertID(Reader& input,
const Context& context,
/*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -204,7 +214,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) {
return rv;
}
return MatchKeyHash(trustDomain, keyHash,
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
potentialSignerSubjectPublicKeyInfo, match);
}
@ -715,36 +725,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success;
}
// TODO: support SHA-2 hashes.
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked."
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
rv = context.trustDomain.DigestBuf(context.certID.issuer,
DigestAlgorithm::sha1, hashBuf,
sizeof(hashBuf));
hashAlgorithm, hashBuf,
hashAlgorithmLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
return MatchKeyHash(context.trustDomain, issuerKeyHash,
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match);
}
@ -758,30 +768,53 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused
// -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
const Input subjectPublicKeyInfo, /*out*/ bool& match)
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
Input keyHash, const Input subjectPublicKeyInfo,
/*out*/ bool& match)
{
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (keyHash.GetLength() != hashLength) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
static uint8_t hashBuf[SHA1_DIGEST_LENGTH];
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
sizeof hashBuf);
static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash);
return Success;
}
// TODO(bug 966856): support SHA-2 hashes
Result
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
size_t hashBufSize)
{
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -814,8 +847,8 @@ KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
return rv;
}
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
hashBuf, hashBufSize);
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
hashBufSize);
}
Result
@ -865,8 +898,6 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash.
@ -930,7 +961,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04;
*d++ = hashLen;
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) {
return rv;
}

2
widget/cocoa/nsCocoaWindow.mm
View File

@ -1272,6 +1272,8 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
[mWindow deminiaturize:nil];
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
[mWindow zoom:nil];
else if (previousMode == nsSizeMode_Fullscreen)
MakeFullScreen(false);
}
else if (aMode == nsSizeMode_Minimized) {
if (![mWindow isMiniaturized])