packages/mozjs78
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix cves

Browse Source
This commit is contained in:
sun_hai_10 2024-04-08 20:26:32 +08:00
parent 94d5b0bd3a
commit f16b820f3c
4 changed files with 293 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
backport-CVE-2023-23599.patch Normal file
View File

@ -0,0 +1,42 @@
From fd34a58ac999727dde9fbe909953e1a9b5e34b04 Mon Sep 17 00:00:00 2001
From: s30028044 <sunhai10@huawei.com>
Date: Mon, 8 Apr 2024 19:41:26 +0800
Subject: [PATCH] CVE-2023-23599
---
devtools/client/netmonitor/test/browser_net_curl-utils.js | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/devtools/client/netmonitor/test/browser_net_curl-utils.js b/devtools/client/netmonitor/test/browser_net_curl-utils.js
index dbca31b..5258f5c 100644
--- a/devtools/client/netmonitor/test/browser_net_curl-utils.js
+++ b/devtools/client/netmonitor/test/browser_net_curl-utils.js
@@ -307,10 +307,10 @@ function testEscapeStringWin() {
"Double quotes should be escaped."
);
- const percentSigns = "%AppData%";
+ const percentSigns = "%TEMP% %@foo% %2XX% %_XX% %?XX%";
is(
CurlUtils.escapeStringWin(percentSigns),
- '""%"AppData"%""',
+ '"^%^TEMP^% ^%^@foo^% ^%^2XX^% ^%^_XX^% ^%?XX^%"',
"Percent signs should be escaped."
);
@@ -321,10 +321,10 @@ function testEscapeStringWin() {
"Backslashes should be escaped."
);
- const newLines = "line1\r\nline2\r\nline3";
+ const newLines = "line1\r\nline2\r\rline3\n\nline4";
is(
CurlUtils.escapeStringWin(newLines),
- '"line1"^\u000d\u000A\u000d\u000A"line2"^\u000d\u000A\u000d\u000A"line3"',
+ '"line1"^\r\n\r\n"line2"^\r\n\r\n""^\r\n\r\n"line3"^\r\n\r\n""^\r\n\r\n"line4"',
"Newlines should be escaped."
);
}
--
2.27.0

118
backport-CVE-2023-23601.patch Normal file
View File

@ -0,0 +1,118 @@
From 5d3ed1e2012322bff7593b7a508f89203d9cd3f9 Mon Sep 17 00:00:00 2001
From: s30028044 <sunhai10@huawei.com>
Date: Mon, 8 Apr 2024 19:50:07 +0800
Subject: [PATCH] CVE-2023-23601
---
dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
dom/events/DataTransfer.cpp | 11 +++++++++++
dom/events/DataTransfer.h | 3 +++
dom/webidl/DataTransfer.webidl | 7 +++++++
4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
index 26764ac..adce0e1 100644
--- a/dom/base/ContentAreaDropListener.jsm
+++ b/dom/base/ContentAreaDropListener.jsm
@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
return true;
}
- let sourceNode = dataTransfer.mozSourceNode;
- if (!sourceNode) {
+ // If this is an external drag, allow drop.
+ let sourceWC = dataTransfer.sourceWindowContext;
+ if (!sourceWC) {
return true;
}
- // don't allow a drop of a node from the same document onto this one
- let sourceDocument = sourceNode.ownerDocument;
- let eventDocument = aEvent.originalTarget.ownerDocument;
- if (sourceDocument == eventDocument) {
+ // If drag source and drop target are in the same top window, don't allow.
+ let eventWC =
+ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
+ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
return false;
}
- // also check for nodes in other child or sibling frames by checking
- // if both have the same top window.
- if (sourceDocument && eventDocument) {
- if (sourceDocument.defaultView == null) {
- return true;
- }
- let sourceRoot = sourceDocument.defaultView.top;
- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
- return false;
- }
- }
-
return true;
},
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 4c623a2..e725e8d 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -435,6 +435,17 @@ already_AddRefed<nsINode> DataTransfer::GetMozSourceNode() {
return sourceNode.forget();
}
+already_AddRefed<WindowContext> DataTransfer::GetSourceWindowContext() {
+ nsCOMPtr<nsIDragSession> dragSession = nsContentUtils::GetDragSession();
+ if (!dragSession) {
+ return nullptr;
+ }
+
+ RefPtr<WindowContext> sourceWindowContext;
+ dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext));
+ return sourceWindowContext.forget();
+}
+
already_AddRefed<DOMStringList> DataTransfer::MozTypesAt(
uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
// Only the first item is valid for clipboard events
diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
index 1d3305e..c086e02 100644
--- a/dom/events/DataTransfer.h
+++ b/dom/events/DataTransfer.h
@@ -40,6 +40,7 @@ class FileList;
class Promise;
template <typename T>
class Optional;
+class WindowContext;
#define NS_DATATRANSFER_IID \
{ \
@@ -257,6 +258,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
already_AddRefed<nsINode> GetMozSourceNode();
+ already_AddRefed<WindowContext> GetSourceWindowContext();
+
/*
* Integer version of dropEffect, set to one of the constants in
* nsIDragService.
diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
index f37bcf7..ac019a5 100644
--- a/dom/webidl/DataTransfer.webidl
+++ b/dom/webidl/DataTransfer.webidl
@@ -159,6 +159,13 @@ partial interface DataTransfer {
[UseCounter]
readonly attribute Node? mozSourceNode;
+ /**
+ * The window context that mouse was pressed over to begin the drag. For
+ * external drags, this will be null.
+ */
+ [ChromeOnly]
+ readonly attribute WindowContext? sourceWindowContext;
+
/**
* The URI spec of the triggering principal. This may be different than
* sourceNode's principal when sourceNode is xul:browser and the drag is
--
2.27.0

125
backport-CVE-2023-23602.patch Normal file
View File

@ -0,0 +1,125 @@
From 09cd706b37d396636546c8a402fe8ca7438716c4 Mon Sep 17 00:00:00 2001
From: s30028044 <sunhai10@huawei.com>
Date: Mon, 8 Apr 2024 20:02:38 +0800
Subject: [PATCH] CVE-2023-23602
---
dom/websocket/WebSocket.cpp | 39 ++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp
index caa60d9cd5..59aca1d227 100644
--- a/dom/websocket/WebSocket.cpp
+++ b/dom/websocket/WebSocket.cpp
@@ -120,7 +120,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor,
bool IsTargetThread() const;
nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
- nsIPrincipal* aPrincipal, bool aIsServerSide,
+ nsIPrincipal* aPrincipal, const Maybe<ClientInfo>& aClientInfo,
+ nsICSPEventListener* aCSPEventListener, bool aIsServerSide,
const nsAString& aURL, nsTArray<nsString>& aProtocolArray,
const nsACString& aScriptFile, uint32_t aScriptLine,
uint32_t aScriptColumn);
@@ -979,6 +980,7 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable {
class InitRunnable final : public WebSocketMainThreadRunnable {
public:
InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl,
+ const Maybe<mozilla::dom::ClientInfo>& aClientInfo,
bool aIsServerSide, const nsAString& aURL,
nsTArray<nsString>& aProtocolArray,
const nsACString& aScriptFile, uint32_t aScriptLine,
@@ -986,6 +988,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
: WebSocketMainThreadRunnable(aWorkerPrivate,
NS_LITERAL_CSTRING("WebSocket :: init")),
mImpl(aImpl),
+ mClientInfo(aClientInfo),
mIsServerSide(aIsServerSide),
mURL(aURL),
mProtocolArray(aProtocolArray),
@@ -1015,10 +1018,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
return true;
}
- mErrorCode =
- mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(),
- doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray,
- mScriptFile, mScriptLine, mScriptColumn);
+ mErrorCode = mImpl->Init(
+ jsapi.cx(), mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(),
+ mClientInfo, mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
+ mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
return true;
}
@@ -1028,7 +1031,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
mErrorCode =
mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(),
- aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL,
+ aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo,
+ mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
return true;
}
@@ -1036,6 +1040,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
// Raw pointer. This worker runnable runs synchronously.
WebSocketImpl* mImpl;
+ Maybe<ClientInfo> mClientInfo;
bool mIsServerSide;
const nsAString& mURL;
nsTArray<nsString>& mProtocolArray;
@@ -1230,9 +1235,8 @@ already_AddRefed<WebSocket> WebSocket::ConstructorCommon(
}
aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal,
- !!aTransportProvider, aUrl, protocolArray,
- EmptyCString(), 0, 0);
-
+ Nothing(), nullptr, !!aTransportProvider, aUrl,
+ protocolArray, ""_ns, 0, 0);
if (NS_WARN_IF(aRv.Failed())) {
return nullptr;
}
@@ -1256,8 +1260,9 @@ already_AddRefed<WebSocket> WebSocket::ConstructorCommon(
}
RefPtr<InitRunnable> runnable = new InitRunnable(
- workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray,
- nsDependentCString(file.get()), lineno, column);
+ workerPrivate, webSocketImpl,
+ workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider,
+ aUrl, protocolArray, nsDependentCString(file.get()), lineno, column);
runnable->Dispatch(Canceling, aRv);
if (NS_WARN_IF(aRv.Failed())) {
return nullptr;
@@ -1443,8 +1448,10 @@ void WebSocket::DisconnectFromOwner() {
//-----------------------------------------------------------------------------
nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
- nsIPrincipal* aPrincipal, bool aIsServerSide,
- const nsAString& aURL,
+ nsIPrincipal* aPrincipal,
+ const Maybe<ClientInfo>& aClientInfo,
+ nsICSPEventListener* aCSPEventListener,
+ bool aIsServerSide, const nsAString& aURL,
nsTArray<nsString>& aProtocolArray,
const nsACString& aScriptFile,
uint32_t aScriptLine, uint32_t aScriptColumn) {
@@ -1537,7 +1544,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
aPrincipal, // loading principal
aPrincipal, // triggering principal
originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
- nsIContentPolicy::TYPE_WEBSOCKET);
+ nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
+
+ if (aCSPEventListener) {
+ secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
+ }
int16_t shouldLoad = nsIContentPolicy::ACCEPT;
rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, EmptyCString(),
--
2.27.0

9
mozjs78.spec
View File

@ -2,7 +2,7 @@
Name: mozjs%{major} Name: mozjs%{major}
Version: 78.4.0 Version: 78.4.0
Release: 2 Release: 3
Summary: SpiderMonkey JavaScript library Summary: SpiderMonkey JavaScript library
License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0 License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@ -23,6 +23,10 @@ Patch08: spidermonkey_checks_disable.patch
Patch09: Update-syn-and-proc-macro2-so-that-Firefox-can-build-on-Rust-nightly-again.patch Patch09: Update-syn-and-proc-macro2-so-that-Firefox-can-build-on-Rust-nightly-again.patch
Patch10: Fix-build-with-rust-nightly.patch Patch10: Fix-build-with-rust-nightly.patch
Patch11: backport-CVE-2023-23599.patch
Patch12: backport-CVE-2023-23601.patch
Patch13: backport-CVE-2023-23602.patch
BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib)
BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@ -101,6 +105,9 @@ popd
%doc js/src/README.html %doc js/src/README.html
%changelog %changelog
* Mon Apr 08 2024 sunhai <sunhai10@huawei.com> - 78.4.0-3
- fix CVEs
* Tue May 11 2021 zhanzhimin <zhanzhimin@huawei.com> - 78.4.0-2 * Tue May 11 2021 zhanzhimin <zhanzhimin@huawei.com> - 78.4.0-2
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA