From owner-cvs-all  Fri May  3 22:26:15 2002
Delivered-To: cvs-all@freebsd.org
Received: from gyros.marcuscom.com (rdu57-17-158.nc.rr.com [66.57.17.158])
	by hub.freebsd.org (Postfix) with ESMTP
	id AA23D37B416; Fri,  3 May 2002 22:25:54 -0700 (PDT)
Received: from gyros.marcuscom.com (localhost [127.0.0.1])
	by gyros.marcuscom.com (8.12.3/8.12.3) with ESMTP id g445Plnh014077;
	Sat, 4 May 2002 01:25:47 -0400 (EDT)
	(envelope-from marcus@FreeBSD.org)
Received: (from marcus@localhost)
	by gyros.marcuscom.com (8.12.3/8.12.3/Submit) id g445PkV4014076;
	Sat, 4 May 2002 01:25:46 -0400 (EDT)
X-Authentication-Warning: gyros.marcuscom.com: marcus set sender to marcus@FreeBSD.org using -f
Subject: Re: cvs commit: ports/www/mozilla Makefile
From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: Trevor Johnson <trevor@jpj.net>
Cc: Martin Blapp <mbr@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org, security-officer@FreeBSD.org, gnome@FreeBSD.org
In-Reply-To: <1020485590.279.8.camel@gyros.marcuscom.com>
References: <20020503201627.M2148-100000@blues.jpj.net> 
	<1020485590.279.8.camel@gyros.marcuscom.com>
Content-Type: multipart/mixed; boundary="=-jZHronSFbexPApOaXgiR"
X-Mailer: Ximian Evolution 1.0.3 
Date: 04 May 2002 01:25:46 -0400
Message-Id: <1020489946.279.11.camel@gyros.marcuscom.com>
Mime-Version: 1.0
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG


--=-jZHronSFbexPApOaXgiR
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

On Sat, 2002-05-04 at 00:13, Joe Marcus Clarke wrote:
> On Fri, 2002-05-03 at 20:17, Trevor Johnson wrote:
> > On Fri, 3 May 2002, Martin Blapp wrote:
> > 
> > > mbr         2002/05/03 07:57:34 PDT
> > >
> > >   Modified files:
> > >     www/mozilla          Makefile
> > >   Log:
> > >   Mark forbidden because of security bug.
> > >
> > >   Approved by:    no response from: maintainer
> > >
> > >   Revision  Changes    Path
> > >   1.98      +2 -0      ports/www/mozilla/Makefile
> > 
> > What about mozilla-embedded and galeon?
> 
> mozilla-embedded is covered by the FORBIDDEN message in mozilla.  Galeon
> is also (though indirectly).  I'm looking at trying to correct the seg
> fault when the patch is applied.  Hopefully, we can get all the ports
> unFORBIDDEN soon.

Speak of the devil ;-).  I think this patch corrects not only the
security hole, but also the resulting seg fault from the initial patch. 
Please test if you can, and let me know.  It worked for me.

Joe

> 
> Joe
> 
> > -- 
> > Trevor Johnson
> > 
> > 
> -- 
> PGP Key: http://www.marcuscom.com/pgp.asc


--=-jZHronSFbexPApOaXgiR
Content-Disposition: attachment; filename=patch-security_fix
Content-Transfer-Encoding: quoted-printable
Content-Type: text/x-patch; name=patch-security_fix; charset=ISO8859-1

Index: uriloader/base/nsDocLoader.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/mozilla/uriloader/base/nsDocLoader.cpp,v
retrieving revision 3.251
diff -u -r3.251 nsDocLoader.cpp
--- uriloader/base/nsDocLoader.cpp	17 Apr 2002 03:48:37 -0000	3.251
+++ uriloader/base/nsDocLoader.cpp	30 Apr 2002 19:02:19 -0000
@@ -1263,6 +1263,7 @@
     rv =3D aNewChannel->GetURI(getter_AddRefs(newURI));
     if (NS_FAILED(rv)) return rv;
=20
+#ifdef HTTP_DOESNT_CALL_CHECKLOADURI
     // verify that this is a legal redirect
     nsCOMPtr<nsIScriptSecurityManager> securityManager =3D=20
              do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
@@ -1270,6 +1271,7 @@
     rv =3D securityManager->CheckLoadURI(oldURI, newURI,
                                        nsIScriptSecurityManager::DISALLOW_=
FROM_MAIL);
     if (NS_FAILED(rv)) return rv;
+#endif
=20
     nsLoadFlags loadFlags =3D 0;
     PRInt32 stateFlags =3D nsIWebProgressListener::STATE_REDIRECTING |
Index: netwerk/protocol/http/src/Makefile.in
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/mozilla/netwerk/protocol/http/src/Makefile.in,v
retrieving revision 1.56
diff -u -r1.56 Makefile.in
--- netwerk/protocol/http/src/Makefile.in	19 Apr 2002 22:25:18 -0000	1.56
+++ netwerk/protocol/http/src/Makefile.in	30 Apr 2002 19:02:19 -0000
@@ -36,6 +36,8 @@
 		  intl \
 		  exthandler \
 		  caps \
+		  xpconnect \
+		  js \
 		  $(NULL)
=20
 CPPSRCS		=3D \
Index: netwerk/protocol/http/src/nsHttpChannel.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,v
retrieving revision 1.114
diff -u -r1.114 nsHttpChannel.cpp
--- netwerk/protocol/http/src/nsHttpChannel.cpp	26 Apr 2002 22:50:50 -0000	=
1.114
+++ netwerk/protocol/http/src/nsHttpChannel.cpp	30 Apr 2002 19:02:19 -0000
@@ -34,6 +34,7 @@
 #include "nsISupportsPrimitives.h"
 #include "nsIURL.h"
 #include "nsIMIMEService.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsCExternalHandlerService.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
@@ -1465,6 +1466,15 @@
         rv =3D ioService->NewURI(nsDependentCString(location), nsnull, mUR=
I,
                                getter_AddRefs(newURI));
         if (NS_FAILED(rv)) return rv;
+
+        // verify that this is a legal redirect
+        nsCOMPtr<nsIScriptSecurityManager> securityManager =3D=20
+                 do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+        if (securityManager) {
+            rv =3D securityManager->CheckLoadURI(mURI, newURI,
+                                               nsIScriptSecurityManager::D=
ISALLOW_FROM_MAIL);
+            if (NS_FAILED(rv)) return rv;
+        }
=20
         // Kill the current cache entry if we are redirecting
         // back to ourself.
--- htmlparser/src/CNavDTD.cpp.orig	Sat May  4 00:32:17 2002
+++ htmlparser/src/CNavDTD.cpp	Sat May  4 01:14:59 2002
@@ -473,14 +473,14 @@
=20
   nsresult result =3D NS_OK;
=20
-  if (aTokenizer && mSink && aParser) {
+  if (aTokenizer && aParser) {
     nsITokenizer*  oldTokenizer =3D mTokenizer;
=20
     mTokenizer      =3D aTokenizer;
     mParser         =3D (nsParser*)aParser;
     mTokenAllocator =3D mTokenizer->GetTokenAllocator();
    =20
-
+    if (mSink) {
     if (mBodyContext->GetCount() =3D=3D 0) {
       CStartToken* theToken=3Dnsnull;
       if(ePlainText=3D=3DmDocType) {
@@ -537,6 +537,7 @@
       }
     }//while
     mTokenizer =3D oldTokenizer;
+    }
   }
=20
   return result;

--=-jZHronSFbexPApOaXgiR--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message