author | Mark H Weaver <mhw@netris.org> | 2016-03-12 15:07:41 -0500 |
committer | Mark H Weaver <mhw@netris.org> | 2016-03-12 15:07:41 -0500 |
commit | 2c9f0b077018d2cac599bd2f466769cd5ffd3adc (patch) | |
tree | 57471e07a36c096bc9223b2fc76cced32eafa04b /gnu/packages/patches/icecat-CVE-2016-1954.patch | |
parent | f5a9103991531d17bd1d5a944dcec1c49fb9f395 (diff) | |
parent | 9591e11a4c87982943c9eb527b3b1d72aab8cc08 (diff) | |
Merge branch 'master' into security-updates
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-1954.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2016-1954.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1954.patch b/gnu/packages/patches/icecat-CVE-2016-1954.patch
new file mode 100644
index 0000000000..bbb4b3217c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1954.patch
@@ -0,0 +1,32 @@
+Copied from upstream:
+https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a5c4c18849b4
+
+# HG changeset patch
+# User Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
+# Date 1456157874 28800
+# Node ID a5c4c18849b486ef8693e20421b69239a2cbe574
+# Parent e93aeb25e2a44df8d22f5a065b4410620e2c8730
+Bug 1243178: CSP - Skip sending reports for non http schemes (r=dveditz) a=ritu
+
+diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
+--- a/dom/security/nsCSPContext.cpp
++++ b/dom/security/nsCSPContext.cpp
+@@ -798,16 +798,17 @@ nsCSPContext::SendReports(nsISupports* a
+ (NS_SUCCEEDED(reportURI->SchemeIs("https", &isHttpScheme)) && isHttpScheme);
+ 
+ if (!isHttpScheme) {
+ const char16_t* params[] = { reportURIs[r].get() };
+ CSP_LogLocalizedStr(NS_LITERAL_STRING("reportURInotHttpsOrHttp2").get(),
+ params, ArrayLength(params),
+ aSourceFile, aScriptSample, aLineNum, 0,
+ nsIScriptError::errorFlag, "CSP", mInnerWindowID);
++ continue;
+ }
+ 
+ // make sure this is an anonymous request (no cookies) so in case the
+ // policy URI is injected, it can't be abused for CSRF.
+ nsLoadFlags flags;
+ rv = reportChannel->GetLoadFlags(&flags);
+ NS_ENSURE_SUCCESS(rv, rv);
+ flags |= nsIRequest::LOAD_ANONYMOUS;
+ 
|
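Review bot: The local header of the new patch file names only Bug 1243178 and the upstream raw-rev URL, so the CVE identifier that the file name carries (CVE-2016-1954) does not appear anywhere inside the file and a reader of the patch alone cannot tie the added `continue;` to the advisory. A line such as `Fixes CVE-2016-1954: skip sending CSP reports for non-http(s) report URIs.` directly under "Copied from upstream:" would keep the security context auditable without opening the package definition. The inner hunk is copied verbatim from upstream, so only this local preamble should be touched. `nsCSPContext::SendReports` begins and ends outside the quoted inner hunk, so the loop that `continue;` belongs to is not visible here.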