From 2a9444045bb385e9ddbe953d56c2ceb430f22d3c Mon Sep 17 00:00:00 2001
From: pav <pav@FreeBSD.org>
Date: Sat, 10 Sep 2005 17:24:31 +0000
Subject: - Patch a security vulnerability (DoS, remote execution) in IDN  
 (internationalized domain names) subsystem, also known as "hyphen domain  
 name bug"

Submitted by:	Marcus Grando
Obtained from:	Mozilla Project CVS,
		https://bugzilla.mozilla.org/show_bug.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&id=307259
Security:	CAN-2005-2871
		http://secunia.com/advisories/16764/
---
 www/mozilla-devel/Makefile                  |  2 +-
 www/mozilla-devel/files/patch-CAN-2005-2871 | 92 +++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 www/mozilla-devel/files/patch-CAN-2005-2871

(limited to 'www/mozilla-devel')

diff --git a/www/mozilla-devel/Makefile b/www/mozilla-devel/Makefile
index 6dd0c27..a08080b 100644
--- a/www/mozilla-devel/Makefile
+++ b/www/mozilla-devel/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME?=	mozilla
 PORTVERSION=	1.8.b1
-PORTREVISION?=	4
+PORTREVISION?=	5
 PORTEPOCH?=	2
 CATEGORIES?=	www
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
diff --git a/www/mozilla-devel/files/patch-CAN-2005-2871 b/www/mozilla-devel/files/patch-CAN-2005-2871
new file mode 100644
index 0000000..0fd2cc6
--- /dev/null
+++ b/www/mozilla-devel/files/patch-CAN-2005-2871
@@ -0,0 +1,92 @@
+Index: netwerk/base/src/nsStandardURL.cpp
+===================================================================
+RCS file: /cvs/mozilla/netwerk/base/src/nsStandardURL.cpp,v
+retrieving revision 1.82
+diff -p -u -1 -2 -r1.82 nsStandardURL.cpp
+--- netwerk/base/src/nsStandardURL.cpp	20 Jun 2005 05:23:20 -0000	1.82
++++ netwerk/base/src/nsStandardURL.cpp	9 Sep 2005 16:34:42 -0000
+@@ -458,24 +458,25 @@ nsStandardURL::AppendToBuf(char *buf, PR
+ //  4- update url segment positions and lengths
+ nsresult
+ nsStandardURL::BuildNormalizedSpec(const char *spec)
+ {
+     // Assumptions: all member URLSegments must be relative the |spec| argument
+     // passed to this function.
+ 
+     // buffers for holding escaped url segments (these will remain empty unless
+     // escaping is required).
+     nsCAutoString encUsername;
+     nsCAutoString encPassword;
+     nsCAutoString encHost;
++    PRBool useEncHost;
+     nsCAutoString encDirectory;
+     nsCAutoString encBasename;
+     nsCAutoString encExtension;
+     nsCAutoString encParam;
+     nsCAutoString encQuery;
+     nsCAutoString encRef;
+ 
+     //
+     // escape each URL segment, if necessary, and calculate approximate normalized
+     // spec length.
+     //
+     PRInt32 approxLen = 3; // includes room for "://"
+@@ -497,25 +498,25 @@ nsStandardURL::BuildNormalizedSpec(const
+         approxLen += encoder.EncodeSegmentCount(spec, mParam,     esc_Param,         encParam);
+         approxLen += encoder.EncodeSegmentCount(spec, mQuery,     esc_Query,         encQuery);
+         approxLen += encoder.EncodeSegmentCount(spec, mRef,       esc_Ref,           encRef);
+     }
+ 
+     // do not escape the hostname, if IPv6 address literal, mHost will
+     // already point to a [ ] delimited IPv6 address literal.
+     // However, perform Unicode normalization on it, as IDN does.
+     mHostEncoding = eEncoding_ASCII;
+     if (mHost.mLen > 0) {
+         const nsCSubstring& tempHost =
+             Substring(spec + mHost.mPos, spec + mHost.mPos + mHost.mLen);
+-        if (NormalizeIDN(tempHost, encHost))
++        if ((useEncHost = NormalizeIDN(tempHost, encHost)))
+             approxLen += encHost.Length();
+         else
+             approxLen += mHost.mLen;
+     }
+ 
+     //
+     // generate the normalized URL string
+     //
+     mSpec.SetLength(approxLen + 32);
+     char *buf;
+     mSpec.BeginWriting(buf);
+     PRUint32 i = 0;
+@@ -530,25 +531,30 @@ nsStandardURL::BuildNormalizedSpec(const
+     mAuthority.mPos = i;
+ 
+     // append authority
+     if (mUsername.mLen > 0) {
+         i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername);
+         if (mPassword.mLen >= 0) {
+             buf[i++] = ':';
+             i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword);
+         }
+         buf[i++] = '@';
+     }
+     if (mHost.mLen > 0) {
+-        i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost);
++        if (useEncHost) {
++            mHost.mPos = i;
++            mHost.mLen = encHost.Length();
++            i = AppendToBuf(buf, i, encHost.get(), mHost.mLen);
++        } else
++            i = AppendSegmentToBuf(buf, i, spec, mHost);
+         net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
+         if (mPort != -1 && mPort != mDefaultPort) {
+             nsCAutoString portbuf;
+             portbuf.AppendInt(mPort);
+             buf[i++] = ':';
+             i = AppendToBuf(buf, i, portbuf.get(), portbuf.Length());
+         }
+     }
+ 
+     // record authority length
+     mAuthority.mLen = i - mAuthority.mPos;
+ 
-- 
cgit v1.1