Bug 1399325 - Do not allow parsed URLs to exceed max length
When normalizing the spec, some characters get percent encoded, so even if the original input was shorter than the max length, the final result could be longer.
MozReview-Commit-ID: 78IDM7Hoa55
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -775,16 +775,22 @@ nsStandardURL::BuildNormalizedSpec(const
URLSegment path(mPath);
URLSegment filepath(mFilepath);
URLSegment directory(mDirectory);
URLSegment basename(mBasename);
URLSegment extension(mExtension);
URLSegment query(mQuery);
URLSegment ref(mRef);
+ // The encoded string could be longer than the original input, so we need
+ // to check the final URI isn't longer than the max length.
+ if (approxLen + 1 > (uint32_t) net_GetURLMaxLength()) {
+ return NS_ERROR_MALFORMED_URI;
+ }
+
//
// generate the normalized URL string
//
// approxLen should be correct or 1 high
if (!mSpec.SetLength(approxLen+1, fallible)) // buf needs a trailing '\0' below
return NS_ERROR_OUT_OF_MEMORY;
char *buf;
mSpec.BeginWriting(buf);
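Review bot: The new guard `approxLen + 1 > (uint32_t) net_GetURLMaxLength()` is only a reliable bound if neither side has wrapped. approxLen is accumulated before this hunk, and the C-style cast would turn a negative return value into a very large limit (the return type is not visible here, so this is inferred from the cast). Writing it as `if (approxLen >= static_cast<uint32_t>(net_GetURLMaxLength())) {` gives the same result without the `+ 1` that can wrap at the top of the range. Because approxLen is described just below as "correct or 1 high", the guard also rejects a spec whose final length equals the limit, while the assertion added at the end of the function accepts `Length() <= max`; a one-line comment stating which boundary is intended would help. BuildNormalizedSpec starts and ends outside this hunk.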
@@ -925,16 +931,19 @@ nsStandardURL::BuildNormalizedSpec(const
coalesceFlag = (netCoalesceFlags) (coalesceFlag
| NET_COALESCE_ALLOW_RELATIVE_ROOT
| NET_COALESCE_DOUBLE_SLASH_IS_ROOT);
}
CoalescePath(coalesceFlag, buf + mDirectory.mPos);
}
mSpec.SetLength(strlen(buf));
NS_ASSERTION(mSpec.Length() <= approxLen, "We've overflowed the mSpec buffer!");
+ MOZ_ASSERT(mSpec.Length() <= (uint32_t) net_GetURLMaxLength(),
+ "The spec should never be this long, we missed a check.");
+
return NS_OK;
}
bool
nsStandardURL::SegmentIs(const URLSegment &seg, const char *val, bool ignoreCase)
{
// one or both may be null
if (!val || mSpec.IsEmpty())
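Review bot: The added `MOZ_ASSERT` on `mSpec.Length()` is a debug-build check only, so in release builds the length limit rests entirely on the approxLen guard placed before the buffer is sized. Nothing at this point returns an error if a later change lets the spec grow past the limit. The assertion also runs after the buffer has already been written, so it reports a missed check rather than preventing one. A short comment above it, such as `// Debug-only backstop: the limit is enforced by the approxLen check before SetLength().`, would make that dependency explicit. BuildNormalizedSpec begins outside this hunk.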