[Pkg-mozext-commits] [itsalltext] 449/459: Be even more paranoid with filenames

David Prévot taffit at moszumanska.debian.org
Tue Feb 24 23:26:47 UTC 2015 

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository itsalltext.

commit 625326305833ddb1aaa2b03b9b97bdb39f676939
Author: Christian Höltje <docwhat at gerf.org>
Date:   Sun Feb 22 01:27:11 2015 -0500

    Be even more paranoid with filenames
    
    Filenames can be very tricky.  I don't fully trust
    `encodeURIComponent()` to catch all bad characters.
    
    This isn't perfect and will do weird things to pathnames of Unicode
    characters, but at least it won't open up security holes.
---
 src/chrome/content/cacheobj.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/chrome/content/cacheobj.js b/src/chrome/content/cacheobj.js
index 4aee3b4..568f174 100644
--- a/src/chrome/content/cacheobj.js
+++ b/src/chrome/content/cacheobj.js
@@ -27,6 +27,7 @@ function CacheObj(node) {
     var that = this,
     hitch_re = /^hitched_/,
     doc = node.ownerDocument,
+    starting_urlname,
     urlname,
     hash,
     method,
@@ -88,7 +89,13 @@ function CacheObj(node) {
     ).slice(0, 10);
 
     /* Determine the local filename for the document. */
-    for (urlname = doc.location.host + doc.location.pathname; ;) {
+
+    starting_urlname = (doc.location.host + doc.location.pathname)
+        .replace(/[\/\\]/g, '_')
+        .replace(/\.\.+/g, '.')
+        .replace(/[^a-z0-9_.-]+/gi, '');
+    //disabled-debug -- itsalltext.debug("starting_urlname:", starting_urlname);
+    for (urlname = starting_urlname; ;) {
         that.base_filename = [window.encodeURIComponent(urlname), hash].join('.');
         try {
             // Hope isWritable() would work here, but it throws
@@ -606,7 +613,7 @@ CacheObj.prototype.update = function () {
             var event = this.node.ownerDocument.createEvent("HTMLEvents");
             event.initEvent('change', true, false);
             this.node.dispatchEvent(event);
-            
+
             var inputEvent = this.node.ownerDocument.createEvent("HTMLEvents");
             inputEvent.initEvent('input', true, false);
             this.node.dispatchEvent(inputEvent);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/itsalltext.git

More information about the Pkg-mozext-commits mailing list