From a4855e03ec5534135ffdb8e0f24553029a7cfcd0 Mon Sep 17 00:00:00 2001
From: "ben%bengoodger.com" <ben%bengoodger.com>
Date: Tue, 23 Sep 2003 19:34:25 +0000
Subject: [PATCH] Fix Firebird bugs

217195 (patch by Jesse Ruderman) - security hole in markLinkVisited (exploited with link.href usage)

219875 (patch by Mike Connor) - localize strings for provisional security UI in Advanced Options panel
---
 browser/base/content/contentAreaUtils.js         | 16 ++++++++++++----
 .../prefwindow/content/pref-advanced.xul         |  8 ++------
 .../prefwindow/locale/pref-advanced.dtd          |  2 ++
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/browser/base/content/contentAreaUtils.js b/browser/base/content/contentAreaUtils.js
index b70778c9f79a..29d5c058dd54 100644
--- a/browser/base/content/contentAreaUtils.js
+++ b/browser/base/content/contentAreaUtils.js
@@ -105,10 +105,18 @@ function markLinkVisited(href, linkNode)
                                .getService(Components.interfaces.nsIGlobalHistory);
    if (!globalHistory.isVisited(href)) {
      globalHistory.addPage(href);
-     var oldHref = linkNode.href;
-     linkNode.href = "";
-     linkNode.href = oldHref;
-   }    
+     var oldHref = linkNode.getAttribute("href");
+     if (typeof oldHref == "string") {
+       // Use setAttribute instead of direct assignment.
+       // (bug 217195, bug 187195)
+       linkNode.setAttribute("href", "");
+       linkNode.setAttribute("href", oldHref);
+     }
+     else {
+       // Converting to string implicitly would be a 
+       // minor security hole (similar to bug 202994).
+     }
+   }
 }
 
 function urlSecurityCheck(url, doc) 
diff --git a/browser/components/prefwindow/content/pref-advanced.xul b/browser/components/prefwindow/content/pref-advanced.xul
index 6bba808d6124..82f7aea278db 100644
--- a/browser/components/prefwindow/content/pref-advanced.xul
+++ b/browser/components/prefwindow/content/pref-advanced.xul
@@ -185,9 +185,7 @@
     
 #ifdef PROVISIONAL_SECURITY_UI
     <expander id="certs" label="&certs.label;" open="false" persist="open" clearhidden="true">      
-      <description>This section is PROVISIONAL and will change or disappear in future releases!
-                   It exists here now only to provide this functionality where no other access point
-                   is available.</description>
+      <description>&securityUIDisclaimer.label;</description>
       <groupbox align="start">
         <caption label="&SSLClientAuthMethod;"/>
         <description>&certselect.description;</description>
@@ -227,9 +225,7 @@
     </expander>
     
     <expander id="validation" label="&validation.label;" open="false" persist="open" clearhidden="true">      
-      <description>This section is PROVISIONAL and will change or disappear in future releases!
-                   It exists here now only to provide this functionality where no other access point
-                   is available.</description>
+      <description>&securityUIDisclaimer.label;</description>
       <groupbox>
         <caption label="&validation.crl.label;"/>
         <description>&validation.crl.description;</description>
diff --git a/browser/components/prefwindow/locale/pref-advanced.dtd b/browser/components/prefwindow/locale/pref-advanced.dtd
index dd39aaec5179..9dc2a3ee4338 100644
--- a/browser/components/prefwindow/locale/pref-advanced.dtd
+++ b/browser/components/prefwindow/locale/pref-advanced.dtd
@@ -19,6 +19,8 @@
 <!ENTITY linksOnlyTypeAheadFind.label "to search links only">
 
 <!-- PROVISIONAL SECURITY UI ONLY -->
+<!ENTITY securityUIDisclaimer.label   "This section is PROVISIONAL and will change or disappear in future releases! It exists here now only to provide this functionality where no other access point is available.">
+
 <!-- Certs -->
 <!ENTITY certs.label                  "Certificates">
 <!ENTITY SSLClientAuthMethod          "Client Certificate Selection">