Bug 777687: make handling of broken %-escapes in RFC2231/5987 encoding more draconian. r=jduell

2012-11-28 06:48:00 -08:00 · 2012-11-28 06:48:00 -08:00 · aad44d7880
--- a/netwerk/mime/nsMIMEHeaderParamImpl.cpp
+++ b/netwerk/mime/nsMIMEHeaderParamImpl.cpp
@ -134,6 +134,29 @@ void RemoveQuotedStringEscapes(char *src)
  *dst = 0;
 }

+// true is character is a hex digit
+bool IsHexDigit(char aChar)
+{
+  char c = aChar;
+
+  return (c >= 'a' && c <= 'f') ||
+         (c >= 'A' && c <= 'F') ||
+         (c >= '0' && c <= '9');
+}
+
+// validate that a C String containing %-escapes is syntactically valid
+bool IsValidPercentEscaped(const char *aValue, PRInt32 len)
+{
+  for (PRInt32 i = 0; i < len; i++) {
+    if (aValue[i] == '%') {
+      if (!IsHexDigit(aValue[i + 1]) || !IsHexDigit(aValue[i + 2])) {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+
 // Support for continuations (RFC 2231, Section 3)

 // only a sane number supported
@ -577,6 +600,10 @@ nsMIMEHeaderParamImpl::DoParameterInternal(const char *aHeaderValue,
        // non-empty value part
        if (rawValLength > 0) {
          if (!caseBResult && caseB) {
+            if (!IsValidPercentEscaped(rawValStart, rawValLength)) {
+              goto increment_str;
+            }
+
            // allocate buffer for the raw value
            char *tmpResult = (char *) nsMemory::Clone(rawValStart, rawValLength + 1);
            if (!tmpResult) {
@ -744,16 +771,6 @@ bool IsRFC5987AttrChar(char aChar)
          c == '_' || c == '`' || c == '|' || c == '~');
 }

-// true is character is a hex digit
-bool IsHexDigit(char aChar)
-{
-  char c = aChar;
-
-  return (c >= 'a' && c <= 'f') ||
-         (c >= 'A' && c <= 'F') ||
-         (c >= '0' && c <= '9');
-}
-
 // percent-decode a value
 // returns false on failure
 bool PercentDecode(nsACString& aValue)
--- a/netwerk/test/unit/test_MIME_params.js
+++ b/netwerk/test/unit/test_MIME_params.js
@ -408,6 +408,14 @@ var tests = [
  ["attachment filename=foo", 
   "attachment", Cr.NS_ERROR_INVALID_ARG], 

+  // Bug 777687: handling of broken %escapes
+
+  ["attachment; filename*=UTF-8''f%oo; filename=bar", 
+   "attachment", "bar"], 
+
+  ["attachment; filename*=UTF-8''foo%; filename=bar", 
+   "attachment", "bar"], 
+
  // Bug 783502 - xpcshell test netwerk/test/unit/test_MIME_params.js fails on AddressSanitizer
  ['attachment; filename="\\b\\a\\', 
   "attachment", "ba\\"],