Fixes bug 83401. r=gagan, darin, sr=vidur, a=blizzard. Add port blacklisting to necko

chrome/src/nsChromeProtocolHandler.cpp

@@ -513,6 +513,14 @@ nsChromeProtocolHandler::GetDefaultPort(PRInt32 *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsChromeProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP
 nsChromeProtocolHandler::NewURI(const char *aSpec, nsIURI *aBaseURI,
                                 nsIURI **result)

directory/xpcom/base/src/nsLDAPProtocolHandler.cpp

@@ -128,3 +128,14 @@ nsLDAPProtocolHandler::NewChannel(nsIURI* uri,
 
     return NS_OK;
 }
+
+NS_IMETHODIMP 
+nsLDAPProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == 389 || port == 636)  // 636 is LDAP/SSL
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
+

docshell/base/nsDocShell.cpp

@@ -4665,6 +4665,31 @@ nsresult nsDocShell::DoChannelLoad(nsIChannel * aChannel,
     rv = aURILoader->OpenURI(aChannel,
                              aLoadCmd,
                              NS_STATIC_CAST(nsIDocShell *, this));
+    
+    if (rv == NS_ERROR_PORT_ACCESS_NOT_ALLOWED) {
+        nsCOMPtr<nsIPrompt> prompter;
+        nsCOMPtr<nsIStringBundle> stringBundle;
+
+        GetInterface(NS_GET_IID(nsIPrompt), getter_AddRefs(prompter));
+        if (!prompter) return rv;
+
+        nsCOMPtr<nsIStringBundleService> sbs(do_GetService(NS_STRINGBUNDLE_CONTRACTID));
+        if (!sbs) return rv;
+
+        sbs->CreateBundle("chrome://necko/locale/necko.properties", 
+                          getter_AddRefs(stringBundle));
+
+        if (!stringBundle)
+            return NS_ERROR_FAILURE;
+
+        nsXPIDLString messageStr;
+        stringBundle->GetStringFromName(NS_LITERAL_STRING("DeniedPortAccess").get(),
+                                            getter_Copies(messageStr));
+
+        prompter->Alert(nsnull, messageStr);
+
+    }
+    
     return rv;
 }
 

dom/src/jsurl/nsJSProtocolHandler.cpp

@@ -494,6 +494,14 @@ nsJSProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsJSProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 
 static nsModuleComponentInfo gJSModuleInfo[] = {

extensions/datetime/nsDateTimeChannel.cpp

@@ -23,6 +23,7 @@
 // datetime implementation
 
 #include "nsDateTimeChannel.h"
+#include "nsNetUtil.h"
 #include "nsIServiceManager.h"
 #include "nsILoadGroup.h"
 #include "nsIInterfaceRequestor.h"
@@ -157,6 +158,9 @@ NS_IMETHODIMP
 nsDateTimeChannel::Open(nsIInputStream **_retval)
 {
     nsresult rv = NS_OK;
+    rv = NS_CheckPortSafety(mPort, "datetime");
+    if (NS_FAILED(rv))
+      return rv;
 
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
@@ -175,6 +179,9 @@ NS_IMETHODIMP
 nsDateTimeChannel::AsyncOpen(nsIStreamListener *aListener, nsISupports *ctxt)
 {
     nsresult rv = NS_OK;
+    rv = NS_CheckPortSafety(mPort, "datetime");
+    if (NS_FAILED(rv))
+      return rv;
 
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;

extensions/datetime/nsDateTimeHandler.cpp

@@ -114,4 +114,14 @@ nsDateTimeHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+
+NS_IMETHODIMP 
+nsDateTimeHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == DATETIME_PORT)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

extensions/finger/nsFingerChannel.cpp

@@ -188,6 +188,10 @@ nsFingerChannel::Open(nsIInputStream **_retval)
 {
     nsresult rv = NS_OK;
 
+    rv = NS_CheckPortSafety(mPort, "finger");
+    if (NS_FAILED(rv))
+      return rv;
+
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
 
@@ -206,6 +210,10 @@ nsFingerChannel::AsyncOpen(nsIStreamListener *aListener, nsISupports *ctxt)
 {
     nsresult rv = NS_OK;
 
+    rv = NS_CheckPortSafety(mPort, "finger");
+    if (NS_FAILED(rv))
+      return rv;
+
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
 

extensions/finger/nsFingerHandler.cpp

@@ -114,4 +114,13 @@ nsFingerHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsFingerHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == FINGER_PORT)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

mailnews/addrbook/src/nsAddbookProtocolHandler.cpp

@@ -153,6 +153,14 @@ NS_IMETHODIMP nsAddbookProtocolHandler::NewURI(const char *aSpec, nsIURI *aBaseU
   return rv;
 }
 
+NS_IMETHODIMP 
+nsAddbookProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP
 nsAddbookProtocolHandler::GenerateHTMLOutputChannel( char *aHtmlOutput,
                                                      PRInt32  aHtmlOutputSize,

mailnews/base/util/nsMsgProtocol.cpp

@@ -430,6 +430,21 @@ NS_IMETHODIMP nsMsgProtocol::Open(nsIInputStream **_retval)
 
 NS_IMETHODIMP nsMsgProtocol::AsyncOpen(nsIStreamListener *listener, nsISupports *ctxt)
 {
+    PRInt32 port;
+    nsresult rv = m_url->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+    
+    nsXPIDLCString scheme;
+    rv = m_url->GetScheme(getter_Copies(scheme));
+    if (NS_FAILED(rv))
+        return rv;
+    
+
+    rv = NS_CheckPortSafety(port, scheme);
+    if (NS_FAILED(rv))
+        return rv;
+
 	// set the stream listener and then load the url
 	m_channelContext = ctxt;
 	m_channelListener = listener;

mailnews/compose/src/nsSmtpService.cpp

@@ -26,6 +26,7 @@
 #include "nsIPref.h"
 #include "nsIIOService.h"
 #include "nsNetCID.h"
+#include "nsNetUtil.h"
 
 #include "nsSmtpService.h"
 #include "nsIMsgMailSession.h"
@@ -257,6 +258,14 @@ NS_IMETHODIMP nsSmtpService::GetDefaultPort(PRInt32 *aDefaultPort)
 	return rv; 	
 }
 
+NS_IMETHODIMP 
+nsSmtpService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // allow smtp to run on any port
+    *_retval = PR_TRUE;
+    return NS_OK;
+}
+
 //////////////////////////////////////////////////////////////////////////
 // This is just a little stub channel class for mailto urls. Mailto urls
 // don't really have any data for the stream calls in nsIChannel to make much sense.
@@ -338,6 +347,15 @@ NS_IMETHODIMP nsMailtoChannel::Open(nsIInputStream **_retval)
 
 NS_IMETHODIMP nsMailtoChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *ctxt)
 {
+  PRInt32 port;
+  nsresult rv = m_url->GetPort(&port);
+  if (NS_FAILED(rv))
+      return rv;
+ 
+  rv = NS_CheckPortSafety(port, "mailto");
+  if (NS_FAILED(rv))
+      return rv;
+
   mStatus = listener->OnStartRequest(this, ctxt);
 
   // If OnStartRequest(...) failed, then propagate the error code...

mailnews/imap/src/nsImapProtocol.cpp

@@ -7161,6 +7161,16 @@ PRBool nsImapMockChannel::ReadFromLocalCache()
 NS_IMETHODIMP nsImapMockChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *ctxt)
 {
   nsresult rv = NS_OK;
+  
+  PRInt32 port;
+  rv = m_url->GetPort(&port);
+  if (NS_FAILED(rv))
+      return rv;
+ 
+  rv = NS_CheckPortSafety(port, "imap");
+  if (NS_FAILED(rv))
+      return rv;
+    
   // set the stream listener and then load the url
   m_channelContext = ctxt;
   m_channelListener = listener;

mailnews/imap/src/nsImapService.cpp

@@ -2845,6 +2845,13 @@ NS_IMETHODIMP nsImapService::GetDefaultPort(PRInt32 *aDefaultPort)
     return NS_OK;
 }
 
+NS_IMETHODIMP nsImapService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // allow imap to run on any port
+    *_retval = PR_TRUE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP nsImapService::GetDefaultDoBiff(PRBool *aDoBiff)
 {
     NS_ENSURE_ARG_POINTER(aDoBiff);

mailnews/local/src/nsMailboxService.cpp

@@ -455,6 +455,13 @@ NS_IMETHODIMP nsMailboxService::GetDefaultPort(PRInt32 *aDefaultPort)
 	return rv; 	
 }
 
+NS_IMETHODIMP nsMailboxService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP nsMailboxService::NewURI(const char *aSpec, nsIURI *aBaseURI, nsIURI **_retval)
 {
 	nsCOMPtr<nsIMailboxUrl> aMsgUrl;

mailnews/local/src/nsPop3Protocol.cpp

@@ -34,6 +34,7 @@
 #endif 
 
 #include "msgCore.h"    // precompiled header...
+#include "nsNetUtil.h"
 #include "nspr.h"
 #include "nsCRT.h"
 #include "plbase64.h"
@@ -636,6 +637,15 @@ nsresult nsPop3Protocol::LoadUrl(nsIURI* aURL, nsISupports * /* aConsumer */)
 	nsCOMPtr<nsIURL> url = do_QueryInterface(aURL, &rv);
 	if (NS_FAILED(rv)) return rv;
 
+    PRInt32 port;
+    rv = url->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+
+    rv = NS_CheckPortSafety(port, "pop3");
+    if (NS_FAILED(rv))
+        return rv;
+
 	nsXPIDLCString queryPart;
 	rv = url->GetQuery(getter_Copies(queryPart));
 	NS_ASSERTION(NS_SUCCEEDED(rv), "unable to get the url spect");

mailnews/local/src/nsPop3Service.cpp

@@ -312,6 +312,15 @@ NS_IMETHODIMP nsPop3Service::GetDefaultPort(PRInt32 *aDefaultPort)
 	return NS_OK;
 }
 
+NS_IMETHODIMP nsPop3Service::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == POP3_PORT || port == 593)  // 593 is POP3/SSL
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP nsPop3Service::GetDefaultDoBiff(PRBool *aDoBiff)
 {
     NS_ENSURE_ARG_POINTER(aDoBiff);

mailnews/news/src/nsNNTPProtocol.cpp

@@ -33,6 +33,7 @@
 #include "msgCore.h"    // precompiled header...
 #include "MailNewsTypes.h"
 #include "nntpCore.h"
+#include "nsNetUtil.h"
 
 #include "nsIMsgHdr.h"
 #include "nsNNTPProtocol.h"
@@ -892,6 +893,15 @@ NS_IMETHODIMP nsNNTPProtocol::AsyncOpen(nsIStreamListener *listener, nsISupports
   nsCOMPtr<nsIMsgMailNewsUrl> mailnewsUrl = do_QueryInterface(m_runningURL, &rv);
   NS_ENSURE_SUCCESS(rv,rv);
 
+  PRInt32 port;
+  rv = mailnewsUrl->GetPort(&port);
+  if (NS_FAILED(rv))
+      return rv;
+ 
+  rv = NS_CheckPortSafety(port, "news");
+  if (NS_FAILED(rv))
+      return rv;
+
   m_channelContext = ctxt;
   m_channelListener = listener;
   m_runningURL->GetNewsAction(&m_newsAction);

mailnews/news/src/nsNntpService.cpp

@@ -1200,6 +1200,15 @@ NS_IMETHODIMP nsNntpService::GetDefaultPort(PRInt32 *aDefaultPort)
 	return NS_OK;
 }
 
+NS_IMETHODIMP nsNntpService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == NEWS_PORT || port == 995 || port == 532) // port 995 is NNTP/SSL, 532 is netnews
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNntpService::GetDefaultServerPort(PRBool isSecure, PRInt32 *aDefaultPort)
 {

modules/libjar/nsJARProtocolHandler.cpp

@@ -159,4 +159,13 @@ nsJARProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return NS_OK;
 }
 
+
+NS_IMETHODIMP 
+nsJARProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 ////////////////////////////////////////////////////////////////////////////////

modules/libpr0n/decoders/icon/nsIconProtocolHandler.cpp

@@ -61,6 +61,14 @@ NS_IMETHODIMP nsIconProtocolHandler::GetDefaultPort(PRInt32 *result)
   return NS_OK;
 }
 
+
+NS_IMETHODIMP nsIconProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP nsIconProtocolHandler::NewURI(const char *aSpec, nsIURI *aBaseURI, nsIURI **result) 
 {
   // no concept of a relative icon url

modules/libpref/src/init/all.js

@@ -244,6 +244,14 @@ pref("offline.download.download_messages",  0);
 pref("offline.prompt_synch_on_exit",            true);
 pref("offline.news.download.use_days",          0);
 
+// If there is ever a security firedrill that requires
+// us to block certian ports global, this is the pref 
+// to use.  Is is a comma delimited list of port numbers
+// for example:
+//   pref("network.security.ports.banned", "1,2,3,4,5");
+// prevents necko connecting to ports 1-5 unless the protocol
+// overrides.
+
 pref("network.hosts.smtp_server",           "mail");
 pref("network.hosts.pop_server",            "mail");
 pref("network.protocols.useSystemDefaults",   false); // set to true if user links should use system default handlers

netwerk/base/public/netCore.h

@@ -50,6 +50,9 @@
 #define NS_ERROR_OFFLINE \
     NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 16)
 
+#define NS_ERROR_PORT_ACCESS_NOT_ALLOWED \
+    NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 19)
+
 #undef NS_NET
 #ifdef _IMPL_NS_NET
 #if defined(XP_PC) && !defined(XP_OS2)

netwerk/base/public/nsIIOService.idl

@@ -91,6 +91,16 @@ interface nsIIOService : nsISupports
      */
     attribute boolean offline;
 
+    /**
+     * Checks if a port number is banned.
+     *
+     * |allowPort| will check a list of "known-to-do-bad-things" port numbers.  If the 
+     * given port is found on the blacklist, |allowPort| will ask the protocol handler
+     * if it wishes to override. Scheme can be null. 
+     */
+     
+    boolean allowPort(in long port, in string scheme);
+
     ////////////////////////////////////////////////////////////////////////////
     // URL parsing utilities
 

netwerk/base/public/nsIProtocolHandler.idl

@@ -57,6 +57,18 @@ interface nsIProtocolHandler : nsISupports
      * will be used as the originalURI instead.
      */
     nsIChannel newChannel(in nsIURI aURI);
+
+    /**
+     * Allows a protocol to override blacklisted ports.
+     *
+     * |allowPort| will be called when there is an attempt to connect to a port 
+     * that is blacklisted.  For example, for most protocols, port 25 (Simple Mail
+     * Transfer) is banned.  When a url containing this "known-to-do-bad-things" 
+     * port number is encountered, this function will be called to ask if the 
+     * protocol handler wants to override the band.  
+     */
+     
+    boolean allowPort(in long port, in string scheme);
 };
 
 %{C++

netwerk/base/public/nsNetUtil.h

@@ -630,4 +630,30 @@ NS_AsyncReadToStream(nsIRequest **aRequest,
                                  aRequest);
 }
 
+inline nsresult
+NS_CheckPortSafety(PRInt32 port, const char* scheme = nsnull, nsIIOService* ioService = nsnull)
+{
+    nsresult rv;
+
+    nsCOMPtr<nsIIOService> serv;
+    if (ioService == nsnull) {
+        serv = do_GetIOService(&rv);
+        if (NS_FAILED(rv)) return rv;
+        ioService = serv.get();
+    }
+
+    PRBool allow;
+    
+    rv = ioService->AllowPort(port, scheme, &allow);
+    if (NS_FAILED(rv)) {
+        NS_ERROR("NS_CheckPortSafety: ioService->AllowPort failed\n");
+        return rv;
+    }
+    
+    if (!allow)
+        return NS_ERROR_PORT_ACCESS_NOT_ALLOWED;
+
+    return NS_OK;
+}
+
 #endif // nsNetUtil_h__

netwerk/base/src/nsIOService.cpp

@@ -36,6 +36,7 @@
 #include "netCore.h"
 #include "nsIObserverService.h"
 #include "nsIHttpProtocolHandler.h"
+#include "nsIPref.h"
 
 static NS_DEFINE_CID(kFileTransportService, NS_FILETRANSPORTSERVICE_CID);
 static NS_DEFINE_CID(kEventQueueService, NS_EVENTQUEUESERVICE_CID);
@@ -43,6 +44,71 @@ static NS_DEFINE_CID(kSocketTransportServiceCID, NS_SOCKETTRANSPORTSERVICE_CID);
 static NS_DEFINE_CID(kDNSServiceCID, NS_DNSSERVICE_CID);
 static NS_DEFINE_CID(kErrorServiceCID, NS_ERRORSERVICE_CID);
 static NS_DEFINE_CID(kProtocolProxyServiceCID, NS_PROTOCOLPROXYSERVICE_CID);
+static NS_DEFINE_CID(kPrefServiceCID, NS_PREF_CID);
+// A general port blacklist.  Connections to these ports will not be avoided unless 
+// the protocol overrides.
+//
+// TODO: I am sure that there are more ports to be added.  
+//       This cut is based on the classic mozilla codebase
+
+PRInt32 gBadPortList[] = { 
+  1,    // tcpmux          
+  7,    // echo     
+  9,    // discard          
+  11,   // systat   
+  13,   // daytime          
+  15,   // netstat  
+  17,   // qotd             
+  19,   // chargen  
+  20,   // ftp-data         
+  21,   // ftp-cntl 
+  22,   // ssh              
+  23,   // telnet   
+  25,   // smtp     
+  37,   // time     
+  42,   // name     
+  43,   // nicname  
+  53,   // domain  
+  70,   // gopher
+  77,   // priv-rjs 
+  79,   // finger   
+  87,   // ttylink  
+  95,   // supdup   
+  101,  // hostriame
+  102,  // iso-tsap 
+  103,  // gppitnp  
+  104,  // acr-nema 
+  109,  // pop2     
+  110,  // pop3     
+  111,  // sunrpc   
+  113,  // auth     
+  115,  // sftp     
+  117,  // uucp-path
+  119,  // nntp     
+  123,  // NTP
+  135,  // loc-srv / epmap         
+  139,  // netbios
+  143,  // imap2  
+  179,  // BGP
+  389,  // ldap        
+  512,  // print / exec          
+  513,  // login         
+  514,  // shell         
+  515,  // printer         
+  526,  // tempo         
+  530,  // courier        
+  531,  // Chat         
+  532,  // netnews        
+  540,  // uucp       
+  556,  // remotefs    
+  587,  //
+  601,  //       
+  1080, // SOCKS
+  2049, // nfs
+  4045, // lockd
+  6000, // x11        
+  0,    // This MUST be zero so that we can populating the array
+};
 
 ////////////////////////////////////////////////////////////////////////////////
 
@@ -90,25 +156,76 @@ nsIOService::Init()
 
     // XXX hack until xpidl supports error info directly (http://bugzilla.mozilla.org/show_bug.cgi?id=13423)
     nsCOMPtr<nsIErrorService> errorService = do_GetService(kErrorServiceCID, &rv);
-    if (NS_SUCCEEDED(rv)) {
-        rv = errorService->RegisterErrorStringBundle(NS_ERROR_MODULE_NETWORK, NECKO_MSGS_URL);
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_READ_FROM, "ReadFrom");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_WROTE_TO, "WroteTo");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_RESOLVING_HOST, "ResolvingHost");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_CONNECTED_TO, "ConnectedTo");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_SENDING_TO, "SendingTo");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_RECEIVING_FROM, "ReceivingFrom");
-        if (NS_FAILED(rv)) return rv;
-        rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_CONNECTING_TO, "ConnectingTo");
-        if (NS_FAILED(rv)) return rv;
+    if (NS_FAILED(rv)) 
+        return rv;
+    
+    rv = errorService->RegisterErrorStringBundle(NS_ERROR_MODULE_NETWORK, NECKO_MSGS_URL);
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_READ_FROM, "ReadFrom");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_WROTE_TO, "WroteTo");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_RESOLVING_HOST, "ResolvingHost");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_CONNECTED_TO, "ConnectedTo");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_SENDING_TO, "SendingTo");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_RECEIVING_FROM, "ReceivingFrom");
+    if (NS_FAILED(rv)) return rv;
+    rv = errorService->RegisterErrorStringBundleKey(NS_NET_STATUS_CONNECTING_TO, "ConnectingTo");
+    if (NS_FAILED(rv)) return rv;
+    
+    // setup our bad port list stuff
+    for(int i=0; gBadPortList[i]; i++)
+    {
+        mRestrictedPortList.AppendElement((void*)gBadPortList[i]);
     }
-    return rv;
+
+    // Lets make it really easy to block extra ports:
+    NS_WITH_SERVICE(nsIPref, prefService, kPrefServiceCID, &rv);
+    if (NS_FAILED(rv) && !prefService) {
+        NS_ASSERTION(0, "Prefs not found!");
+        return NS_ERROR_FAILURE;
+    }
+    
+    char* portList = nsnull;
+    prefService->CopyCharPref("network.security.ports.banned", &portList);
+    if (portList) {
+        char* tokp;
+        char* currentPos = portList;  
+        while ( (tokp = nsCRT::strtok(currentPos, ",", &currentPos)) != nsnull )
+        {
+            nsCAutoString tmp(tokp);
+            tmp.StripWhitespace();
+
+            PRInt32 aErrorCode;
+            PRInt32 value = tmp.ToInteger(&aErrorCode);
+            mRestrictedPortList.AppendElement((void*)value);
+        }
+
+        PL_strfree(portList);
+    }
+    
+    portList = nsnull;
+    prefService->CopyCharPref("network.security.ports.banned.override", &portList);
+    if (portList) {
+        char* tokp;
+        char* currentPos = portList;  
+        while ( (tokp = nsCRT::strtok(currentPos, ",", &currentPos)) != nsnull )
+        {
+            nsCAutoString tmp(tokp);
+            tmp.StripWhitespace();
+
+            PRInt32 aErrorCode;
+            PRInt32 value = tmp.ToInteger(&aErrorCode);
+            mRestrictedPortList.RemoveElement((void*)value);
+        }
+
+        PL_strfree(portList);
+    }
+
+    return NS_OK;
 }
 
 
@@ -398,6 +515,38 @@ nsIOService::SetOffline(PRBool offline)
 }
 
 
+NS_IMETHODIMP
+nsIOService::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == -1) {
+        *_retval = PR_TRUE;
+        return NS_OK;
+    }
+        
+    // first check to see if the port is in our blacklist:
+    PRInt32 badPortListCnt = mRestrictedPortList.Count();
+    for (int i=0; i<badPortListCnt; i++)
+    {
+        if (port == (PRInt32) mRestrictedPortList[i])
+        {
+            *_retval = PR_FALSE;
+
+            // check to see if the protocol wants to override
+            if (!scheme)
+                return NS_OK;
+            
+            nsCOMPtr<nsIProtocolHandler> handler;
+            nsresult rv = GetProtocolHandler(scheme, getter_AddRefs(handler));
+            if (NS_FAILED(rv)) return rv;
+
+            // let the protocol handler decide
+            return handler->AllowPort(port, scheme, _retval);
+        }
+    }
+
+    *_retval = PR_TRUE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////
 // URL parsing utilities
 

netwerk/base/src/nsIOService.h

@@ -25,6 +25,7 @@
 
 #include "nsIIOService.h"
 #include "nsString.h"
+#include "nsVoidArray.h"
 #include "nsISocketTransportService.h" 
 #include "nsIFileTransportService.h" 
 #include "nsIDNSService.h" 
@@ -73,6 +74,8 @@ protected:
     
     // Cached protocol handlers
     nsWeakPtr                  mWeakHandler[NS_N(gScheme)];
+
+    nsVoidArray                         mRestrictedPortList;
 };
 
 #endif // nsIOService_h__

netwerk/protocol/about/src/nsAboutProtocolHandler.cpp

@@ -152,4 +152,11 @@ nsAboutProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return rv;
 }
 
+NS_IMETHODIMP 
+nsAboutProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/data/src/nsDataHandler.cpp

@@ -117,4 +117,11 @@ nsDataHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsDataHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/datetime/src/nsDateTimeChannel.cpp

@@ -23,6 +23,7 @@
 // datetime implementation
 
 #include "nsDateTimeChannel.h"
+#include "nsNetUtil.h"
 #include "nsIServiceManager.h"
 #include "nsILoadGroup.h"
 #include "nsIInterfaceRequestor.h"
@@ -157,6 +158,9 @@ NS_IMETHODIMP
 nsDateTimeChannel::Open(nsIInputStream **_retval)
 {
     nsresult rv = NS_OK;
+    rv = NS_CheckPortSafety(mPort, "datetime");
+    if (NS_FAILED(rv))
+      return rv;
 
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
@@ -175,6 +179,9 @@ NS_IMETHODIMP
 nsDateTimeChannel::AsyncOpen(nsIStreamListener *aListener, nsISupports *ctxt)
 {
     nsresult rv = NS_OK;
+    rv = NS_CheckPortSafety(mPort, "datetime");
+    if (NS_FAILED(rv))
+      return rv;
 
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;

netwerk/protocol/datetime/src/nsDateTimeHandler.cpp

@@ -114,4 +114,14 @@ nsDateTimeHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+
+NS_IMETHODIMP 
+nsDateTimeHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == DATETIME_PORT)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/file/src/nsFileProtocolHandler.cpp

@@ -137,4 +137,11 @@ nsFileProtocolHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsFileProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/finger/src/nsFingerChannel.cpp

@@ -188,6 +188,10 @@ nsFingerChannel::Open(nsIInputStream **_retval)
 {
     nsresult rv = NS_OK;
 
+    rv = NS_CheckPortSafety(mPort, "finger");
+    if (NS_FAILED(rv))
+      return rv;
+
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
 
@@ -206,6 +210,10 @@ nsFingerChannel::AsyncOpen(nsIStreamListener *aListener, nsISupports *ctxt)
 {
     nsresult rv = NS_OK;
 
+    rv = NS_CheckPortSafety(mPort, "finger");
+    if (NS_FAILED(rv))
+      return rv;
+
     NS_WITH_SERVICE(nsISocketTransportService, socketService, kSocketTransportServiceCID, &rv);
     if (NS_FAILED(rv)) return rv;
 

netwerk/protocol/finger/src/nsFingerHandler.cpp

@@ -114,4 +114,13 @@ nsFingerHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsFingerHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == FINGER_PORT)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/ftp/src/nsFTPChannel.cpp

@@ -91,6 +91,10 @@ nsFTPChannel::Init(nsIURI* uri)
         mLock = PR_NewLock();
         if (!mLock) return NS_ERROR_OUT_OF_MEMORY;
     }
+
+    mIOService = do_GetIOService(&rv);
+    if (NS_FAILED(rv)) return rv;
+    
     return NS_OK;
 }
 
@@ -229,7 +233,14 @@ nsFTPChannel::Open(nsIInputStream **result)
 NS_IMETHODIMP
 nsFTPChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *ctxt)
 {
-    nsresult rv;
+    PRInt32 port;
+    nsresult rv = mURL->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+ 
+    rv = NS_CheckPortSafety(port, "ftp", mIOService);
+    if (NS_FAILED(rv))
+        return rv;
 
     PR_LOG(gFTPLog, PR_LOG_DEBUG, ("nsFTPChannel::AsyncOpen() called\n"));
 

netwerk/protocol/ftp/src/nsFTPChannel.h

@@ -25,6 +25,7 @@
 #ifndef nsFTPChannel_h___
 #define nsFTPChannel_h___
 
+#include "nsIIOService.h"
 #include "nsIURI.h"
 #include "nsString.h"
 #include "nsILoadGroup.h"
@@ -107,6 +108,8 @@ protected:
     nsCOMPtr<nsISupports>           mUserContext;
     nsresult                        mStatus;
     PRPackedBool                    mCanceled;
+
+    nsCOMPtr<nsIIOService>          mIOService;
 };
 
 #endif /* nsFTPChannel_h___ */

netwerk/protocol/ftp/src/nsFtpProtocolHandler.cpp

@@ -168,6 +168,16 @@ nsFtpProtocolHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     return rv;
 }
 
+NS_IMETHODIMP 
+nsFtpProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == 21)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 // connection cache methods
 nsresult
 nsFtpProtocolHandler::RemoveConnection(nsIURI *aKey, nsISupports* *_retval) {

netwerk/protocol/gopher/src/nsGopherChannel.cpp

@@ -227,6 +227,15 @@ NS_IMETHODIMP
 nsGopherChannel::Open(nsIInputStream **_retval)
 {
     nsresult rv = NS_OK;
+    
+    PRInt32 port;
+    rv = mUrl->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+ 
+    rv = NS_CheckPortSafety(port);
+    if (NS_FAILED(rv))
+        return rv;
 
     NS_WITH_SERVICE(nsISocketTransportService,
                     socketService,
@@ -256,11 +265,20 @@ nsGopherChannel::AsyncOpen(nsIStreamListener *aListener, nsISupports *ctxt)
     PR_LOG(gGopherLog, PR_LOG_DEBUG, ("nsGopherChannel::AsyncOpen() called [this=%x]\n",
                                       this));
 
+    nsresult rv;
+
+    PRInt32 port;
+    rv = mUrl->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+ 
+    rv = NS_CheckPortSafety(port);
+    if (NS_FAILED(rv))
+        return rv;
+    
     mListener = aListener;
     mResponseContext = ctxt;
 
-    nsresult rv;
-
     NS_WITH_SERVICE(nsISocketTransportService,
                     socketService,
                     kSocketTransportServiceCID,

netwerk/protocol/gopher/src/nsGopherHandler.cpp

@@ -126,3 +126,13 @@ nsGopherHandler::NewChannel(nsIURI* url, nsIChannel* *result)
     *result = channel;
     return rv;
 }
+
+NS_IMETHODIMP 
+nsGopherHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    if (port == GOPHER_PORT)
+        *_retval = PR_TRUE;
+    else
+        *_retval = PR_FALSE;
+    return NS_OK;
+}

netwerk/protocol/http/src/nsHttpChannel.cpp

@@ -533,9 +533,10 @@ nsHttpChannel::OpenCacheEntry(PRBool *delayed)
 
     // Are we offline?
     PRBool offline = PR_FALSE;
-    nsCOMPtr<nsIIOService> ioService = do_GetIOService();
-    if (ioService)
-        ioService->GetOffline(&offline);
+    
+    nsCOMPtr<nsIIOService> ioService;
+    rv = nsHttpHandler::get()->GetIOService(getter_AddRefs(ioService));
+    ioService->GetOffline(&offline);
 
     // Set the desired cache access mode accordingly...
     nsCacheAccessMode accessRequested;
@@ -1032,17 +1033,13 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
         if (NS_FAILED(rv)) return rv;
     }
     else {
-        //
-        // this redirect could be to ANY uri, so we need to talk to the
-        // IO service to create the new channel.
-        //
-        nsCOMPtr<nsIIOService> serv = do_GetIOService(&rv);
-        if (NS_FAILED(rv)) return rv;
-
         // create a new URI using the location header and the current URL
         // as a base...
+        nsCOMPtr<nsIIOService> ioService;
+        rv = nsHttpHandler::get()->GetIOService(getter_AddRefs(ioService));
+
         nsCOMPtr<nsIURI> newURI;
-        rv = serv->NewURI(location, mURI, getter_AddRefs(newURI));
+        rv = ioService->NewURI(location, mURI, getter_AddRefs(newURI));
         if (NS_FAILED(rv)) return rv;
 
         // move the reference of the old location to the new one if the new
@@ -1062,7 +1059,7 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
         }
 
         // build the new channel
-        rv = NS_OpenURI(getter_AddRefs(newChannel), newURI, serv, mLoadGroup,
+        rv = NS_OpenURI(getter_AddRefs(newChannel), newURI, ioService, mLoadGroup,
                         mCallbacks, mLoadFlags | LOAD_REPLACE);
         if (NS_FAILED(rv)) return rv;
     }
@@ -1329,11 +1326,12 @@ nsHttpChannel::GetUserPassFromURI(nsAString &user,
     if (prehost) {
         nsresult rv;
 
-        nsCOMPtr<nsIIOService> serv = do_GetIOService(&rv);
-        if (NS_FAILED(rv)) return rv;
-
         nsXPIDLCString buf;
-        rv = serv->Unescape(prehost, getter_Copies(buf));
+        nsCOMPtr<nsIIOService> ioService;
+        rv = nsHttpHandler::get()->GetIOService(getter_AddRefs(ioService));
+        if (NS_FAILED(rv)) return rv;
+        
+        rv = ioService->Unescape(prehost, getter_Copies(buf));
         if (NS_FAILED(rv)) return rv;
 
         char *p = PL_strchr(buf, ':');
@@ -1777,6 +1775,19 @@ nsHttpChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *context)
     NS_ENSURE_ARG_POINTER(listener);
     NS_ENSURE_TRUE(!mIsPending, NS_ERROR_IN_PROGRESS);
 
+    PRInt32 port;
+    nsresult rv = mURI->GetPort(&port);
+    if (NS_FAILED(rv))
+        return rv;
+ 
+    nsCOMPtr<nsIIOService> ioService;
+    rv = nsHttpHandler::get()->GetIOService(getter_AddRefs(ioService));
+    if (NS_FAILED(rv)) return rv;
+
+    rv = NS_CheckPortSafety(port, "http", ioService); // FIX - other schemes?
+    if (NS_FAILED(rv))
+        return rv;
+    
     mIsPending = PR_TRUE;
 
     mListener = listener;
@@ -1787,7 +1798,7 @@ nsHttpChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *context)
     if (mLoadGroup)
         mLoadGroup->AddRequest(this, nsnull);
 
-    nsresult rv = Connect();
+    rv = Connect();
     if (NS_FAILED(rv)) {
         LOG(("Connect failed [rv=%x]\n", rv));
 

netwerk/protocol/http/src/nsHttpChannel.h

@@ -28,6 +28,7 @@
 #include "nsIHttpChannel.h"
 #include "nsIHttpEventSink.h"
 #include "nsIStreamListener.h"
+#include "nsIIOService.h"
 #include "nsIURI.h"
 #include "nsILoadGroup.h"
 #include "nsIInterfaceRequestor.h"

netwerk/protocol/http/src/nsHttpHandler.cpp

@@ -59,6 +59,7 @@ static const char NETWORK_PREFS[] = "network.";
 static const char INTL_ACCEPT_LANGUAGES[] = "intl.accept_languages";
 static const char INTL_ACCEPT_CHARSET[] = "intl.charset.default";
 
+static NS_DEFINE_CID(kIOServiceCID, NS_IOSERVICE_CID);
 static NS_DEFINE_CID(kStandardURLCID, NS_STANDARDURL_CID);
 static NS_DEFINE_CID(kPrefServiceCID, NS_PREF_CID);
 static NS_DEFINE_CID(kCategoryManagerCID, NS_CATEGORYMANAGER_CID);
@@ -179,6 +180,12 @@ nsHttpHandler::Init()
 
     LOG(("nsHttpHandler::Init\n"));
 
+    mIOService = do_GetService(kIOServiceCID, &rv);
+    if (NS_FAILED(rv)) {
+        NS_WARNING("unable to continue without io service");
+        return rv;
+    }
+
     mPrefs = do_GetService(kPrefServiceCID, &rv);
     if (NS_FAILED(rv)) {
         NS_WARNING("unable to continue without prefs service");
@@ -511,6 +518,14 @@ nsHttpHandler::GetMimeService(nsIMIMEService **result)
     return NS_OK;
 }
 
+nsresult 
+nsHttpHandler::GetIOService(nsIIOService** result)
+{
+    NS_ADDREF(*result = mIOService);
+    return NS_OK;
+}
+
+
 nsresult
 nsHttpHandler::OnModifyRequest(nsIHttpChannel *chan)
 {
@@ -1446,6 +1461,14 @@ nsHttpHandler::NewChannel(nsIURI *uri, nsIChannel **result)
     return rv;
 }
 
+NS_IMETHODIMP 
+nsHttpHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 //-----------------------------------------------------------------------------
 // nsHttpHandler::nsIHttpProtocolHandler
 //-----------------------------------------------------------------------------

netwerk/protocol/http/src/nsHttpHandler.h

@@ -27,6 +27,7 @@
 #include "nsHttp.h"
 #include "nsIHttpProtocolHandler.h"
 #include "nsIProtocolProxyService.h"
+#include "nsIIOService.h"
 #include "nsIPref.h"
 #include "nsIObserver.h"
 #include "nsIProxyObjectManager.h"
@@ -125,6 +126,8 @@ public:
     nsresult GetEventQueueService(nsIEventQueueService **);
     nsresult GetStreamConverterService(nsIStreamConverterService **);
     nsresult GetMimeService(nsIMIMEService **);
+    nsresult GetIOService(nsIIOService** service);
+
 
     // Called by the channel before writing a request
     nsresult OnModifyRequest(nsIHttpChannel *);
@@ -183,6 +186,7 @@ private:
     static nsHttpHandler *mGlobalInstance;
 
     // cached services
+    nsCOMPtr<nsIIOService>              mIOService;
     nsCOMPtr<nsIPref>                   mPrefs;
     nsCOMPtr<nsIProxyObjectManager>     mProxyMgr;
     nsCOMPtr<nsIEventQueueService>      mEventQueueService;

netwerk/protocol/jar/src/nsJARProtocolHandler.cpp

@@ -159,4 +159,13 @@ nsJARProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return NS_OK;
 }
 
+
+NS_IMETHODIMP 
+nsJARProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/keyword/src/nsKeywordProtocolHandler.cpp

@@ -179,4 +179,12 @@ nsKeywordProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
 
 }
 
+NS_IMETHODIMP 
+nsKeywordProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 ////////////////////////////////////////////////////////////////////////////////

netwerk/protocol/res/src/nsResProtocolHandler.cpp

@@ -234,6 +234,13 @@ nsResProtocolHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsResProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
 ////////////////////////////////////////////////////////////////////////////////
 
 NS_IMETHODIMP

netwerk/protocol/theme/src/nsThemeHandler.cpp

@@ -136,6 +136,15 @@ nsThemeHandler::NewURI(const char *aSpec, nsIURI *aBaseURI, nsIURI **result)
     return NS_OK;
 }
 
+
+NS_IMETHODIMP 
+nsThemeHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 /**
  * Quick & dirty little 32-bit deep GWorld wrapper, meant to be used within a single
  * block of code. After construction, the GWorld will be made the current port, and

netwerk/protocol/viewsource/src/nsViewSourceHandler.cpp

@@ -107,4 +107,12 @@ nsViewSourceHandler::NewChannel(nsIURI* uri, nsIChannel* *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsViewSourceHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 ////////////////////////////////////////////////////////////////////////////////

netwerk/resources/locale/en-US/necko.properties

@@ -46,3 +46,4 @@ EnterUserPasswordForRealm=Enter username and password for %1$S at %2$S
 EnterUserPasswordForProxy=Enter username and password for proxy at %1$S
 EnterUserPasswordFor=Enter username and password for %1$S
 EnterPasswordFor=Enter password for %1$S on %2$S
+DeniedPortAccess=Access to the port number given has been disabled for security reasons.

rdf/chrome/src/nsChromeProtocolHandler.cpp

@@ -513,6 +513,14 @@ nsChromeProtocolHandler::GetDefaultPort(PRInt32 *result)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsChromeProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
+
 NS_IMETHODIMP
 nsChromeProtocolHandler::NewURI(const char *aSpec, nsIURI *aBaseURI,
                                 nsIURI **result)

uriloader/exthandler/nsExternalProtocolHandler.cpp

@@ -280,6 +280,13 @@ NS_IMETHODIMP nsExternalProtocolHandler::GetDefaultPort(PRInt32 *aDefaultPort)
     return NS_OK;
 }
 
+NS_IMETHODIMP 
+nsExternalProtocolHandler::AllowPort(PRInt32 port, const char *scheme, PRBool *_retval)
+{
+    // don't override anything.  
+    *_retval = PR_FALSE;
+    return NS_OK;
+}
 // returns TRUE if the OS can handle this protocol scheme and false otherwise.
 PRBool nsExternalProtocolHandler::HaveProtocolHandler(nsIURI * aURI)
 {