Merge remote-tracking branch 'leeN/urlhelper_fix'

SAP · Jan 12, 2024 · 9b50b11 · 9b50b11
2 parents a818696 + c5e02be
commit 9b50b11
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/netwerk/base/nsURLHelper.cpp b/netwerk/base/nsURLHelper.cpp
@@ -1331,8 +1331,15 @@ namespace {
 void SerializeString(const nsCString& aInput, nsAString& aValue) {
   const unsigned char* p = (const unsigned char*)aInput.get();
   const unsigned char* end = p + aInput.Length();
-
+  size_t oi = 0;
+  // Taintfox: Keeps track of position on where to insert
+  size_t ti = 0;
+  auto in_taint = aInput.Taint();
+  auto current = in_taint.begin();
   while (p != end) {
+    if(current != in_taint.end() && oi == current->begin()) {
+      ti = aValue.Length();
+    }
     // ' ' to '+'
     if (*p == 0x20) {
       aValue.Append(0x2B);
@@ -1344,7 +1351,12 @@ void SerializeString(const nsCString& aInput, nsAString& aValue) {
     } else {
       aValue.AppendPrintf("%%%.2X", *p);
     }
-
+    ++oi;
+    if(current != in_taint.end() && oi == current->end()) {
+      aValue.Taint().append(TaintRange(ti, aValue.Length(), current->flow()));
+      current++;
+    }
+
     ++p;
   }
 }
@@ -1374,6 +1386,7 @@ void URLParams::Serialize(nsAString& aValue, bool aEncode) const {
       aValue.Append(mParams[i].mValue);
     }
   }
+  MarkTaintOperation(aValue, "URLHelper.Serialize");
 }
 
 void URLParams::Sort() {

diff --git a/taint/test/mochitest/test_url_search_params.html b/taint/test/mochitest/test_url_search_params.html
@@ -34,6 +34,13 @@
       taintedSearchParams.delete("tainted");
       check_untainted(taintedSearchParams.toString());
 
+
+      const paramsToEscape = new URLSearchParams("q=URLUtils." + String.tainted("search<b>") + "f<o>o" + String.tainted("</b> Params") + "&"+ String.tainted("topic") + "=api");
+      const us = paramsToEscape.toString();
+      ok(us.taint.length == 3, "length check");
+      ok(us.substring(us.taint[0].begin, us.taint[0].end) == "search%3Cb%3E", "content check");
+      ok(us.substring(us.taint[1].begin, us.taint[1].end) == '%3C%2Fb%3E+Params', "content check");
+      ok(us.substring(us.taint[2].begin, us.taint[2].end) == "topic", "content check");
     </script>
   </head>
   <body>