https://www.mozilla.org/en-US/firefox/131.0/releasenotes/ MFSA 2024-46 (bsc#1230979) * CVE-2024-9391 (bmo#1892407) Prevent users from exiting full-screen mode in Firefox Focus for Android * CVE-2024-9392 (bmo#1899154, bmo#1905843) Compromised content process can bypass site isolation * CVE-2024-9393 (bmo#1918301) Cross-origin access to PDF contents through multipart responses * CVE-2024-9394 (bmo#1918874) Cross-origin access to JSON contents through multipart responses * CVE-2024-9395 (bmo#1906024) Specially crafted filename could be used to obscure download type * CVE-2024-9396 (bmo#1912471) Potential memory corruption may occur when cloning certain objects * CVE-2024-9397 (bmo#1916659) Potential directory upload bypass via clickjacking * CVE-2024-9398 (bmo#1881037) External protocol handlers could be enumerated via popups * CVE-2024-9399 (bmo#1907726) Specially crafted WebTransport requests could lead to denial of service * CVE-2024-9400 (bmo#1915249) Potential memory corruption during JIT compilation * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476) Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445, bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1178
# HG changeset patch
# User Rob Krum <biggestsonicfan@gmail.com>
# Date 1695432215 25200
# Fri Sep 22 18:23:35 2023 -0700
# Node ID e6a8a9f0956d124e8de34eb4bcf09d8e17077d9d
# Parent 5dbbabbfaca21d2c5994f95ed095313284611c44
Bug 1822730 - Add basic blob protocol handling for blob URIs that contain parsable http/s protocols
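--- a/toolkit/mozapps/downloads/DownloadLastDir.sys.mjs
+++ b/toolkit/mozapps/downloads/DownloadLastDir.sys.mjs
@@ -216,38 +216,49 @@ export class DownloadLastDir {
 Services.prefs.setComplexValue(LAST_DIR_PREF, nsIFile, aFile);
 } else if (Services.prefs.prefHasUserValue(LAST_DIR_PREF)) {
 Services.prefs.clearUserPref(LAST_DIR_PREF);
 }
 }
 
 /**
 * Pre-processor to extract a domain name to be used with the content-prefs
- * service. This specially handles data and file URIs so that the download
- * dirs are recalled in a more consistent way:
+ * service. This specially handles data, file and blob URIs so that the
+ * download dirs are recalled in a more consistent way:
 * - all file:/// URIs share the same folder
 * - data: URIs share a folder per mime-type. If a mime-type is not
 * specified text/plain is assumed.
 * - blob: URIs share the same folder as their origin. This is done by
 * ContentPrefs already, so we just let the url fall-through.
 * In any other case the original URL is returned as a string and ContentPrefs
 * will do its usual parsing.
 *
 * @param {string|nsIURI|URL} url The URL to parse
 * @returns {string} the domain name to use, or the original url.
 */
 #cpsGroupFromURL(url) {
 if (typeof url == "string") {
+ if (url.startsWith("blob:http://") || url.startsWith("blob:https://")) {
+ url = url.replace("blob:", "");
+ }
 url = new URL(url);
 } else if (url instanceof Ci.nsIURI) {
 url = URL.fromURI(url);
 }
 if (!URL.isInstance(url)) {
 return url;
 }
+ if (url.protocol == "blob:") {
+ if (
+ url.href.startsWith("blob:http://") ||
+ url.href.startsWith("blob:https://")
+ ) {
+ return url.href.replace("blob:", "");
+ }
+ }
 if (url.protocol == "data:") {
 return url.href.match(/^data:[^;,]*/i)[0].replace(/:$/, ":text/plain");
 }
 if (url.protocol == "file:") {
 return "file:///";
 }
 return url.href;
 }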
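Review bot: The `blob:` unwrapping in `#cpsGroupFromURL` is written twice, once on the raw string before `new URL(url)` and again on `url.href` after the `URL.isInstance` check, so the value that selects which site's remembered download directory is recalled comes from two separate prefix-strip paths. A string input that parses to a `blob:` URL would already reach the second branch, so the three added lines in the `typeof url == "string"` branch look removable, which leaves one place to audit. The doc comment still says blob: URIs "just fall through" to ContentPrefs, which no longer matches the code; I would reword that bullet to `* - blob: URIs that wrap an http(s) URL are grouped by the wrapped URL.` Both `startsWith` checks are also case-sensitive on the wrapped scheme, so it is worth confirming that callers never pass an un-normalised string such as `blob:HTTPS://…`.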