tbb-commits

tbb-commits@lists.torproject.org

[Git][tpo/applications/tor-browser-build][maint-14.5] Bug 41469,414679: Prepare Tor,Mullvad Browser 14.5.3
by morgan (@morgan) 26 May '25

morgan pushed to branch maint-14.5 at The Tor Project / Applications / tor-browser-build Commits: 7f1de994 by Morgan at 2025-05-26T20:49:17+00:00 Bug 41469,414679: Prepare Tor,Mullvad Browser 14.5.3 - - - - - 7 changed files: - projects/browser/Bundle-Data/Docs-MB/ChangeLog.txt - projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt - projects/browser/config - projects/firefox/config - projects/geckoview/config - projects/translation/config - rbm.conf Changes: ===================================== projects/browser/Bundle-Data/Docs-MB/ChangeLog.txt ===================================== @@ -1,3 +1,10 @@ +Mullvad Browser 14.5.3 - May 26 2025 + * All Platforms + * Updated Firefox to 128.11.0esr + * Updated NoScript to 13.0.6 + * Bug 439: Rebase Mullvad Browser stable onto 128.11.0esr [mullvad-browser] + * Bug 43811: Backport security fixes from Firefox 139 [tor-browser] + Mullvad Browser 14.5.2 - May 18 2025 * All Platforms * Updated Firefox to 128.10.1esr ===================================== projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt ===================================== @@ -1,3 +1,16 @@ +Tor Browser 14.5.3 - May 26 2025 + * All Platforms + * Updated NoScript to 13.0.6 + * Bug 43811: Backport security fixes from Firefox 139 [tor-browser] + * Bug 439: Rebase Mullvad Browser stable onto 128.11.0esr [mullvad-browser] + * Windows + macOS + Linux + * Updated Firefox to 128.11.0esr + * Android + * Updated GeckoView to 128.11.0esr + * Build System + * Android + * Bug 43809: Allow tba-fetch-deps.sh to fetch prebuilt artifacts from tor-browser-build from nightlies [tor-browser] + Tor Browser 14.5.2 - May 18 2025 * All Platforms * Bug 43397: Click to play should override "Any capability blocked in the top document must be blocked in its subdocuments too" [tor-browser] ===================================== projects/browser/config ===================================== 
@@ -111,9 +111,9 @@ input_files: enable: '[% ! c("var/android") %]' - filename: Bundle-Data enable: '[% ! c("var/android") %]' - - URL: https://addons.mozilla.org/firefox/downloads/file/4482368/noscript-12.6.xpi + - URL: https://addons.mozilla.org/firefox/downloads/file/4495120/noscript-13.0.6.x… name: noscript - sha256sum: 91d9aecbccdbad8b370ec243108f45328fa638d924b74e0abe6f2ca870dd1bf6 + sha256sum: 85066ef24c44cc839b2d6bbe4d3d08652c8e09f06515e1b86ee72ba26c406989 - URL: https://addons.mozilla.org/firefox/downloads/file/4492375/ublock_origin-1.6… name: ublock-origin sha256sum: b9e1c868bd1ac1defcabf2e01776d1a90effba34b07fe6a21350d45f022e0e9f ===================================== projects/firefox/config ===================================== @@ -16,12 +16,12 @@ container: use_container: 1 var: - firefox_platform_version: '128.10.1' + firefox_platform_version: '128.11.0' firefox_version: '[% c("var/firefox_platform_version") %]esr' browser_series: '14.5' browser_rebase: 1 browser_branch: '[% c("var/browser_series") %]-[% c("var/browser_rebase") %]' - browser_build: 1 + browser_build: 2 copyright_year: '[% exec("git show -s --format=%ci " _ c("git_hash") _ "^{commit}", { exec_noco => 1 }).remove("-.*") %]' nightly_updates_publish_dir: '[% c("var/nightly_updates_publish_dir_prefix") %]nightly-[% c("var/osname") %]' gitlab_project: https://gitlab.torproject.org/tpo/applications/tor-browser ===================================== projects/geckoview/config ===================================== 
@@ -18,12 +18,12 @@ container: build_apk: 1 var: - firefox_platform_version: '128.10.1' + firefox_platform_version: '128.11.0' geckoview_version: '[% c("var/firefox_platform_version") %]esr' browser_series: '14.5' browser_rebase: 1 browser_branch: '[% c("var/browser_series") %]-[% c("var/browser_rebase") %]' - browser_build: 1 + browser_build: 2 gitlab_project: https://gitlab.torproject.org/tpo/applications/tor-browser git_commit: '[% exec("git rev-parse " _ c("git_hash") _ "^{commit}", { exec_noco => 1 }) %]' deps: ===================================== projects/translation/config ===================================== @@ -12,13 +12,13 @@ compress_tar: 'gz' steps: base-browser: base-browser: '[% INCLUDE build %]' - git_hash: cbb22f086f26899d8cd74ad2419535638ea84d1a + git_hash: 90dbac96420394aa35ce29385814742ac4942b26 targets: nightly: git_hash: 'base-browser' tor-browser: tor-browser: '[% INCLUDE build %]' - git_hash: 0145a0f66043525a0c5c85fbaa84dfb082224809 + git_hash: 9cbc3b3d25d2c5c77f1b6b3172ba6bcad2563939 targets: nightly: git_hash: 'tor-browser' ===================================== rbm.conf ===================================== @@ -73,11 +73,11 @@ buildconf: git_signtag_opt: '-s' var: - torbrowser_version: '14.5.2' - torbrowser_build: 'build2' + torbrowser_version: '14.5.3' + torbrowser_build: 'build1' # This should be the date of when the build is started. For the build # to be reproducible, browser_release_date should always be in the past. - browser_release_date: '2025/05/18 05:10:03' + browser_release_date: '2025/05/26 20:25:32' browser_release_date_timestamp: '[% USE date; date.format(c("var/browser_release_date"), "%s") %]' browser_default_channel: release browser_platforms: 
@@ -96,13 +96,13 @@ var: updater_enabled: 1 build_mar: 1 torbrowser_incremental_from: + - 14.5.2 - 14.5.1 - - 14.5 - - 14.0.9 + - '14.5' mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]' - torbrowser_legacy_version: 13.5.17 - torbrowser_legacy_platform_version: 115.23.1 + torbrowser_legacy_version: 13.5.18 + torbrowser_legacy_platform_version: 115.24.0 # By default, we sort the list of installed packages. This allows sharing # containers with identical list of packages, even if they are not listed View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7… You're receiving this email because of your account on gitlab.torproject.org.
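Review bot: In projects/browser/config (@@ -111,9), the noscript entry changes its URL and its sha256sum in the same step, and the pinned hash is the only integrity check visible for this input file. The new value should be confirmed against a copy of noscript-13.0.6 fetched independently of the machine that prepared the commit, and the commit message is a good place to record that this was done.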
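Review bot: In projects/firefox/config (@@ -16,12), browser_build moves to 2 in the same change that moves firefox_platform_version to 128.11.0, and the projects/geckoview/config hunk does the same, so no release config ever references build1 of this rebase. A line in the commit message saying what build2 contains that build1 lacked would make the jump auditable from this repository alone.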
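Review bot: In rbm.conf (@@ -96,13), torbrowser_incremental_from drops 14.0.9 without a matching entry in either ChangeLog hunk, so the removal of incremental updates from that version is undocumented. Quoting '14.5' is the right fix, since an unquoted 14.5 is read as a float in YAML; a short comment on the list stating how many previous versions are kept would explain why 14.0.9 falls off here.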
[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-115.24.0esr-13.5-1-build2
by ma1 (@ma1) 26 May '25

ma1 pushed new tag tor-browser-115.24.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows…
[Git][tpo/applications/tor-browser][tor-browser-115.24.0esr-13.5-1] 8 commits: Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw
by ma1 (@ma1) 26 May '25

ma1 pushed to branch tor-browser-115.24.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: 0a4acb71 by smayya at 2025-05-22T17:18:56+02:00 Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw Differential Revision: https://phabricator.services.mozilla.com/D219041 - - - - - 02ee510f by hackademix at 2025-05-22T17:34:56+02:00 fixup! Firefox preference overrides. BB 43811: Block 0.0.0.0 - - - - - 6186c1fe by Oskar Mansfeld at 2025-05-26T17:25:28+02:00 Bug 1914583 - Block IPAddrAny on H3 code path. r=necko-reviewers,kershaw Note: removed glean references on Tor Browser esr115 backport Differential Revision: https://phabricator.services.mozilla.com/D239514 - - - - - dc06e11d by Daniel Holbert at 2025-05-26T17:25:48+02:00 Bug 1742738 part 1: Tighten up tearoff-table removal for DOMSVGPointList and DOMSVGStringList. r=firefox-svg-reviewers,longsonr Differential Revision: https://phabricator.services.mozilla.com/D246062 - - - - - 4f3e5d70 by Daniel Holbert at 2025-05-26T17:25:49+02:00 Bug 1742738 part 2: Tighten up tearoff-table removal for DOMSVGLength. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. Differential Revision: https://phabricator.services.mozilla.com/D246063 - - - - - d5a152e4 by Daniel Holbert at 2025-05-26T17:25:50+02:00 Bug 1742738 part 3: Tighten up tearoff-table removal for DOMSVGPoint. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. 
Differential Revision: https://phabricator.services.mozilla.com/D246065 - - - - - 73753ce8 by Jonathan Kew at 2025-05-26T17:25:50+02:00 Bug 1958121 - Use exchange to update the SpaceFeatures flags. a=RyanVM Original Revision: https://phabricator.services.mozilla.com/D245913 Differential Revision: https://phabricator.services.mozilla.com/D247887 - - - - - d3e4fff1 by Gijs Kruitbosch at 2025-05-26T17:25:51+02:00 Bug 1959298 - use search params in about:memory, r=mccr8 Differential Revision: https://phabricator.services.mozilla.com/D245049 - - - - - 16 changed files: - browser/app/profile/001-base-profile.js - dom/svg/DOMSVGLength.cpp - dom/svg/DOMSVGLength.h - dom/svg/DOMSVGPoint.cpp - dom/svg/DOMSVGPoint.h - dom/svg/DOMSVGPointList.cpp - dom/svg/DOMSVGPointList.h - dom/svg/DOMSVGStringList.cpp - dom/svg/DOMSVGStringList.h - gfx/thebes/gfxFont.cpp - modules/libpref/init/StaticPrefList.yaml - netwerk/base/nsIOService.cpp - netwerk/base/nsSocketTransport2.cpp - netwerk/protocol/http/HttpConnectionUDP.cpp - netwerk/test/unit/trr_common.js - toolkit/components/aboutmemory/content/aboutMemory.js Changes: ===================================== browser/app/profile/001-base-profile.js ===================================== @@ -482,6 +482,11 @@ pref("network.http.http2.default-hpack-buffer", 65536, locked); pref("network.http.http2.websockets", true, locked); pref("network.http.http2.enable-hpack-dump", false, locked); +// Block 0.0.0.0 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1889130 +// tor-browser#43811 +pref("network.socket.ip_addr_any.disabled", true); + // tor-browser#23044: Make sure we don't have any GIO supported protocols // (defense in depth measure) pref("network.gio.supported-protocols", ""); ===================================== dom/svg/DOMSVGLength.cpp ===================================== 
@@ -51,6 +51,7 @@ DOMSVGLength::DOMSVGLength(DOMSVGLengthList* aList, uint8_t aAttrEnum, mListIndex(aListIndex), mAttrEnum(aAttrEnum), mIsAnimValItem(aIsAnimValItem), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aList, "bad arg"); MOZ_ASSERT(mAttrEnum == aAttrEnum, "bitfield too small"); @@ -63,6 +64,7 @@ DOMSVGLength::DOMSVGLength() mListIndex(0), mAttrEnum(0), mIsAnimValItem(false), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {} DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, @@ -71,6 +73,7 @@ DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, mListIndex(0), mAttrEnum(aVal->mAttrEnum), mIsAnimValItem(aAnimVal), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aVal, "bad arg"); MOZ_ASSERT(mAttrEnum == aVal->mAttrEnum, "bitfield too small"); 
@@ -88,22 +91,33 @@ void DOMSVGLength::CleanupWeakRefs() { // Similarly, we must update the tearoff table to remove its (non-owning) // pointer to mVal. - if (nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner)) { - auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable - : sBaseSVGLengthTearOffTable; - table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + if (mIsInTearoffTable) { + nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner); + MOZ_ASSERT(svg, + "We need our svgElement reference in order to remove " + "ourselves from tearoff table..."); + if (MOZ_LIKELY(svg)) { + auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable + : sBaseSVGLengthTearOffTable; + table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + mIsInTearoffTable = false; + } } } already_AddRefed<DOMSVGLength> DOMSVGLength::GetTearOff(SVGAnimatedLength* aVal, SVGElement* aSVGElement, bool aAnimVal) { + MOZ_ASSERT(aVal && aSVGElement, "Expecting non-null aVal and aSVGElement"); + MOZ_ASSERT(aVal == aSVGElement->GetAnimatedLength(aVal->mAttrEnum), + "Mismatched aVal/SVGElement?"); auto& table = aAnimVal ? sAnimSVGLengthTearOffTable : sBaseSVGLengthTearOffTable; RefPtr<DOMSVGLength> domLength = table.GetTearoff(aVal); if (!domLength) { domLength = new DOMSVGLength(aVal, aSVGElement, aAnimVal); table.AddTearoff(aVal, domLength); + domLength->mIsInTearoffTable = true; } return domLength.forget(); ===================================== dom/svg/DOMSVGLength.h ===================================== @@ -15,7 +15,7 @@ #include "mozilla/Attributes.h" #include "nsWrapperCache.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 22 // supports > 4 million list items +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 21 // supports > 2 million list items namespace mozilla { 
@@ -198,6 +198,13 @@ class DOMSVGLength final : public nsWrapperCache { uint32_t mAttrEnum : 4; // supports up to 16 attributes uint32_t mIsAnimValItem : 1; + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true after we're added to the table + // (unless we're an instance created via 'Copy()'; those never get added to + // the table). Updated to false when we're removed from the table (at which + // point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; + // The following members are only used when we're not in a list: uint32_t mUnit : 5; // can handle 31 units (the 10 SVG 1.1 units + rem, vw, // vh, wm, calc + future additions) ===================================== dom/svg/DOMSVGPoint.cpp ===================================== @@ -168,6 +168,7 @@ already_AddRefed<DOMSVGPoint> DOMSVGPoint::GetTranslateTearOff( if (!domPoint) { domPoint = new DOMSVGPoint(aVal, aSVGSVGElement); sSVGTranslateTearOffTable.AddTearoff(aVal, domPoint); + domPoint->mIsInTearoffTable = true; } return domPoint.forget(); @@ -204,12 +205,18 @@ void DOMSVGPoint::CleanupWeakRefs() { pointList->mItems[mListIndex] = nullptr; } + if (mIsInTearoffTable) { + // Similarly, we must update the tearoff table to remove its (non-owning) + // pointer to mVal. + MOZ_ASSERT(mVal && mIsTranslatePoint, + "Tearoff table should only be used for translate-point objects " + "with non-null mVal (see GetTranslateTearOff and its callers)"); + sSVGTranslateTearOffTable.RemoveTearoff(mVal); + mIsInTearoffTable = false; + } + if (mVal) { - if (mIsTranslatePoint) { - // Similarly, we must update the tearoff table to remove its (non-owning) - // pointer to mVal. - sSVGTranslateTearOffTable.RemoveTearoff(mVal); - } else { + if (!mIsTranslatePoint) { // In this case we own mVal delete mVal; } ===================================== dom/svg/DOMSVGPoint.h ===================================== 
@@ -17,7 +17,7 @@ #include "mozilla/dom/SVGSVGElement.h" #include "mozilla/gfx/2D.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 30 +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 29 namespace mozilla::dom { struct DOMMatrix2DInit; @@ -51,7 +51,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(aList), mListIndex(aListIndex), mIsAnimValItem(aIsAnimValItem), - mIsTranslatePoint(false) { + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // These shifts are in sync with the members. MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg"); @@ -60,7 +61,10 @@ class DOMSVGPoint final : public nsWrapperCache { // Constructor for unowned points and SVGSVGElement.createSVGPoint explicit DOMSVGPoint(const Point& aPt) - : mListIndex(0), mIsAnimValItem(false), mIsTranslatePoint(false) { + : mListIndex(0), + mIsAnimValItem(false), + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // In this case we own mVal mVal = new SVGPoint(aPt.x, aPt.y); } @@ -72,7 +76,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(ToSupports(aSVGSVGElement)), mListIndex(0), mIsAnimValItem(false), - mIsTranslatePoint(true) {} + mIsTranslatePoint(true), + mIsInTearoffTable(false) {} virtual ~DOMSVGPoint() { CleanupWeakRefs(); } @@ -178,6 +183,12 @@ class DOMSVGPoint final : public nsWrapperCache { uint32_t mListIndex : MOZ_SVG_LIST_INDEX_BIT_COUNT; uint32_t mIsAnimValItem : 1; // True if We're the animated value of a list uint32_t mIsTranslatePoint : 1; // true iff our owner is a SVGSVGElement + + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true if/when we're added to the table + // (not all instances are). Updated to false when we're removed from the + // table (at which point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; }; } // namespace mozilla::dom ===================================== dom/svg/DOMSVGPointList.cpp ===================================== 
@@ -88,9 +88,12 @@ void DOMSVGPointList::RemoveFromTearoffTable() { // // There are now no longer any references to us held by script or list items. // Note we must use GetAnimValKey/GetBaseValKey here, NOT InternalList()! - void* key = mIsAnimValList ? InternalAList().GetAnimValKey() - : InternalAList().GetBaseValKey(); - SVGPointListTearoffTable().RemoveTearoff(key); + if (mIsInTearoffTable) { + void* key = mIsAnimValList ? InternalAList().GetAnimValKey() + : InternalAList().GetBaseValKey(); + SVGPointListTearoffTable().RemoveTearoff(key); + mIsInTearoffTable = false; + } } DOMSVGPointList::~DOMSVGPointList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGPointList.h ===================================== @@ -250,6 +250,12 @@ class DOMSVGPointList final : public nsISupports, public nsWrapperCache { RefPtr<dom::SVGElement> mElement; bool mIsAnimValList; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; NS_DEFINE_STATIC_IID_ACCESSOR(DOMSVGPointList, MOZILLA_DOMSVGPOINTLIST_IID) ===================================== dom/svg/DOMSVGStringList.cpp ===================================== @@ -91,7 +91,10 @@ already_AddRefed<DOMSVGStringList> DOMSVGStringList::GetDOMWrapper( void DOMSVGStringList::RemoveFromTearoffTable() { // Script no longer has any references to us. - SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + if (mIsInTearoffTable) { + SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + mIsInTearoffTable = false; + } } DOMSVGStringList::~DOMSVGStringList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGStringList.h ===================================== 
@@ -108,6 +108,12 @@ class DOMSVGStringList final : public nsISupports, public nsWrapperCache { uint8_t mAttrEnum; bool mIsConditionalProcessingAttribute; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; } // namespace dom ===================================== gfx/thebes/gfxFont.cpp ===================================== @@ -1293,8 +1293,12 @@ static const hb_tag_t defaultFeatures[] = { void gfxFont::CheckForFeaturesInvolvingSpace() const { gfxFontEntry::SpaceFeatures flags = gfxFontEntry::SpaceFeatures::None; + // mFontEntry->mHasSpaceFeatures is a std::atomic<>, so we set it with + // `exchange` to avoid a potential data race. It's ok if two threads both + // try to set it; they'll end up with the same value, so it doesn't matter + // that one will overwrite the other. auto setFlags = - MakeScopeExit([&]() { mFontEntry->mHasSpaceFeatures = flags; }); + MakeScopeExit([&]() { mFontEntry->mHasSpaceFeatures.exchange(flags); }); bool log = LOG_FONTINIT_ENABLED(); TimeStamp start; ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -11735,6 +11735,13 @@ value: true mirror: always +# Disable requests to 0.0.0.0 +# See Bug 1889130 +- name: network.socket.ip_addr_any.disabled + type: RelaxedAtomicBool + value: @IS_EARLY_BETA_OR_EARLIER@ + mirror: always + # Set true to allow resolving proxy for localhost - name: network.proxy.allow_hijacking_localhost type: RelaxedAtomicBool ===================================== netwerk/base/nsIOService.cpp ===================================== 
@@ -230,6 +230,7 @@ static const char* gCallbackPrefsForSocketProcess[] = { "network.proxy.allow_hijacking_localhost", "network.connectivity-service.", "network.captive-portal-service.testMode", + "network.socket.ip_addr_any.disabled", nullptr, }; ===================================== netwerk/base/nsSocketTransport2.cpp ===================================== @@ -1245,6 +1245,15 @@ nsresult nsSocketTransport::InitiateSocket() { if (gIOService->IsNetTearingDown()) { return NS_ERROR_ABORT; } + + // Since https://github.com/whatwg/fetch/pull/1763, + // we need to disable access to 0.0.0.0 for non-test purposes + if (StaticPrefs::network_socket_ip_addr_any_disabled() && + mNetAddr.IsIPAddrAny() && !mProxyTransparentResolvesHost) { + SOCKET_LOG(("connection refused NS_ERROR_CONNECTION_REFUSED\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + if (gIOService->IsOffline()) { if (StaticPrefs::network_disable_localhost_when_offline() || !isLocal) { return NS_ERROR_OFFLINE; ===================================== netwerk/protocol/http/HttpConnectionUDP.cpp ===================================== @@ -86,6 +86,15 @@ nsresult HttpConnectionUDP::Init(nsHttpConnectionInfo* info, return rv; } + // We are disabling 0.0.0.0 for non-test purposes. + // See https://github.com/whatwg/fetch/pull/1763 for context. + if (peerAddr.IsIPAddrAny()) { + if (StaticPrefs::network_socket_ip_addr_any_disabled()) { + LOG(("Connection refused because of 0.0.0.0 IP address\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + } + mSocket = do_CreateInstance("@mozilla.org/network/udp-socket;1", &rv); if (NS_FAILED(rv)) { return rv; ===================================== netwerk/test/unit/trr_common.js ===================================== 
@@ -1025,6 +1025,7 @@ async function test_ipv4_trr_fallback() { async function test_no_retry_without_doh() { info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS"); Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false); + Services.prefs.setBoolPref("network.socket.ip_addr_any.disabled", false); async function test(url, ip) { setModeAndURI(2, `doh?responseIP=${ip}`); @@ -1071,6 +1072,8 @@ async function test_no_retry_without_doh() { await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0"); await test(`http://unknown.ipv6.stuff:666/path`, "::"); } + + Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled"); } async function test_connection_reuse_and_cycling() { ===================================== toolkit/components/aboutmemory/content/aboutMemory.js ===================================== @@ -506,19 +506,11 @@ window.onload = function () { appendElementWithText(gFooter, "div", "legend", legendText1); appendElementWithText(gFooter, "div", "legend hiddenOnMobile", legendText2); - // See if we're loading from a file. (Because about:memory is a non-standard - // URL, location.search is undefined, so we have to use location.href - // instead.) - let search = location.href.split("?")[1]; - if (search) { - let searchSplit = search.split("&"); - for (let s of searchSplit) { - if (s.toLowerCase().startsWith("file=")) { - let filename = s.substring("file=".length); - updateAboutMemoryFromFile(decodeURIComponent(filename)); - return; - } - } + // See if we're loading from a file. + let { searchParams } = URL.fromURI(document.documentURIObject); + let fileParam = searchParams.get("file"); + if (fileParam) { + updateAboutMemoryFromFile(fileParam); } }; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/be8b37… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/be8b37… You're receiving this email because of your account on gitlab.torproject.org.
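Review bot: In browser/app/profile/001-base-profile.js, the added pref("network.socket.ip_addr_any.disabled", true) is not locked, while the neighbouring network.http.http2.* prefs in the same hunk are. If the 0.0.0.0 block is meant as a fixed part of the browser's network policy rather than a user-tunable default, add the locked argument; if leaving it unlocked is deliberate, the comment should say why.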
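Review bot: In DOMSVGLength::CleanupWeakRefs (dom/svg/DOMSVGLength.cpp, @@ -88,22), when mIsInTearoffTable is set but do_QueryInterface(mOwner) yields null, MOZ_ASSERT is compiled out of release builds and the if (MOZ_LIKELY(svg)) branch is skipped, so the table keeps its entry for this object and the flag stays true. That is the stale-entry case the flag exists to prevent, so consider MOZ_DIAGNOSTIC_ASSERT or a release-mode fallback, or state in the comment why svg cannot be null at this point.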
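Review bot: In dom/svg/DOMSVGPointList.h and dom/svg/DOMSVGStringList.h, mIsInTearoffTable defaults to true on the strength of the comment that every new instance is added to the table right after construction, which is a convention between the constructor and its caller and not something the code enforces. DOMSVGLength and DOMSVGPoint in the same series start at false and set the flag next to AddTearoff; doing the same here would keep the flag correct if a construction path that skips the table is added later.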
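Review bot: In gfxFont::CheckForFeaturesInvolvingSpace (gfx/thebes/gfxFont.cpp), the value returned by mHasSpaceFeatures.exchange(flags) is discarded, so the call is used purely as a write. The new comment explains why concurrent writers are harmless but not why exchange is needed instead of a plain atomic store; either use store() or add that reason to the comment.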
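Review bot: In modules/libpref/init/StaticPrefList.yaml, the new network.socket.ip_addr_any.disabled entry takes its default from @IS_EARLY_BETA_OR_EARLIER@, which is false on an ESR release build, so on this branch the block is active only because of the override in 001-base-profile.js. A comment here pointing at that override, or a hard-coded true for this backport, would keep the check from silently turning off if the profile pref is dropped in a later rebase.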
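Review bot: In nsSocketTransport::InitiateSocket (netwerk/base/nsSocketTransport2.cpp), the SOCKET_LOG text "connection refused NS_ERROR_CONNECTION_REFUSED" does not say why the connection was refused, unlike the HttpConnectionUDP.cpp hunk, which logs "Connection refused because of 0.0.0.0 IP address". Name the IPAddrAny check in the message so this policy refusal can be told apart from a real one in socket logs, and add a one-line comment on the !mProxyTransparentResolvesHost exemption, since the H3 path has no equivalent condition.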
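Review bot: In test_no_retry_without_doh (netwerk/test/unit/trr_common.js), network.socket.ip_addr_any.disabled is set to false at the top and only restored by the clearUserPref call on the last line, so any rejected await in between leaves the 0.0.0.0 block disabled for every test that runs afterwards. Wrap the body in try/finally or register the reset as a cleanup function so the pref is restored on failure as well.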
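Review bot: In toolkit/components/aboutmemory/content/aboutMemory.js, searchParams.get("file") is not a drop-in replacement for the removed loop: the old code matched the parameter name case-insensitively via toLowerCase() and decoded the value with decodeURIComponent, whereas URLSearchParams matches "file" exactly and also turns "+" into a space. If links using FILE= or paths containing "+" are expected to keep working, that needs handling here or a note in the commit message that the change is intended.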
[Git][tpo/applications/tor-browser][base-browser-128.11.0esr-14.5-1] 7 commits: Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw
by morgan (@morgan) 26 May '25

morgan pushed to branch base-browser-128.11.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: 67609f51 by smayya at 2025-05-26T20:22:49+00:00 Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw Differential Revision: https://phabricator.services.mozilla.com/D219041 - - - - - 9135b49b by hackademix at 2025-05-26T20:22:49+00:00 fixup! Firefox preference overrides. BB 43811: Block 0.0.0.0 - - - - - 3863a3bb by Oskar Mansfeld at 2025-05-26T20:22:49+00:00 Bug 1914583 - Block IPAddrAny on H3 code path. r=necko-reviewers,kershaw Differential Revision: https://phabricator.services.mozilla.com/D239514 - - - - - 23aa8fbb by Daniel Holbert at 2025-05-26T20:22:50+00:00 Bug 1742738 part 1: Tighten up tearoff-table removal for DOMSVGPointList and DOMSVGStringList. r=firefox-svg-reviewers,longsonr Differential Revision: https://phabricator.services.mozilla.com/D246062 - - - - - a75f2376 by Daniel Holbert at 2025-05-26T20:22:50+00:00 Bug 1742738 part 2: Tighten up tearoff-table removal for DOMSVGLength. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. Differential Revision: https://phabricator.services.mozilla.com/D246063 - - - - - ab86560a by Daniel Holbert at 2025-05-26T20:22:50+00:00 Bug 1742738 part 3: Tighten up tearoff-table removal for DOMSVGPoint. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. 
Differential Revision: https://phabricator.services.mozilla.com/D246065 - - - - - 5ae92208 by Gijs Kruitbosch at 2025-05-26T20:22:51+00:00 Bug 1959298 - use search params in about:memory, r=mccr8 Differential Revision: https://phabricator.services.mozilla.com/D245049 - - - - - 15 changed files: - browser/app/profile/001-base-profile.js - dom/svg/DOMSVGLength.cpp - dom/svg/DOMSVGLength.h - dom/svg/DOMSVGPoint.cpp - dom/svg/DOMSVGPoint.h - dom/svg/DOMSVGPointList.cpp - dom/svg/DOMSVGPointList.h - dom/svg/DOMSVGStringList.cpp - dom/svg/DOMSVGStringList.h - modules/libpref/init/StaticPrefList.yaml - netwerk/base/nsIOService.cpp - netwerk/base/nsSocketTransport2.cpp - netwerk/protocol/http/HttpConnectionUDP.cpp - netwerk/test/unit/trr_common.js - toolkit/components/aboutmemory/content/aboutMemory.js Changes: ===================================== browser/app/profile/001-base-profile.js ===================================== @@ -536,6 +536,11 @@ pref("network.proxy.failover_direct", false, locked); // alters content load order in a page. See tor-browser#24686 pref("network.http.tailing.enabled", true, locked); +// Block 0.0.0.0 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1889130 +// tor-browser#43811 +pref("network.socket.ip_addr_any.disabled", true); + // tor-browser#23044: Make sure we don't have any GIO supported protocols // (defense in depth measure). // As of Firefox 118 (Bug 1843763), upstream does not add any protocol by ===================================== dom/svg/DOMSVGLength.cpp ===================================== @@ -51,6 +51,7 @@ DOMSVGLength::DOMSVGLength(DOMSVGLengthList* aList, uint8_t aAttrEnum, mListIndex(aListIndex), mAttrEnum(aAttrEnum), mIsAnimValItem(aIsAnimValItem), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aList, "bad arg"); MOZ_ASSERT(mAttrEnum == aAttrEnum, "bitfield too small"); 
@@ -63,6 +64,7 @@ DOMSVGLength::DOMSVGLength() mListIndex(0), mAttrEnum(0), mIsAnimValItem(false), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {} DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, @@ -71,6 +73,7 @@ DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, mListIndex(0), mAttrEnum(aVal->mAttrEnum), mIsAnimValItem(aAnimVal), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aVal, "bad arg"); MOZ_ASSERT(mAttrEnum == aVal->mAttrEnum, "bitfield too small"); 
@@ -88,22 +91,33 @@ void DOMSVGLength::CleanupWeakRefs() { // Similarly, we must update the tearoff table to remove its (non-owning) // pointer to mVal. - if (nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner)) { - auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable - : sBaseSVGLengthTearOffTable; - table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + if (mIsInTearoffTable) { + nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner); + MOZ_ASSERT(svg, + "We need our svgElement reference in order to remove " + "ourselves from tearoff table..."); + if (MOZ_LIKELY(svg)) { + auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable + : sBaseSVGLengthTearOffTable; + table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + mIsInTearoffTable = false; + } } } already_AddRefed<DOMSVGLength> DOMSVGLength::GetTearOff(SVGAnimatedLength* aVal, SVGElement* aSVGElement, bool aAnimVal) { + MOZ_ASSERT(aVal && aSVGElement, "Expecting non-null aVal and aSVGElement"); + MOZ_ASSERT(aVal == aSVGElement->GetAnimatedLength(aVal->mAttrEnum), + "Mismatched aVal/SVGElement?"); auto& table = aAnimVal ? sAnimSVGLengthTearOffTable : sBaseSVGLengthTearOffTable; RefPtr<DOMSVGLength> domLength = table.GetTearoff(aVal); if (!domLength) { domLength = new DOMSVGLength(aVal, aSVGElement, aAnimVal); table.AddTearoff(aVal, domLength); + domLength->mIsInTearoffTable = true; } return domLength.forget(); ===================================== dom/svg/DOMSVGLength.h ===================================== @@ -15,7 +15,7 @@ #include "mozilla/Attributes.h" #include "nsWrapperCache.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 22 // supports > 4 million list items +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 21 // supports > 2 million list items namespace mozilla { 
@@ -204,6 +204,13 @@ class DOMSVGLength final : public nsWrapperCache { uint32_t mAttrEnum : 4; // supports up to 16 attributes uint32_t mIsAnimValItem : 1; + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true after we're added to the table + // (unless we're an instance created via 'Copy()'; those never get added to + // the table). Updated to false when we're removed from the table (at which + // point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; + // The following members are only used when we're not in a list: uint32_t mUnit : 5; // can handle 31 units (the 10 SVG 1.1 units + rem, vw, // vh, wm, calc + future additions) ===================================== dom/svg/DOMSVGPoint.cpp ===================================== @@ -167,6 +167,7 @@ already_AddRefed<DOMSVGPoint> DOMSVGPoint::GetTranslateTearOff( if (!domPoint) { domPoint = new DOMSVGPoint(aVal, aSVGSVGElement); sSVGTranslateTearOffTable.AddTearoff(aVal, domPoint); + domPoint->mIsInTearoffTable = true; } return domPoint.forget(); @@ -203,12 +204,18 @@ void DOMSVGPoint::CleanupWeakRefs() { pointList->mItems[mListIndex] = nullptr; } + if (mIsInTearoffTable) { + // Similarly, we must update the tearoff table to remove its (non-owning) + // pointer to mVal. + MOZ_ASSERT(mVal && mIsTranslatePoint, + "Tearoff table should only be used for translate-point objects " + "with non-null mVal (see GetTranslateTearOff and its callers)"); + sSVGTranslateTearOffTable.RemoveTearoff(mVal); + mIsInTearoffTable = false; + } + if (mVal) { - if (mIsTranslatePoint) { - // Similarly, we must update the tearoff table to remove its (non-owning) - // pointer to mVal. - sSVGTranslateTearOffTable.RemoveTearoff(mVal); - } else { + if (!mIsTranslatePoint) { // In this case we own mVal delete mVal; } ===================================== dom/svg/DOMSVGPoint.h ===================================== 
@@ -17,7 +17,7 @@ #include "mozilla/dom/SVGSVGElement.h" #include "mozilla/gfx/2D.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 30 +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 29 namespace mozilla::dom { struct DOMMatrix2DInit; @@ -51,7 +51,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(aList), mListIndex(aListIndex), mIsAnimValItem(aIsAnimValItem), - mIsTranslatePoint(false) { + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // These shifts are in sync with the members. MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg"); @@ -60,7 +61,10 @@ class DOMSVGPoint final : public nsWrapperCache { // Constructor for unowned points and SVGSVGElement.createSVGPoint explicit DOMSVGPoint(const Point& aPt) - : mListIndex(0), mIsAnimValItem(false), mIsTranslatePoint(false) { + : mListIndex(0), + mIsAnimValItem(false), + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // In this case we own mVal mVal = new SVGPoint(aPt.x, aPt.y); } @@ -72,7 +76,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(ToSupports(aSVGSVGElement)), mListIndex(0), mIsAnimValItem(false), - mIsTranslatePoint(true) {} + mIsTranslatePoint(true), + mIsInTearoffTable(false) {} virtual ~DOMSVGPoint() { CleanupWeakRefs(); } @@ -178,6 +183,12 @@ class DOMSVGPoint final : public nsWrapperCache { uint32_t mListIndex : MOZ_SVG_LIST_INDEX_BIT_COUNT; uint32_t mIsAnimValItem : 1; // True if We're the animated value of a list uint32_t mIsTranslatePoint : 1; // true iff our owner is a SVGSVGElement + + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true if/when we're added to the table + // (not all instances are). Updated to false when we're removed from the + // table (at which point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; }; } // namespace mozilla::dom ===================================== dom/svg/DOMSVGPointList.cpp ===================================== 
@@ -90,9 +90,12 @@ void DOMSVGPointList::RemoveFromTearoffTable() { // // There are now no longer any references to us held by script or list items. // Note we must use GetAnimValKey/GetBaseValKey here, NOT InternalList()! - void* key = mIsAnimValList ? InternalAList().GetAnimValKey() - : InternalAList().GetBaseValKey(); - SVGPointListTearoffTable().RemoveTearoff(key); + if (mIsInTearoffTable) { + void* key = mIsAnimValList ? InternalAList().GetAnimValKey() + : InternalAList().GetBaseValKey(); + SVGPointListTearoffTable().RemoveTearoff(key); + mIsInTearoffTable = false; + } } DOMSVGPointList::~DOMSVGPointList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGPointList.h ===================================== @@ -251,6 +251,12 @@ class DOMSVGPointList final : public nsISupports, public nsWrapperCache { RefPtr<dom::SVGElement> mElement; bool mIsAnimValList; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; NS_DEFINE_STATIC_IID_ACCESSOR(DOMSVGPointList, MOZILLA_DOMSVGPOINTLIST_IID) ===================================== dom/svg/DOMSVGStringList.cpp ===================================== @@ -91,7 +91,10 @@ already_AddRefed<DOMSVGStringList> DOMSVGStringList::GetDOMWrapper( void DOMSVGStringList::RemoveFromTearoffTable() { // Script no longer has any references to us. - SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + if (mIsInTearoffTable) { + SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + mIsInTearoffTable = false; + } } DOMSVGStringList::~DOMSVGStringList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGStringList.h ===================================== 
@@ -108,6 +108,12 @@ class DOMSVGStringList final : public nsISupports, public nsWrapperCache { uint8_t mAttrEnum; bool mIsConditionalProcessingAttribute; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; } // namespace dom ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -12175,6 +12175,13 @@ value: true mirror: always +# Disable requests to 0.0.0.0 +# See Bug 1889130 +- name: network.socket.ip_addr_any.disabled + type: RelaxedAtomicBool + value: @IS_EARLY_BETA_OR_EARLIER@ + mirror: always + # Set true to allow resolving proxy for localhost - name: network.proxy.allow_hijacking_localhost type: RelaxedAtomicBool ===================================== netwerk/base/nsIOService.cpp ===================================== @@ -239,6 +239,7 @@ static const char* gCallbackPrefsForSocketProcess[] = { "network.proxy.allow_hijacking_localhost", "network.connectivity-service.", "network.captive-portal-service.testMode", + "network.socket.ip_addr_any.disabled", nullptr, }; ===================================== netwerk/base/nsSocketTransport2.cpp ===================================== 
@@ -1241,6 +1241,15 @@ nsresult nsSocketTransport::InitiateSocket() { if (gIOService->IsNetTearingDown()) { return NS_ERROR_ABORT; } + + // Since https://github.com/whatwg/fetch/pull/1763, + // we need to disable access to 0.0.0.0 for non-test purposes + if (StaticPrefs::network_socket_ip_addr_any_disabled() && + mNetAddr.IsIPAddrAny() && !mProxyTransparentResolvesHost) { + SOCKET_LOG(("connection refused NS_ERROR_CONNECTION_REFUSED\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + if (gIOService->IsOffline()) { if (StaticPrefs::network_disable_localhost_when_offline() || !isLocal) { return NS_ERROR_OFFLINE; ===================================== netwerk/protocol/http/HttpConnectionUDP.cpp ===================================== @@ -19,6 +19,7 @@ #include "ASpdySession.h" #include "mozilla/StaticPrefs_network.h" +#include "mozilla/glean/NetwerkMetrics.h" #include "mozilla/Telemetry.h" #include "HttpConnectionUDP.h" #include "nsHttpHandler.h" @@ -88,6 +89,22 @@ nsresult HttpConnectionUDP::Init(nsHttpConnectionInfo* info, return rv; } + // We are disabling 0.0.0.0 for non-test purposes. + // See https://github.com/whatwg/fetch/pull/1763 for context. + if (peerAddr.IsIPAddrAny()) { + if (StaticPrefs::network_socket_ip_addr_any_disabled()) { + mozilla::glean::networking::http_ip_addr_any_count + .Get("blocked_requests"_ns) + .Add(1); + LOG(("Connection refused because of 0.0.0.0 IP address\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + + mozilla::glean::networking::http_ip_addr_any_count + .Get("not_blocked_requests"_ns) + .Add(1); + } + mSocket = do_CreateInstance("@mozilla.org/network/udp-socket;1", &rv); if (NS_FAILED(rv)) { return rv; ===================================== netwerk/test/unit/trr_common.js ===================================== 
@@ -1027,6 +1027,7 @@ async function test_ipv4_trr_fallback() { async function test_no_retry_without_doh() { info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS"); Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false); + Services.prefs.setBoolPref("network.socket.ip_addr_any.disabled", false); async function test(url, ip) { setModeAndURI(2, `doh?responseIP=${ip}`); @@ -1073,6 +1074,8 @@ async function test_no_retry_without_doh() { await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0"); await test(`http://unknown.ipv6.stuff:666/path`, "::"); } + + Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled"); } async function test_connection_reuse_and_cycling() { ===================================== toolkit/components/aboutmemory/content/aboutMemory.js ===================================== @@ -508,19 +508,11 @@ window.onload = function () { appendElementWithText(gFooter, "div", "legend", legendText1); appendElementWithText(gFooter, "div", "legend hiddenOnMobile", legendText2); - // See if we're loading from a file. (Because about:memory is a non-standard - // URL, location.search is undefined, so we have to use location.href - // instead.) - let search = location.href.split("?")[1]; - if (search) { - let searchSplit = search.split("&"); - for (let s of searchSplit) { - if (s.toLowerCase().startsWith("file=")) { - let filename = s.substring("file=".length); - updateAboutMemoryFromFile(decodeURIComponent(filename)); - return; - } - } + // See if we're loading from a file. + let { searchParams } = URL.fromURI(document.documentURIObject); + let fileParam = searchParams.get("file"); + if (fileParam) { + updateAboutMemoryFromFile(fileParam); } }; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/6a2fa0… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/6a2fa0… You're receiving this email because of your account on gitlab.torproject.org.
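Review bot: in DOMSVGLength::CleanupWeakRefs, when mIsInTearoffTable is set but do_QueryInterface(mOwner) yields null, the MOZ_LIKELY(svg) branch is skipped, so RemoveTearoff never runs and the flag stays true. MOZ_ASSERT only fires in debug builds, so a release build would leave the table holding its non-owning pointer for an object that is going away. If that state is truly unreachable, say so in the comment or use a release-mode assertion; otherwise the removal needs a key that does not depend on mOwner.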
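Review bot: DOMSVGPointList.h and DOMSVGStringList.h initialize mIsInTearoffTable to true in the member declaration and rely on the comment's promise that every instance is added to the table right after construction, whereas DOMSVGLength and DOMSVGPoint start at false and set the flag next to AddTearoff. Setting the flag at the AddTearoff call site in these two classes as well would keep it from being true on an instance that never reached the table, and would make the four classes consistent.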
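Review bot: in the aboutMemory.js hunk, searchParams.get("file") matches the parameter name case-sensitively, while the removed code lower-cased each segment before testing for "file=", so a URL that uses FILE= no longer loads the file. URLSearchParams also decodes "+" as a space, which decodeURIComponent did not, so a filename containing a literal "+" now has to be percent-encoded. If both differences are intended, a line in the commit message or a test covering them would help.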
[Git][tpo/applications/mullvad-browser] Pushed new tag mullvad-browser-128.11.0esr-14.5-1-build2
by morgan (@morgan) 26 May '25

morgan pushed new tag mullvad-browser-128.11.0esr-14.5-1-build2 at The Tor Project / Applications / Mullvad Browser

View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/tree/mullv…
[Git][tpo/applications/mullvad-browser][mullvad-browser-128.11.0esr-14.5-1] 7 commits: Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw
by morgan (@morgan) 26 May '25

morgan pushed to branch mullvad-browser-128.11.0esr-14.5-1 at The Tor Project / Applications / Mullvad Browser

Commits:

d3f83daa by smayya at 2025-05-26T20:03:31+00:00
Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D219041

- - - - -

f13fc799 by hackademix at 2025-05-26T20:03:31+00:00
fixup! Firefox preference overrides.

BB 43811: Block 0.0.0.0

- - - - -

557f124b by Oskar Mansfeld at 2025-05-26T20:03:32+00:00
Bug 1914583 - Block IPAddrAny on H3 code path. r=necko-reviewers,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D239514

- - - - -

493492d2 by Daniel Holbert at 2025-05-26T20:03:32+00:00
Bug 1742738 part 1: Tighten up tearoff-table removal for DOMSVGPointList and DOMSVGStringList. r=firefox-svg-reviewers,longsonr

Differential Revision: https://phabricator.services.mozilla.com/D246062

- - - - -

e486547a by Daniel Holbert at 2025-05-26T20:03:32+00:00
Bug 1742738 part 2: Tighten up tearoff-table removal for DOMSVGLength. r=firefox-svg-reviewers,longsonr

I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table.

Differential Revision: https://phabricator.services.mozilla.com/D246063

- - - - -

c1566bd8 by Daniel Holbert at 2025-05-26T20:03:32+00:00
Bug 1742738 part 3: Tighten up tearoff-table removal for DOMSVGPoint. r=firefox-svg-reviewers,longsonr

I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table.
Differential Revision: https://phabricator.services.mozilla.com/D246065 - - - - - d686ade4 by Gijs Kruitbosch at 2025-05-26T20:03:33+00:00 Bug 1959298 - use search params in about:memory, r=mccr8 Differential Revision: https://phabricator.services.mozilla.com/D245049 - - - - - 15 changed files: - browser/app/profile/001-base-profile.js - dom/svg/DOMSVGLength.cpp - dom/svg/DOMSVGLength.h - dom/svg/DOMSVGPoint.cpp - dom/svg/DOMSVGPoint.h - dom/svg/DOMSVGPointList.cpp - dom/svg/DOMSVGPointList.h - dom/svg/DOMSVGStringList.cpp - dom/svg/DOMSVGStringList.h - modules/libpref/init/StaticPrefList.yaml - netwerk/base/nsIOService.cpp - netwerk/base/nsSocketTransport2.cpp - netwerk/protocol/http/HttpConnectionUDP.cpp - netwerk/test/unit/trr_common.js - toolkit/components/aboutmemory/content/aboutMemory.js Changes: ===================================== browser/app/profile/001-base-profile.js ===================================== @@ -536,6 +536,11 @@ pref("network.proxy.failover_direct", false, locked); // alters content load order in a page. See tor-browser#24686 pref("network.http.tailing.enabled", true, locked); +// Block 0.0.0.0 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1889130 +// tor-browser#43811 +pref("network.socket.ip_addr_any.disabled", true); + // tor-browser#23044: Make sure we don't have any GIO supported protocols // (defense in depth measure). // As of Firefox 118 (Bug 1843763), upstream does not add any protocol by ===================================== dom/svg/DOMSVGLength.cpp ===================================== @@ -51,6 +51,7 @@ DOMSVGLength::DOMSVGLength(DOMSVGLengthList* aList, uint8_t aAttrEnum, mListIndex(aListIndex), mAttrEnum(aAttrEnum), mIsAnimValItem(aIsAnimValItem), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aList, "bad arg"); MOZ_ASSERT(mAttrEnum == aAttrEnum, "bitfield too small"); 
@@ -63,6 +64,7 @@ DOMSVGLength::DOMSVGLength() mListIndex(0), mAttrEnum(0), mIsAnimValItem(false), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {} DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, @@ -71,6 +73,7 @@ DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, mListIndex(0), mAttrEnum(aVal->mAttrEnum), mIsAnimValItem(aAnimVal), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aVal, "bad arg"); MOZ_ASSERT(mAttrEnum == aVal->mAttrEnum, "bitfield too small"); 
@@ -88,22 +91,33 @@ void DOMSVGLength::CleanupWeakRefs() { // Similarly, we must update the tearoff table to remove its (non-owning) // pointer to mVal. - if (nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner)) { - auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable - : sBaseSVGLengthTearOffTable; - table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + if (mIsInTearoffTable) { + nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner); + MOZ_ASSERT(svg, + "We need our svgElement reference in order to remove " + "ourselves from tearoff table..."); + if (MOZ_LIKELY(svg)) { + auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable + : sBaseSVGLengthTearOffTable; + table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + mIsInTearoffTable = false; + } } } already_AddRefed<DOMSVGLength> DOMSVGLength::GetTearOff(SVGAnimatedLength* aVal, SVGElement* aSVGElement, bool aAnimVal) { + MOZ_ASSERT(aVal && aSVGElement, "Expecting non-null aVal and aSVGElement"); + MOZ_ASSERT(aVal == aSVGElement->GetAnimatedLength(aVal->mAttrEnum), + "Mismatched aVal/SVGElement?"); auto& table = aAnimVal ? sAnimSVGLengthTearOffTable : sBaseSVGLengthTearOffTable; RefPtr<DOMSVGLength> domLength = table.GetTearoff(aVal); if (!domLength) { domLength = new DOMSVGLength(aVal, aSVGElement, aAnimVal); table.AddTearoff(aVal, domLength); + domLength->mIsInTearoffTable = true; } return domLength.forget(); ===================================== dom/svg/DOMSVGLength.h ===================================== @@ -15,7 +15,7 @@ #include "mozilla/Attributes.h" #include "nsWrapperCache.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 22 // supports > 4 million list items +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 21 // supports > 2 million list items namespace mozilla { 
@@ -204,6 +204,13 @@ class DOMSVGLength final : public nsWrapperCache { uint32_t mAttrEnum : 4; // supports up to 16 attributes uint32_t mIsAnimValItem : 1; + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true after we're added to the table + // (unless we're an instance created via 'Copy()'; those never get added to + // the table). Updated to false when we're removed from the table (at which + // point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; + // The following members are only used when we're not in a list: uint32_t mUnit : 5; // can handle 31 units (the 10 SVG 1.1 units + rem, vw, // vh, wm, calc + future additions) ===================================== dom/svg/DOMSVGPoint.cpp ===================================== @@ -167,6 +167,7 @@ already_AddRefed<DOMSVGPoint> DOMSVGPoint::GetTranslateTearOff( if (!domPoint) { domPoint = new DOMSVGPoint(aVal, aSVGSVGElement); sSVGTranslateTearOffTable.AddTearoff(aVal, domPoint); + domPoint->mIsInTearoffTable = true; } return domPoint.forget(); @@ -203,12 +204,18 @@ void DOMSVGPoint::CleanupWeakRefs() { pointList->mItems[mListIndex] = nullptr; } + if (mIsInTearoffTable) { + // Similarly, we must update the tearoff table to remove its (non-owning) + // pointer to mVal. + MOZ_ASSERT(mVal && mIsTranslatePoint, + "Tearoff table should only be used for translate-point objects " + "with non-null mVal (see GetTranslateTearOff and its callers)"); + sSVGTranslateTearOffTable.RemoveTearoff(mVal); + mIsInTearoffTable = false; + } + if (mVal) { - if (mIsTranslatePoint) { - // Similarly, we must update the tearoff table to remove its (non-owning) - // pointer to mVal. - sSVGTranslateTearOffTable.RemoveTearoff(mVal); - } else { + if (!mIsTranslatePoint) { // In this case we own mVal delete mVal; } ===================================== dom/svg/DOMSVGPoint.h ===================================== 
@@ -17,7 +17,7 @@ #include "mozilla/dom/SVGSVGElement.h" #include "mozilla/gfx/2D.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 30 +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 29 namespace mozilla::dom { struct DOMMatrix2DInit; @@ -51,7 +51,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(aList), mListIndex(aListIndex), mIsAnimValItem(aIsAnimValItem), - mIsTranslatePoint(false) { + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // These shifts are in sync with the members. MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg"); @@ -60,7 +61,10 @@ class DOMSVGPoint final : public nsWrapperCache { // Constructor for unowned points and SVGSVGElement.createSVGPoint explicit DOMSVGPoint(const Point& aPt) - : mListIndex(0), mIsAnimValItem(false), mIsTranslatePoint(false) { + : mListIndex(0), + mIsAnimValItem(false), + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // In this case we own mVal mVal = new SVGPoint(aPt.x, aPt.y); } @@ -72,7 +76,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(ToSupports(aSVGSVGElement)), mListIndex(0), mIsAnimValItem(false), - mIsTranslatePoint(true) {} + mIsTranslatePoint(true), + mIsInTearoffTable(false) {} virtual ~DOMSVGPoint() { CleanupWeakRefs(); } @@ -178,6 +183,12 @@ class DOMSVGPoint final : public nsWrapperCache { uint32_t mListIndex : MOZ_SVG_LIST_INDEX_BIT_COUNT; uint32_t mIsAnimValItem : 1; // True if We're the animated value of a list uint32_t mIsTranslatePoint : 1; // true iff our owner is a SVGSVGElement + + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true if/when we're added to the table + // (not all instances are). Updated to false when we're removed from the + // table (at which point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; }; } // namespace mozilla::dom ===================================== dom/svg/DOMSVGPointList.cpp ===================================== 
@@ -90,9 +90,12 @@ void DOMSVGPointList::RemoveFromTearoffTable() { // // There are now no longer any references to us held by script or list items. // Note we must use GetAnimValKey/GetBaseValKey here, NOT InternalList()! - void* key = mIsAnimValList ? InternalAList().GetAnimValKey() - : InternalAList().GetBaseValKey(); - SVGPointListTearoffTable().RemoveTearoff(key); + if (mIsInTearoffTable) { + void* key = mIsAnimValList ? InternalAList().GetAnimValKey() + : InternalAList().GetBaseValKey(); + SVGPointListTearoffTable().RemoveTearoff(key); + mIsInTearoffTable = false; + } } DOMSVGPointList::~DOMSVGPointList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGPointList.h ===================================== @@ -251,6 +251,12 @@ class DOMSVGPointList final : public nsISupports, public nsWrapperCache { RefPtr<dom::SVGElement> mElement; bool mIsAnimValList; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; NS_DEFINE_STATIC_IID_ACCESSOR(DOMSVGPointList, MOZILLA_DOMSVGPOINTLIST_IID) ===================================== dom/svg/DOMSVGStringList.cpp ===================================== @@ -91,7 +91,10 @@ already_AddRefed<DOMSVGStringList> DOMSVGStringList::GetDOMWrapper( void DOMSVGStringList::RemoveFromTearoffTable() { // Script no longer has any references to us. - SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + if (mIsInTearoffTable) { + SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + mIsInTearoffTable = false; + } } DOMSVGStringList::~DOMSVGStringList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGStringList.h ===================================== 
@@ -108,6 +108,12 @@ class DOMSVGStringList final : public nsISupports, public nsWrapperCache { uint8_t mAttrEnum; bool mIsConditionalProcessingAttribute; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; } // namespace dom ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -12175,6 +12175,13 @@ value: true mirror: always +# Disable requests to 0.0.0.0 +# See Bug 1889130 +- name: network.socket.ip_addr_any.disabled + type: RelaxedAtomicBool + value: @IS_EARLY_BETA_OR_EARLIER@ + mirror: always + # Set true to allow resolving proxy for localhost - name: network.proxy.allow_hijacking_localhost type: RelaxedAtomicBool ===================================== netwerk/base/nsIOService.cpp ===================================== @@ -239,6 +239,7 @@ static const char* gCallbackPrefsForSocketProcess[] = { "network.proxy.allow_hijacking_localhost", "network.connectivity-service.", "network.captive-portal-service.testMode", + "network.socket.ip_addr_any.disabled", nullptr, }; ===================================== netwerk/base/nsSocketTransport2.cpp ===================================== 
@@ -1241,6 +1241,15 @@ nsresult nsSocketTransport::InitiateSocket() { if (gIOService->IsNetTearingDown()) { return NS_ERROR_ABORT; } + + // Since https://github.com/whatwg/fetch/pull/1763, + // we need to disable access to 0.0.0.0 for non-test purposes + if (StaticPrefs::network_socket_ip_addr_any_disabled() && + mNetAddr.IsIPAddrAny() && !mProxyTransparentResolvesHost) { + SOCKET_LOG(("connection refused NS_ERROR_CONNECTION_REFUSED\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + if (gIOService->IsOffline()) { if (StaticPrefs::network_disable_localhost_when_offline() || !isLocal) { return NS_ERROR_OFFLINE; ===================================== netwerk/protocol/http/HttpConnectionUDP.cpp ===================================== @@ -19,6 +19,7 @@ #include "ASpdySession.h" #include "mozilla/StaticPrefs_network.h" +#include "mozilla/glean/NetwerkMetrics.h" #include "mozilla/Telemetry.h" #include "HttpConnectionUDP.h" #include "nsHttpHandler.h" @@ -88,6 +89,22 @@ nsresult HttpConnectionUDP::Init(nsHttpConnectionInfo* info, return rv; } + // We are disabling 0.0.0.0 for non-test purposes. + // See https://github.com/whatwg/fetch/pull/1763 for context. + if (peerAddr.IsIPAddrAny()) { + if (StaticPrefs::network_socket_ip_addr_any_disabled()) { + mozilla::glean::networking::http_ip_addr_any_count + .Get("blocked_requests"_ns) + .Add(1); + LOG(("Connection refused because of 0.0.0.0 IP address\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + + mozilla::glean::networking::http_ip_addr_any_count + .Get("not_blocked_requests"_ns) + .Add(1); + } + mSocket = do_CreateInstance("@mozilla.org/network/udp-socket;1", &rv); if (NS_FAILED(rv)) { return rv; ===================================== netwerk/test/unit/trr_common.js ===================================== 
@@ -1027,6 +1027,7 @@ async function test_ipv4_trr_fallback() { async function test_no_retry_without_doh() { info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS"); Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false); + Services.prefs.setBoolPref("network.socket.ip_addr_any.disabled", false); async function test(url, ip) { setModeAndURI(2, `doh?responseIP=${ip}`); @@ -1073,6 +1074,8 @@ async function test_no_retry_without_doh() { await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0"); await test(`http://unknown.ipv6.stuff:666/path`, "::"); } + + Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled"); } async function test_connection_reuse_and_cycling() { ===================================== toolkit/components/aboutmemory/content/aboutMemory.js ===================================== @@ -508,19 +508,11 @@ window.onload = function () { appendElementWithText(gFooter, "div", "legend", legendText1); appendElementWithText(gFooter, "div", "legend hiddenOnMobile", legendText2); - // See if we're loading from a file. (Because about:memory is a non-standard - // URL, location.search is undefined, so we have to use location.href - // instead.) - let search = location.href.split("?")[1]; - if (search) { - let searchSplit = search.split("&"); - for (let s of searchSplit) { - if (s.toLowerCase().startsWith("file=")) { - let filename = s.substring("file=".length); - updateAboutMemoryFromFile(decodeURIComponent(filename)); - return; - } - } + // See if we're loading from a file. + let { searchParams } = URL.fromURI(document.documentURIObject); + let fileParam = searchParams.get("file"); + if (fileParam) { + updateAboutMemoryFromFile(fileParam); } }; View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/6c… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/6c… You're receiving this email because of your account on gitlab.torproject.org.
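Review bot: in 001-base-profile.js the new pref("network.socket.ip_addr_any.disabled", true) is not marked locked, while the two prefs in the context lines above it (network.proxy.failover_direct and network.http.tailing.enabled) are. As written, the block can be switched off again through a user pref; either add locked or note in the comment why this one stays user-overridable.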
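Review bot: the check added to nsSocketTransport::InitiateSocket skips the block when mProxyTransparentResolvesHost is set, but the comment above it only cites the fetch PR and does not say why that case is exempt; please document the exemption. The SOCKET_LOG text also just repeats the error name, unlike the HttpConnectionUDP log, which names 0.0.0.0 as the reason. This hunk records no http_ip_addr_any_count sample either, so within this patch blocked requests are counted only on the HttpConnectionUDP path.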
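Review bot: test_no_retry_without_doh sets network.socket.ip_addr_any.disabled to false at the top and clears it only on its last line, so an exception in any of the await test(...) calls leaves the block disabled for whatever runs afterwards. Registering the clearUserPref in a cleanup function, or wrapping the body in try/finally, would keep the pref from leaking.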
[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-128.11.0esr-14.5-1-build2
by morgan (@morgan) 26 May '25

morgan pushed new tag tor-browser-128.11.0esr-14.5-1-build2 at The Tor Project / Applications / Tor Browser

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows…
[Git][tpo/applications/tor-browser][tor-browser-128.11.0esr-14.5-1] Deleted 1 commit: Merge branch 'tb43811_sb128' into 'tor-browser-128.11.0esr-14.5-1'
by morgan (@morgan) 26 May '25

morgan pushed to branch tor-browser-128.11.0esr-14.5-1 at The Tor Project / Applications / Tor Browser

WARNING: The push did not contain any new commits, but force pushed to delete the commits and changes below.

Deleted commits:

ab178f3e by morgan at 2025-05-26T15:45:37+00:00
Merge branch 'tb43811_sb128' into 'tor-browser-128.11.0esr-14.5-1'

BB 43811 (esr128): Backport security fixes from Firefox 139

See merge request ma1/tor-browser-confidential!19

- - - - -

0 changed files:

Changes:

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ab178f3…
[Git][tpo/applications/tor-browser] Deleted tag tor-browser-128.11.0esr-14.5-1-build2
by morgan (@morgan) 26 May '25

morgan deleted tag tor-browser-128.11.0esr-14.5-1-build2 at The Tor Project / Applications / Tor Browser
[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-128.11.0esr-14.5-1-build2
by morgan (@morgan) 26 May '25

morgan pushed new tag tor-browser-128.11.0esr-14.5-1-build2 at The Tor Project / Applications / Tor Browser

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows…