GitLab

at 2025-05-26T20:22:49+00:00

Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D219041
fixup! Firefox preference overrides.

BB 43811: Block 0.0.0.0

Bug 1914583 - Block IPAddrAny on H3 code path. r=necko-reviewers,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D239514
Bug 1742738 part 1: Tighten up tearoff-table removal for DOMSVGPointList and DOMSVGStringList. r=firefox-svg-reviewers,longsonr

Differential Revision: https://phabricator.services.mozilla.com/D246062
Bug 1742738 part 2: Tighten up tearoff-table removal for DOMSVGLength. r=firefox-svg-reviewers,longsonr

I'm doing this one in its own patch since it's slightly more subtle than the
others, due to the existence of multiple instance-creation codepaths, some of
which generate instances that never end up in the tearoff table.

Differential Revision: https://phabricator.services.mozilla.com/D246063
Bug 1742738 part 3: Tighten up tearoff-table removal for DOMSVGPoint. r=firefox-svg-reviewers,longsonr

I'm doing this one in its own patch since it's slightly more subtle than the
others, due to the existence of multiple instance-creation codepaths, some of
which generate instances that never end up in the tearoff table.

Differential Revision: https://phabricator.services.mozilla.com/D246065
Bug 1959298 - use search params in about:memory, r=mccr8

Differential Revision: https://phabricator.services.mozilla.com/D245049
 // alters content load order in a page. See tor-browser#24686

 pref("network.http.tailing.enabled", true, locked);

+// Block 0.0.0.0

+// https://bugzilla.mozilla.org/show_bug.cgi?id=1889130

+// tor-browser#43811

+pref("network.socket.ip_addr_any.disabled", true);

+

 // tor-browser#23044: Make sure we don't have any GIO supported protocols

 // (defense in depth measure).

 // As of Firefox 118 (Bug 1843763), upstream does not add any protocol by

       mListIndex(aListIndex),

       mAttrEnum(aAttrEnum),

       mIsAnimValItem(aIsAnimValItem),

+      mIsInTearoffTable(false),

       mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {

   MOZ_ASSERT(aList, "bad arg");

   MOZ_ASSERT(mAttrEnum == aAttrEnum, "bitfield too small");

       mListIndex(0),

       mAttrEnum(0),

       mIsAnimValItem(false),

+      mIsInTearoffTable(false),

       mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {}

 DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement,

       mListIndex(0),

       mAttrEnum(aVal->mAttrEnum),

       mIsAnimValItem(aAnimVal),

+      mIsInTearoffTable(false),

       mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {

   MOZ_ASSERT(aVal, "bad arg");

   MOZ_ASSERT(mAttrEnum == aVal->mAttrEnum, "bitfield too small");

   // Similarly, we must update the tearoff table to remove its (non-owning)

   // pointer to mVal.

-  if (nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner)) {

-    auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable

-                                 : sBaseSVGLengthTearOffTable;

-    table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum));

+  if (mIsInTearoffTable) {

+    nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner);

+    MOZ_ASSERT(svg,

+               "We need our svgElement reference in order to remove "

+               "ourselves from tearoff table...");

+    if (MOZ_LIKELY(svg)) {

+      auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable

+                                   : sBaseSVGLengthTearOffTable;

+      table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum));

+      mIsInTearoffTable = false;

+    }

   }

 }

 already_AddRefed<DOMSVGLength> DOMSVGLength::GetTearOff(SVGAnimatedLength* aVal,

                                                         SVGElement* aSVGElement,

                                                         bool aAnimVal) {

+  MOZ_ASSERT(aVal && aSVGElement, "Expecting non-null aVal and aSVGElement");

+  MOZ_ASSERT(aVal == aSVGElement->GetAnimatedLength(aVal->mAttrEnum),

+             "Mismatched aVal/SVGElement?");

   auto& table =

       aAnimVal ? sAnimSVGLengthTearOffTable : sBaseSVGLengthTearOffTable;

   RefPtr<DOMSVGLength> domLength = table.GetTearoff(aVal);

   if (!domLength) {

     domLength = new DOMSVGLength(aVal, aSVGElement, aAnimVal);

     table.AddTearoff(aVal, domLength);

+    domLength->mIsInTearoffTable = true;

   }

   return domLength.forget();

 #include "mozilla/Attributes.h"

 #include "nsWrapperCache.h"

-#define MOZ_SVG_LIST_INDEX_BIT_COUNT 22  // supports > 4 million list items

+#define MOZ_SVG_LIST_INDEX_BIT_COUNT 21  // supports > 2 million list items

 namespace mozilla {

   uint32_t mAttrEnum : 4;  // supports up to 16 attributes

   uint32_t mIsAnimValItem : 1;

+  // Tracks whether we're in the tearoff table. Initialized to false in the

+  // ctor, but then immediately set to true after we're added to the table

+  // (unless we're an instance created via 'Copy()'; those never get added to

+  // the table).  Updated to false when we're removed from the table (at which

+  // point we're being destructed or soon-to-be destructed).

+  uint32_t mIsInTearoffTable : 1;

+

   // The following members are only used when we're not in a list:

   uint32_t mUnit : 5;  // can handle 31 units (the 10 SVG 1.1 units + rem, vw,

                        // vh, wm, calc + future additions)

   if (!domPoint) {

     domPoint = new DOMSVGPoint(aVal, aSVGSVGElement);

     sSVGTranslateTearOffTable.AddTearoff(aVal, domPoint);

+    domPoint->mIsInTearoffTable = true;

   }

   return domPoint.forget();

     pointList->mItems[mListIndex] = nullptr;

   }

+  if (mIsInTearoffTable) {

+    // Similarly, we must update the tearoff table to remove its (non-owning)

+    // pointer to mVal.

+    MOZ_ASSERT(mVal && mIsTranslatePoint,

+               "Tearoff table should only be used for translate-point objects "

+               "with non-null mVal (see GetTranslateTearOff and its callers)");

+    sSVGTranslateTearOffTable.RemoveTearoff(mVal);

+    mIsInTearoffTable = false;

+  }

+

   if (mVal) {

-    if (mIsTranslatePoint) {

-      // Similarly, we must update the tearoff table to remove its (non-owning)

-      // pointer to mVal.

-      sSVGTranslateTearOffTable.RemoveTearoff(mVal);

-    } else {

+    if (!mIsTranslatePoint) {

       // In this case we own mVal

       delete mVal;

     }

 #include "mozilla/dom/SVGSVGElement.h"

 #include "mozilla/gfx/2D.h"

-#define MOZ_SVG_LIST_INDEX_BIT_COUNT 30

+#define MOZ_SVG_LIST_INDEX_BIT_COUNT 29

 namespace mozilla::dom {

 struct DOMMatrix2DInit;

         mOwner(aList),

         mListIndex(aListIndex),

         mIsAnimValItem(aIsAnimValItem),

-        mIsTranslatePoint(false) {

+        mIsTranslatePoint(false),

+        mIsInTearoffTable(false) {

     // These shifts are in sync with the members.

     MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg");

   // Constructor for unowned points and SVGSVGElement.createSVGPoint

   explicit DOMSVGPoint(const Point& aPt)

-      : mListIndex(0), mIsAnimValItem(false), mIsTranslatePoint(false) {

+      : mListIndex(0),

+        mIsAnimValItem(false),

+        mIsTranslatePoint(false),

+        mIsInTearoffTable(false) {

     // In this case we own mVal

     mVal = new SVGPoint(aPt.x, aPt.y);

   }

         mOwner(ToSupports(aSVGSVGElement)),

         mListIndex(0),

         mIsAnimValItem(false),

-        mIsTranslatePoint(true) {}

+        mIsTranslatePoint(true),

+        mIsInTearoffTable(false) {}

   virtual ~DOMSVGPoint() { CleanupWeakRefs(); }

   uint32_t mListIndex : MOZ_SVG_LIST_INDEX_BIT_COUNT;

   uint32_t mIsAnimValItem : 1;     // True if We're the animated value of a list

   uint32_t mIsTranslatePoint : 1;  // true iff our owner is a SVGSVGElement

+

+  // Tracks whether we're in the tearoff table. Initialized to false in the

+  // ctor, but then immediately set to true if/when we're added to the table

+  // (not all instances are).  Updated to false when we're removed from the

+  // table (at which point we're being destructed or soon-to-be destructed).

+  uint32_t mIsInTearoffTable : 1;

 };

 }  // namespace mozilla::dom

   //

   // There are now no longer any references to us held by script or list items.

   // Note we must use GetAnimValKey/GetBaseValKey here, NOT InternalList()!

-  void* key = mIsAnimValList ? InternalAList().GetAnimValKey()

-                             : InternalAList().GetBaseValKey();

-  SVGPointListTearoffTable().RemoveTearoff(key);

+  if (mIsInTearoffTable) {

+    void* key = mIsAnimValList ? InternalAList().GetAnimValKey()

+                               : InternalAList().GetBaseValKey();

+    SVGPointListTearoffTable().RemoveTearoff(key);

+    mIsInTearoffTable = false;

+  }

 }

 DOMSVGPointList::~DOMSVGPointList() { RemoveFromTearoffTable(); }

   RefPtr<dom::SVGElement> mElement;

   bool mIsAnimValList;

+

+  // Tracks whether we're in the tearoff table. Initialized to true, since all

+  // new instances are added to the table right after construction. Updated to

+  // false when we're removed from the table (at which point we're being

+  // destructed or soon-to-be destructed).

+  bool mIsInTearoffTable = true;

 };

 NS_DEFINE_STATIC_IID_ACCESSOR(DOMSVGPointList, MOZILLA_DOMSVGPOINTLIST_IID)

 void DOMSVGStringList::RemoveFromTearoffTable() {

   // Script no longer has any references to us.

-  SVGStringListTearoffTable().RemoveTearoff(&InternalList());

+  if (mIsInTearoffTable) {

+    SVGStringListTearoffTable().RemoveTearoff(&InternalList());

+    mIsInTearoffTable = false;

+  }

 }

 DOMSVGStringList::~DOMSVGStringList() { RemoveFromTearoffTable(); }

   uint8_t mAttrEnum;

   bool mIsConditionalProcessingAttribute;

+

+  // Tracks whether we're in the tearoff table. Initialized to true, since all

+  // new instances are added to the table right after construction. Updated to

+  // false when we're removed from the table (at which point we're being

+  // destructed or soon-to-be destructed).

+  bool mIsInTearoffTable = true;

 };

 }  // namespace dom

   value: true

   mirror: always

+# Disable requests to 0.0.0.0

+# See Bug 1889130

+- name: network.socket.ip_addr_any.disabled

+  type: RelaxedAtomicBool

+  value: @IS_EARLY_BETA_OR_EARLIER@

+  mirror: always

+

 # Set true to allow resolving proxy for localhost

 - name: network.proxy.allow_hijacking_localhost

   type: RelaxedAtomicBool

     "network.proxy.allow_hijacking_localhost",

     "network.connectivity-service.",

     "network.captive-portal-service.testMode",

+    "network.socket.ip_addr_any.disabled",

     nullptr,

 };

   if (gIOService->IsNetTearingDown()) {

     return NS_ERROR_ABORT;

   }

+

+  // Since https://github.com/whatwg/fetch/pull/1763,

+  // we need to disable access to 0.0.0.0 for non-test purposes

+  if (StaticPrefs::network_socket_ip_addr_any_disabled() &&

+      mNetAddr.IsIPAddrAny() && !mProxyTransparentResolvesHost) {

+    SOCKET_LOG(("connection refused NS_ERROR_CONNECTION_REFUSED\n"));

+    return NS_ERROR_CONNECTION_REFUSED;

+  }

+

   if (gIOService->IsOffline()) {

     if (StaticPrefs::network_disable_localhost_when_offline() || !isLocal) {

       return NS_ERROR_OFFLINE;

 #include "ASpdySession.h"

 #include "mozilla/StaticPrefs_network.h"

+#include "mozilla/glean/NetwerkMetrics.h"

 #include "mozilla/Telemetry.h"

 #include "HttpConnectionUDP.h"

 #include "nsHttpHandler.h"

     return rv;

   }

+  // We are disabling 0.0.0.0 for non-test purposes.

+  // See https://github.com/whatwg/fetch/pull/1763 for context.

+  if (peerAddr.IsIPAddrAny()) {

+    if (StaticPrefs::network_socket_ip_addr_any_disabled()) {

+      mozilla::glean::networking::http_ip_addr_any_count

+          .Get("blocked_requests"_ns)

+          .Add(1);

+      LOG(("Connection refused because of 0.0.0.0 IP address\n"));

+      return NS_ERROR_CONNECTION_REFUSED;

+    }

+

+    mozilla::glean::networking::http_ip_addr_any_count

+        .Get("not_blocked_requests"_ns)

+        .Add(1);

+  }

+

   mSocket = do_CreateInstance("@mozilla.org/network/udp-socket;1", &rv);

   if (NS_FAILED(rv)) {

     return rv;

 async function test_no_retry_without_doh() {

   info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS");

   Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false);

+  Services.prefs.setBoolPref("network.socket.ip_addr_any.disabled", false);

   async function test(url, ip) {

     setModeAndURI(2, `doh?responseIP=${ip}`);

     await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0");

     await test(`http://unknown.ipv6.stuff:666/path`, "::");

   }

+

+  Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled");

 }

 async function test_connection_reuse_and_cycling() {

   appendElementWithText(gFooter, "div", "legend", legendText1);

   appendElementWithText(gFooter, "div", "legend hiddenOnMobile", legendText2);

-  // See if we're loading from a file.  (Because about:memory is a non-standard

-  // URL, location.search is undefined, so we have to use location.href

-  // instead.)

-  let search = location.href.split("?")[1];

-  if (search) {

-    let searchSplit = search.split("&");

-    for (let s of searchSplit) {

-      if (s.toLowerCase().startsWith("file=")) {

-        let filename = s.substring("file=".length);

-        updateAboutMemoryFromFile(decodeURIComponent(filename));

-        return;

-      }

-    }

+  // See if we're loading from a file.

+  let { searchParams } = URL.fromURI(document.documentURIObject);

+  let fileParam = searchParams.get("file");

+  if (fileParam) {

+    updateAboutMemoryFromFile(fileParam);

   }

 };

morgan pushed to branch base-browser-128.11.0esr-14.5-1 at The Tor Project / Applications / Tor Browser

Commits:

15 changed files:

Changes: