
ma1 pushed to branch tor-browser-115.24.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: 0a4acb71 by smayya at 2025-05-22T17:18:56+02:00 Bug 1889130 - block http requests on 0.0.0.0 address. r=necko-reviewers,valentin,kershaw Differential Revision: https://phabricator.services.mozilla.com/D219041 - - - - - 02ee510f by hackademix at 2025-05-22T17:34:56+02:00 fixup! Firefox preference overrides. BB 43811: Block 0.0.0.0 - - - - - 6186c1fe by Oskar Mansfeld at 2025-05-26T17:25:28+02:00 Bug 1914583 - Block IPAddrAny on H3 code path. r=necko-reviewers,kershaw Note: removed glean references on Tor Browser esr115 backport Differential Revision: https://phabricator.services.mozilla.com/D239514 - - - - - dc06e11d by Daniel Holbert at 2025-05-26T17:25:48+02:00 Bug 1742738 part 1: Tighten up tearoff-table removal for DOMSVGPointList and DOMSVGStringList. r=firefox-svg-reviewers,longsonr Differential Revision: https://phabricator.services.mozilla.com/D246062 - - - - - 4f3e5d70 by Daniel Holbert at 2025-05-26T17:25:49+02:00 Bug 1742738 part 2: Tighten up tearoff-table removal for DOMSVGLength. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. Differential Revision: https://phabricator.services.mozilla.com/D246063 - - - - - d5a152e4 by Daniel Holbert at 2025-05-26T17:25:50+02:00 Bug 1742738 part 3: Tighten up tearoff-table removal for DOMSVGPoint. r=firefox-svg-reviewers,longsonr I'm doing this one in its own patch since it's slightly more subtle than the others, due to the existence of multiple instance-creation codepaths, some of which generate instances that never end up in the tearoff table. 
Differential Revision: https://phabricator.services.mozilla.com/D246065 - - - - - 73753ce8 by Jonathan Kew at 2025-05-26T17:25:50+02:00 Bug 1958121 - Use exchange to update the SpaceFeatures flags. a=RyanVM Original Revision: https://phabricator.services.mozilla.com/D245913 Differential Revision: https://phabricator.services.mozilla.com/D247887 - - - - - d3e4fff1 by Gijs Kruitbosch at 2025-05-26T17:25:51+02:00 Bug 1959298 - use search params in about:memory, r=mccr8 Differential Revision: https://phabricator.services.mozilla.com/D245049 - - - - - 16 changed files: - browser/app/profile/001-base-profile.js - dom/svg/DOMSVGLength.cpp - dom/svg/DOMSVGLength.h - dom/svg/DOMSVGPoint.cpp - dom/svg/DOMSVGPoint.h - dom/svg/DOMSVGPointList.cpp - dom/svg/DOMSVGPointList.h - dom/svg/DOMSVGStringList.cpp - dom/svg/DOMSVGStringList.h - gfx/thebes/gfxFont.cpp - modules/libpref/init/StaticPrefList.yaml - netwerk/base/nsIOService.cpp - netwerk/base/nsSocketTransport2.cpp - netwerk/protocol/http/HttpConnectionUDP.cpp - netwerk/test/unit/trr_common.js - toolkit/components/aboutmemory/content/aboutMemory.js Changes: ===================================== browser/app/profile/001-base-profile.js ===================================== @@ -482,6 +482,11 @@ pref("network.http.http2.default-hpack-buffer", 65536, locked); pref("network.http.http2.websockets", true, locked); pref("network.http.http2.enable-hpack-dump", false, locked); +// Block 0.0.0.0 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1889130 +// tor-browser#43811 +pref("network.socket.ip_addr_any.disabled", true); + // tor-browser#23044: Make sure we don't have any GIO supported protocols // (defense in depth measure) pref("network.gio.supported-protocols", ""); ===================================== dom/svg/DOMSVGLength.cpp ===================================== 
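Review bot: The new `network.socket.ip_addr_any.disabled` override in 001-base-profile.js is added without `locked`, unlike the three `network.http.http2.*` prefs directly above it, so it can still be flipped at runtime. The StaticPrefList.yaml hunk later in this push gives the pref a default of `@IS_EARLY_BETA_OR_EARLIER@`, which presumably evaluates to false on this ESR branch, so this override appears to be the only thing that turns the block on. If the pref stays mutable only because trr_common.js needs to toggle it, the comment should say so; otherwise consider `pref("network.socket.ip_addr_any.disabled", true, locked);`.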
@@ -51,6 +51,7 @@ DOMSVGLength::DOMSVGLength(DOMSVGLengthList* aList, uint8_t aAttrEnum, mListIndex(aListIndex), mAttrEnum(aAttrEnum), mIsAnimValItem(aIsAnimValItem), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aList, "bad arg"); MOZ_ASSERT(mAttrEnum == aAttrEnum, "bitfield too small"); @@ -63,6 +64,7 @@ DOMSVGLength::DOMSVGLength() mListIndex(0), mAttrEnum(0), mIsAnimValItem(false), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) {} DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, @@ -71,6 +73,7 @@ DOMSVGLength::DOMSVGLength(SVGAnimatedLength* aVal, SVGElement* aSVGElement, mListIndex(0), mAttrEnum(aVal->mAttrEnum), mIsAnimValItem(aAnimVal), + mIsInTearoffTable(false), mUnit(SVGLength_Binding::SVG_LENGTHTYPE_NUMBER) { MOZ_ASSERT(aVal, "bad arg"); MOZ_ASSERT(mAttrEnum == aVal->mAttrEnum, "bitfield too small"); 
@@ -88,22 +91,33 @@ void DOMSVGLength::CleanupWeakRefs() { // Similarly, we must update the tearoff table to remove its (non-owning) // pointer to mVal. - if (nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner)) { - auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable - : sBaseSVGLengthTearOffTable; - table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + if (mIsInTearoffTable) { + nsCOMPtr<SVGElement> svg = do_QueryInterface(mOwner); + MOZ_ASSERT(svg, + "We need our svgElement reference in order to remove " + "ourselves from tearoff table..."); + if (MOZ_LIKELY(svg)) { + auto& table = mIsAnimValItem ? sAnimSVGLengthTearOffTable + : sBaseSVGLengthTearOffTable; + table.RemoveTearoff(svg->GetAnimatedLength(mAttrEnum)); + mIsInTearoffTable = false; + } } } already_AddRefed<DOMSVGLength> DOMSVGLength::GetTearOff(SVGAnimatedLength* aVal, SVGElement* aSVGElement, bool aAnimVal) { + MOZ_ASSERT(aVal && aSVGElement, "Expecting non-null aVal and aSVGElement"); + MOZ_ASSERT(aVal == aSVGElement->GetAnimatedLength(aVal->mAttrEnum), + "Mismatched aVal/SVGElement?"); auto& table = aAnimVal ? sAnimSVGLengthTearOffTable : sBaseSVGLengthTearOffTable; RefPtr<DOMSVGLength> domLength = table.GetTearoff(aVal); if (!domLength) { domLength = new DOMSVGLength(aVal, aSVGElement, aAnimVal); table.AddTearoff(aVal, domLength); + domLength->mIsInTearoffTable = true; } return domLength.forget(); ===================================== dom/svg/DOMSVGLength.h ===================================== @@ -15,7 +15,7 @@ #include "mozilla/Attributes.h" #include "nsWrapperCache.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 22 // supports > 4 million list items +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 21 // supports > 2 million list items namespace mozilla { 
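Review bot: In DOMSVGLength::CleanupWeakRefs, when `mIsInTearoffTable` is set but `do_QueryInterface(mOwner)` yields null, a release build silently skips `RemoveTearoff` and the table keeps its non-owning entry for an object that is going away. `MOZ_ASSERT` catches this only in debug builds, and it is exactly the stale-pointer case this patch is tightening. Consider `MOZ_DIAGNOSTIC_ASSERT(svg, ...)` so it is also caught wherever diagnostic asserts are enabled, and add a short comment on the `MOZ_LIKELY(svg)` branch stating what is left behind when it is not taken. CleanupWeakRefs begins above the hunk.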
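Review bot: Dropping `MOZ_SVG_LIST_INDEX_BIT_COUNT` from 22 to 21 in DOMSVGLength.h halves the largest index the list-index bitfield can hold, and nothing visible in this diff shows the list-length cap being derived from the same macro. If the cap is a separate constant, or is enforced only by a debug assertion, a larger index would be truncated by the bitfield and the item would refer to the wrong slot. The same applies to DOMSVGPoint.h (30 to 29), where the only visible guard is `MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg")`. Worth confirming the limit follows the macro and recording the budget next to it, e.g. `// 21 index bits + 4 + 1 + 1 + 5 = 32; the list length cap must follow this value`.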
@@ -198,6 +198,13 @@ class DOMSVGLength final : public nsWrapperCache { uint32_t mAttrEnum : 4; // supports up to 16 attributes uint32_t mIsAnimValItem : 1; + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true after we're added to the table + // (unless we're an instance created via 'Copy()'; those never get added to + // the table). Updated to false when we're removed from the table (at which + // point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; + // The following members are only used when we're not in a list: uint32_t mUnit : 5; // can handle 31 units (the 10 SVG 1.1 units + rem, vw, // vh, wm, calc + future additions) ===================================== dom/svg/DOMSVGPoint.cpp ===================================== @@ -168,6 +168,7 @@ already_AddRefed<DOMSVGPoint> DOMSVGPoint::GetTranslateTearOff( if (!domPoint) { domPoint = new DOMSVGPoint(aVal, aSVGSVGElement); sSVGTranslateTearOffTable.AddTearoff(aVal, domPoint); + domPoint->mIsInTearoffTable = true; } return domPoint.forget(); @@ -204,12 +205,18 @@ void DOMSVGPoint::CleanupWeakRefs() { pointList->mItems[mListIndex] = nullptr; } + if (mIsInTearoffTable) { + // Similarly, we must update the tearoff table to remove its (non-owning) + // pointer to mVal. + MOZ_ASSERT(mVal && mIsTranslatePoint, + "Tearoff table should only be used for translate-point objects " + "with non-null mVal (see GetTranslateTearOff and its callers)"); + sSVGTranslateTearOffTable.RemoveTearoff(mVal); + mIsInTearoffTable = false; + } + if (mVal) { - if (mIsTranslatePoint) { - // Similarly, we must update the tearoff table to remove its (non-owning) - // pointer to mVal. - sSVGTranslateTearOffTable.RemoveTearoff(mVal); - } else { + if (!mIsTranslatePoint) { // In this case we own mVal delete mVal; } ===================================== dom/svg/DOMSVGPoint.h ===================================== 
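Review bot: The new comment on `mIsInTearoffTable` in DOMSVGLength.h says the flag is set to true for every instance except those created via `Copy()`, but in this diff it is only set in `GetTearOff`. The list-item and default constructors also leave it false, and no visible line adds those instances to the table. A reader relying on the comment would expect list items to be in the table. Suggested wording: `// Set to true only by GetTearOff(), right after AddTearoff(); list items and copies are never in the table.`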
@@ -17,7 +17,7 @@ #include "mozilla/dom/SVGSVGElement.h" #include "mozilla/gfx/2D.h" -#define MOZ_SVG_LIST_INDEX_BIT_COUNT 30 +#define MOZ_SVG_LIST_INDEX_BIT_COUNT 29 namespace mozilla::dom { struct DOMMatrix2DInit; @@ -51,7 +51,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(aList), mListIndex(aListIndex), mIsAnimValItem(aIsAnimValItem), - mIsTranslatePoint(false) { + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // These shifts are in sync with the members. MOZ_ASSERT(aList && aListIndex <= MaxListIndex(), "bad arg"); @@ -60,7 +61,10 @@ class DOMSVGPoint final : public nsWrapperCache { // Constructor for unowned points and SVGSVGElement.createSVGPoint explicit DOMSVGPoint(const Point& aPt) - : mListIndex(0), mIsAnimValItem(false), mIsTranslatePoint(false) { + : mListIndex(0), + mIsAnimValItem(false), + mIsTranslatePoint(false), + mIsInTearoffTable(false) { // In this case we own mVal mVal = new SVGPoint(aPt.x, aPt.y); } @@ -72,7 +76,8 @@ class DOMSVGPoint final : public nsWrapperCache { mOwner(ToSupports(aSVGSVGElement)), mListIndex(0), mIsAnimValItem(false), - mIsTranslatePoint(true) {} + mIsTranslatePoint(true), + mIsInTearoffTable(false) {} virtual ~DOMSVGPoint() { CleanupWeakRefs(); } @@ -178,6 +183,12 @@ class DOMSVGPoint final : public nsWrapperCache { uint32_t mListIndex : MOZ_SVG_LIST_INDEX_BIT_COUNT; uint32_t mIsAnimValItem : 1; // True if We're the animated value of a list uint32_t mIsTranslatePoint : 1; // true iff our owner is a SVGSVGElement + + // Tracks whether we're in the tearoff table. Initialized to false in the + // ctor, but then immediately set to true if/when we're added to the table + // (not all instances are). Updated to false when we're removed from the + // table (at which point we're being destructed or soon-to-be destructed). + uint32_t mIsInTearoffTable : 1; }; } // namespace mozilla::dom ===================================== dom/svg/DOMSVGPointList.cpp ===================================== 
@@ -88,9 +88,12 @@ void DOMSVGPointList::RemoveFromTearoffTable() { // // There are now no longer any references to us held by script or list items. // Note we must use GetAnimValKey/GetBaseValKey here, NOT InternalList()! - void* key = mIsAnimValList ? InternalAList().GetAnimValKey() - : InternalAList().GetBaseValKey(); - SVGPointListTearoffTable().RemoveTearoff(key); + if (mIsInTearoffTable) { + void* key = mIsAnimValList ? InternalAList().GetAnimValKey() + : InternalAList().GetBaseValKey(); + SVGPointListTearoffTable().RemoveTearoff(key); + mIsInTearoffTable = false; + } } DOMSVGPointList::~DOMSVGPointList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGPointList.h ===================================== @@ -250,6 +250,12 @@ class DOMSVGPointList final : public nsISupports, public nsWrapperCache { RefPtr<dom::SVGElement> mElement; bool mIsAnimValList; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; NS_DEFINE_STATIC_IID_ACCESSOR(DOMSVGPointList, MOZILLA_DOMSVGPOINTLIST_IID) ===================================== dom/svg/DOMSVGStringList.cpp ===================================== @@ -91,7 +91,10 @@ already_AddRefed<DOMSVGStringList> DOMSVGStringList::GetDOMWrapper( void DOMSVGStringList::RemoveFromTearoffTable() { // Script no longer has any references to us. - SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + if (mIsInTearoffTable) { + SVGStringListTearoffTable().RemoveTearoff(&InternalList()); + mIsInTearoffTable = false; + } } DOMSVGStringList::~DOMSVGStringList() { RemoveFromTearoffTable(); } ===================================== dom/svg/DOMSVGStringList.h ===================================== 
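Review bot: `mIsInTearoffTable` in DOMSVGPointList.h defaults to `true` on the strength of a comment ("all new instances are added to the table right after construction") rather than being set where the entry is added, which is how DOMSVGLength and DOMSVGPoint do it in this same series. If a construction path ever skips the add, the destructor would still call `RemoveTearoff` with this object's key and could drop an entry that belongs to a different wrapper. Initialising with `bool mIsInTearoffTable = false;` and setting the flag next to the `AddTearoff` call would make the invariant hold by construction. DOMSVGStringList.h has the same pattern. The `AddTearoff` call sites are outside the hunks shown.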
@@ -108,6 +108,12 @@ class DOMSVGStringList final : public nsISupports, public nsWrapperCache { uint8_t mAttrEnum; bool mIsConditionalProcessingAttribute; + + // Tracks whether we're in the tearoff table. Initialized to true, since all + // new instances are added to the table right after construction. Updated to + // false when we're removed from the table (at which point we're being + // destructed or soon-to-be destructed). + bool mIsInTearoffTable = true; }; } // namespace dom ===================================== gfx/thebes/gfxFont.cpp ===================================== @@ -1293,8 +1293,12 @@ static const hb_tag_t defaultFeatures[] = { void gfxFont::CheckForFeaturesInvolvingSpace() const { gfxFontEntry::SpaceFeatures flags = gfxFontEntry::SpaceFeatures::None; + // mFontEntry->mHasSpaceFeatures is a std::atomic<>, so we set it with + // `exchange` to avoid a potential data race. It's ok if two threads both + // try to set it; they'll end up with the same value, so it doesn't matter + // that one will overwrite the other. auto setFlags = - MakeScopeExit([&]() { mFontEntry->mHasSpaceFeatures = flags; }); + MakeScopeExit([&]() { mFontEntry->mHasSpaceFeatures.exchange(flags); }); bool log = LOG_FONTINIT_ENABLED(); TimeStamp start; ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -11735,6 +11735,13 @@ value: true mirror: always +# Disable requests to 0.0.0.0 +# See Bug 1889130 +- name: network.socket.ip_addr_any.disabled + type: RelaxedAtomicBool + value: @IS_EARLY_BETA_OR_EARLIER@ + mirror: always + # Set true to allow resolving proxy for localhost - name: network.proxy.allow_hijacking_localhost type: RelaxedAtomicBool ===================================== netwerk/base/nsIOService.cpp ===================================== 
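Review bot: The comment added in gfxFont::CheckForFeaturesInvolvingSpace says `exchange` is used to avoid a data race, but if `mHasSpaceFeatures` is a `std::atomic<>` as stated, the previous plain assignment was already an atomic store, and the value `exchange` returns is discarded here. Either the comment should name what actually differs from assignment, or the lambda could say what is meant with `mFontEntry->mHasSpaceFeatures.store(flags);`. The function body continues past the hunk.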
@@ -230,6 +230,7 @@ static const char* gCallbackPrefsForSocketProcess[] = { "network.proxy.allow_hijacking_localhost", "network.connectivity-service.", "network.captive-portal-service.testMode", + "network.socket.ip_addr_any.disabled", nullptr, }; ===================================== netwerk/base/nsSocketTransport2.cpp ===================================== @@ -1245,6 +1245,15 @@ nsresult nsSocketTransport::InitiateSocket() { if (gIOService->IsNetTearingDown()) { return NS_ERROR_ABORT; } + + // Since https://github.com/whatwg/fetch/pull/1763, + // we need to disable access to 0.0.0.0 for non-test purposes + if (StaticPrefs::network_socket_ip_addr_any_disabled() && + mNetAddr.IsIPAddrAny() && !mProxyTransparentResolvesHost) { + SOCKET_LOG(("connection refused NS_ERROR_CONNECTION_REFUSED\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + if (gIOService->IsOffline()) { if (StaticPrefs::network_disable_localhost_when_offline() || !isLocal) { return NS_ERROR_OFFLINE; ===================================== netwerk/protocol/http/HttpConnectionUDP.cpp ===================================== @@ -86,6 +86,15 @@ nsresult HttpConnectionUDP::Init(nsHttpConnectionInfo* info, return rv; } + // We are disabling 0.0.0.0 for non-test purposes. + // See https://github.com/whatwg/fetch/pull/1763 for context. + if (peerAddr.IsIPAddrAny()) { + if (StaticPrefs::network_socket_ip_addr_any_disabled()) { + LOG(("Connection refused because of 0.0.0.0 IP address\n")); + return NS_ERROR_CONNECTION_REFUSED; + } + } + mSocket = do_CreateInstance("@mozilla.org/network/udp-socket;1", &rv); if (NS_FAILED(rv)) { return rv; ===================================== netwerk/test/unit/trr_common.js ===================================== 
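Review bot: The new guard in nsSocketTransport::InitiateSocket is skipped whenever `mProxyTransparentResolvesHost` is set, and neither the comment nor the log line says why. Presumably `mNetAddr` is only a placeholder in that case, but in a build where connections go through a host-resolving proxy, that would mean this check is not what refuses a 0.0.0.0 target. The comment should state which layer does. The log message also omits the reason, whereas the H3 path in HttpConnectionUDP::Init logs it; the same wording would help here: `SOCKET_LOG(("Connection refused because of 0.0.0.0 IP address\n"));`. InitiateSocket continues outside the hunk.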
@@ -1025,6 +1025,7 @@ async function test_ipv4_trr_fallback() { async function test_no_retry_without_doh() { info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS"); Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false); + Services.prefs.setBoolPref("network.socket.ip_addr_any.disabled", false); async function test(url, ip) { setModeAndURI(2, `doh?responseIP=${ip}`); @@ -1071,6 +1072,8 @@ async function test_no_retry_without_doh() { await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0"); await test(`http://unknown.ipv6.stuff:666/path`, "::"); } + + Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled"); } async function test_connection_reuse_and_cycling() { ===================================== toolkit/components/aboutmemory/content/aboutMemory.js ===================================== 
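Review bot: test_no_retry_without_doh now turns `network.socket.ip_addr_any.disabled` off for its whole body, and no test in this diff exercises the pref in its enabled state. The new refusal paths in nsSocketTransport2.cpp and HttpConnectionUDP.cpp are therefore not covered here. The reset added in the second hunk also runs only if every `await test(...)` before it succeeds. Wrapping the body in `try { ... } finally { Services.prefs.clearUserPref("network.socket.ip_addr_any.disabled"); }` keeps a failure from leaking the disabled state into later tests. A companion case that leaves the pref at `true` and expects the connection to `0.0.0.0` and `::` to be refused would pin the behaviour this push is adding.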
@@ -506,19 +506,11 @@ window.onload = function () { appendElementWithText(gFooter, "div", "legend", legendText1); appendElementWithText(gFooter, "div", "legend hiddenOnMobile", legendText2); - // See if we're loading from a file. (Because about:memory is a non-standard - // URL, location.search is undefined, so we have to use location.href - // instead.) - let search = location.href.split("?")[1]; - if (search) { - let searchSplit = search.split("&"); - for (let s of searchSplit) { - if (s.toLowerCase().startsWith("file=")) { - let filename = s.substring("file=".length); - updateAboutMemoryFromFile(decodeURIComponent(filename)); - return; - } - } + // See if we're loading from a file. + let { searchParams } = URL.fromURI(document.documentURIObject); + let fileParam = searchParams.get("file"); + if (fileParam) { + updateAboutMemoryFromFile(fileParam); } }; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/be8b37a... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/be8b37a... You're receiving this email because of your account on gitlab.torproject.org.
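Review bot: Switching to `searchParams.get("file")` in aboutMemory.js changes two things the old parser did. The key match was case-insensitive (`s.toLowerCase().startsWith("file=")`), and the value went through `decodeURIComponent`, which leaves `+` alone, whereas URLSearchParams decodes `+` as a space. A path containing a literal `+` would now resolve to a different file name unless the caller encodes it as `%2B`. If both changes are intended, a one-line comment would record that, e.g. `// URLSearchParams: the key is case-sensitive and '+' decodes to a space.` The `window.onload` handler begins above the hunk.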