commit 0fb22986acb9e3f63296bbca0cba67964cbe71a0 Author: Mike Perry mikeperry-git@fscked.org Date: Sun Sep 4 14:55:24 2011 -0700
Clean up branch after accidental double-merge.
I knew I should have deleted those old branches :/. --- ...th-headers-before-the-modify-request-obse.patch | 51 ------------ .../0007-Add-a-string-based-cacheKey.patch | 85 -------------------- src/current-patches/0007-Smash-the-state.patch | 37 --------- 3 files changed, 0 insertions(+), 173 deletions(-)
diff --git a/src/current-patches/0006-Add-HTTP-auth-headers-before-the-modify-request-obse.patch b/src/current-patches/0006-Add-HTTP-auth-headers-before-the-modify-request-obse.patch deleted file mode 100644 index 3f270d6..0000000 --- a/src/current-patches/0006-Add-HTTP-auth-headers-before-the-modify-request-obse.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8c2bf692deecb4efbfd2e9c4eba1d702b89a0f05 Mon Sep 17 00:00:00 2001 -From: Mike Perry mikeperry-git@fscked.org -Date: Fri, 2 Sep 2011 15:33:20 -0700 -Subject: [PATCH 6/6] Add HTTP auth headers before the modify-request observer. - -Otherwise, how are we supposed to modify them? - -Thanks to Georg Koppen for spotting both the problem and this fix. ---- - netwerk/protocol/http/nsHttpChannel.cpp | 11 +++++++---- - 1 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp -index 7038338..7a3254e 100644 ---- a/netwerk/protocol/http/nsHttpChannel.cpp -+++ b/netwerk/protocol/http/nsHttpChannel.cpp -@@ -311,9 +311,6 @@ nsHttpChannel::Connect(PRBool firstTime) - return NS_ERROR_DOCUMENT_NOT_CACHED; - } - -- // check to see if authorization headers should be included -- mAuthProvider->AddAuthorizationHeaders(); -- - if (mLoadFlags & LOAD_NO_NETWORK_IO) { - return NS_ERROR_DOCUMENT_NOT_CACHED; - } -@@ -3687,6 +3684,9 @@ nsHttpChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *context) - - AddCookiesToRequest(); - -+ // check to see if authorization headers should be included -+ mAuthProvider->AddAuthorizationHeaders(); -+ - // notify "http-on-modify-request" observers - gHttpHandler->OnModifyRequest(this); - -@@ -4758,7 +4758,10 @@ nsHttpChannel::DoAuthRetry(nsAHttpConnection *conn) - // this authentication attempt (bug 84794). - // TODO: save cookies from auth response and send them here (bug 572151). - AddCookiesToRequest(); -- -+ -+ // check to see if authorization headers should be included -+ mAuthProvider->AddAuthorizationHeaders(); -+ - // notify "http-on-modify-request" observers - gHttpHandler->OnModifyRequest(this); - --- -1.7.3.4 - diff --git a/src/current-patches/0007-Add-a-string-based-cacheKey.patch b/src/current-patches/0007-Add-a-string-based-cacheKey.patch deleted file mode 100644 index 1e0dd0e..0000000 --- a/src/current-patches/0007-Add-a-string-based-cacheKey.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 62e7c05519aae2d515d8872525411b8fb4ff02a6 Mon Sep 17 00:00:00 2001 -From: Mike Perry mikeperry-git@fscked.org -Date: Fri, 2 Sep 2011 20:47:02 -0700 -Subject: [PATCH 7/7] Add a string-based cacheKey. - -Used for isolating cache according to same-origin policy. ---- - netwerk/base/public/nsICachingChannel.idl | 7 +++++++ - netwerk/protocol/http/nsHttpChannel.cpp | 22 ++++++++++++++++++++++ - netwerk/protocol/http/nsHttpChannel.h | 1 + - 3 files changed, 30 insertions(+), 0 deletions(-) - -diff --git a/netwerk/base/public/nsICachingChannel.idl b/netwerk/base/public/nsICachingChannel.idl -index 2da46d6..4ee5774 100644 ---- a/netwerk/base/public/nsICachingChannel.idl -+++ b/netwerk/base/public/nsICachingChannel.idl -@@ -98,6 +98,13 @@ interface nsICachingChannel : nsICacheInfoChannel - attribute nsISupports cacheKey; - - /** -+ * Set/get the cache domain... uniquely identifies the data in the cache -+ * for this channel. Holding a reference to this key does NOT prevent -+ * the cached data from being removed. -+ */ -+ attribute AUTF8String cacheDomain; -+ -+ /** - * Specifies whether or not the data should be cached to a file. This - * may fail if the disk cache is not present. The value of this attribute - * is usually only settable during the processing of a channel's -diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp -index 7a3254e..cef5eaa 100644 ---- a/netwerk/protocol/http/nsHttpChannel.cpp -+++ b/netwerk/protocol/http/nsHttpChannel.cpp -@@ -2379,6 +2379,12 @@ nsHttpChannel::AssembleCacheKey(const char *spec, PRUint32 postID, - cacheKey.Append(buf); - } - -+ if (strlen(mCacheDomain.get()) > 0) { -+ cacheKey.AppendLiteral("domain="); -+ cacheKey.Append(mCacheDomain.get()); -+ cacheKey.AppendLiteral("&"); -+ } -+ - if (!cacheKey.IsEmpty()) { - cacheKey.AppendLiteral("uri="); - } -@@ -4658,6 +4664,22 @@ nsHttpChannel::SetCacheForOfflineUse(PRBool value) - } - - NS_IMETHODIMP -+nsHttpChannel::GetCacheDomain(nsACString &value) -+{ -+ value = mCacheDomain; -+ -+ return NS_OK; -+} -+ -+NS_IMETHODIMP -+nsHttpChannel::SetCacheDomain(const nsACString &value) -+{ -+ mCacheDomain = value; -+ -+ return NS_OK; -+} -+ -+NS_IMETHODIMP - nsHttpChannel::GetOfflineCacheClientID(nsACString &value) - { - value = mOfflineCacheClientID; -diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h -index dd0d7f4..f5016a8 100644 ---- a/netwerk/protocol/http/nsHttpChannel.h -+++ b/netwerk/protocol/http/nsHttpChannel.h -@@ -312,6 +312,7 @@ private: - nsCOMPtr<nsICacheEntryDescriptor> mOfflineCacheEntry; - nsCacheAccessMode mOfflineCacheAccess; - nsCString mOfflineCacheClientID; -+ nsCString mCacheDomain; - - // auth specific data - nsCOMPtr<nsIHttpChannelAuthProvider> mAuthProvider; --- -1.7.3.4 - diff --git a/src/current-patches/0007-Smash-the-state.patch b/src/current-patches/0007-Smash-the-state.patch deleted file mode 100644 index 16b03ea..0000000 --- a/src/current-patches/0007-Smash-the-state.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b6b74cdac09ed294ea1b965e39e4e9ae64c5cbd8 Mon Sep 17 00:00:00 2001 -From: Mike Perry mikeperry-git@fscked.org -Date: Sat, 3 Sep 2011 03:00:26 -0700 -Subject: [PATCH 7/7] Smash the state. - -What happened to you, Nederlanden? You used to be cool. - -This exemption is insecure as-is anyway, because we have no way of verifying -that DigiNotar wasn't compromised enough to allow the attacker to sign -certificates with an issuer string matching this exemption. The adversary -would then be able to create a chain of Entrust -> DigiNotar -> "Staat der -Nederlanden" -> *.torproject.org or *.google.com. ---- - security/manager/ssl/src/nsNSSCallbacks.cpp | 7 ------- - 1 files changed, 0 insertions(+), 7 deletions(-) - -diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp -index 5e3a888..43e1c19 100644 ---- a/security/manager/ssl/src/nsNSSCallbacks.cpp -+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp -@@ -1065,13 +1065,6 @@ PSM_SSL_BlacklistDigiNotar(CERTCertificate * serverCert, - } - } - } -- -- // By request of the Dutch government -- if (!strcmp(node->cert->issuerName, -- "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") && -- CERT_LIST_END(CERT_LIST_NEXT(node), serverCertChain)) { -- return 0; -- } - } - - if (isDigiNotarIssuedCert) --- -1.7.3.4 -
tor-commits@lists.torproject.org