|
|
@@ -0,0 +1,177 @@
|
|
|
+# HG changeset patch
|
|
|
+# User Moonchild <moonchild@palemoon.org>
|
|
|
+# Date 1723211781 -7200
|
|
|
+# Parent b7cc5cfb7736fc34aa49aacdf99c2f441d74ca78
|
|
|
+No Bug - Block access to 0.0.0.0 on non-Windows OSes. r=frg a=frg
|
|
|
+
|
|
|
+https://repo.palemoon.org/MoonchildProductions/UXP/issues/2554
|
|
|
+
|
|
|
+diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
|
|
|
+--- a/modules/libpref/init/all.js
|
|
|
++++ b/modules/libpref/init/all.js
|
|
|
+@@ -2295,16 +2295,26 @@ pref("network.dnsCacheExpirationGracePer
|
|
|
+
|
|
|
+ // This preference can be used to turn off DNS prefetch.
|
|
|
+ pref("network.dns.disablePrefetch", false);
|
|
|
+
|
|
|
+ // This preference controls whether .onion hostnames are
|
|
|
+ // rejected before being given to DNS. RFC 7686
|
|
|
+ pref("network.dns.blockDotOnion", true);
|
|
|
+
|
|
|
++// This preference controls whether to block access to 0.0.0.0
|
|
|
++// to mitigate local access issues in *NIX network stacks.
|
|
|
++#if defined(XP_WIN)
|
|
|
++// Windows is not affected, so don't block it there.
|
|
|
++// XXX: any other OSes not having this issue?
|
|
|
++pref("network.dns.blockQuad0", false);
|
|
|
++#else
|
|
|
++pref("network.dns.blockQuad0", true);
|
|
|
++#endif
|
|
|
++
|
|
|
+ // These domains are treated as localhost equivalent
|
|
|
+ pref("network.dns.localDomains", "");
|
|
|
+
|
|
|
+ // When non empty all non-localhost DNS queries (including IP addresses)
|
|
|
+ // resolve to this value. The value can be a name or an IP address.
|
|
|
+ // domains mapped to localhost with localDomains stay localhost.
|
|
|
+ pref("network.dns.forceResolve", "");
|
|
|
+
|
|
|
+diff --git a/netwerk/dns/nsDNSService2.cpp b/netwerk/dns/nsDNSService2.cpp
|
|
|
+--- a/netwerk/dns/nsDNSService2.cpp
|
|
|
++++ b/netwerk/dns/nsDNSService2.cpp
|
|
|
+@@ -46,16 +46,17 @@ using namespace mozilla::net;
|
|
|
+
|
|
|
+ static const char kPrefDnsCacheEntries[] = "network.dnsCacheEntries";
|
|
|
+ static const char kPrefDnsCacheExpiration[] = "network.dnsCacheExpiration";
|
|
|
+ static const char kPrefDnsCacheGrace[] = "network.dnsCacheExpirationGracePeriod";
|
|
|
+ static const char kPrefIPv4OnlyDomains[] = "network.dns.ipv4OnlyDomains";
|
|
|
+ static const char kPrefDisableIPv6[] = "network.dns.disableIPv6";
|
|
|
+ static const char kPrefDisablePrefetch[] = "network.dns.disablePrefetch";
|
|
|
+ static const char kPrefBlockDotOnion[] = "network.dns.blockDotOnion";
|
|
|
++static const char kPrefBlockQuad0[] = "network.dns.blockQuad0";
|
|
|
+ static const char kPrefDnsLocalDomains[] = "network.dns.localDomains";
|
|
|
+ static const char kPrefDnsForceResolve[] = "network.dns.forceResolve";
|
|
|
+ static const char kPrefDnsOfflineLocalhost[] = "network.dns.offline-localhost";
|
|
|
+ static const char kPrefDnsNotifyResolution[] = "network.dns.notifyResolution";
|
|
|
+
|
|
|
+ //-----------------------------------------------------------------------------
|
|
|
+
|
|
|
+ class nsDNSRecord : public nsIDNSRecord
|
|
|
+@@ -536,16 +537,17 @@ nsDNSService::Init()
|
|
|
+ // prefs
|
|
|
+ uint32_t maxCacheEntries = 400;
|
|
|
+ uint32_t defaultCacheLifetime = 120; // seconds
|
|
|
+ uint32_t defaultGracePeriod = 60; // seconds
|
|
|
+ bool disableIPv6 = false;
|
|
|
+ bool offlineLocalhost = true;
|
|
|
+ bool disablePrefetch = false;
|
|
|
+ bool blockDotOnion = true;
|
|
|
++ bool blockQuad0 = false;
|
|
|
+ int proxyType = nsIProtocolProxyService::PROXYCONFIG_DIRECT;
|
|
|
+ bool notifyResolution = false;
|
|
|
+
|
|
|
+ nsAutoCString ipv4OnlyDomains;
|
|
|
+ nsAutoCString localDomains;
|
|
|
+ nsAutoCString forceResolve;
|
|
|
+
|
|
|
+ // read prefs
|
|
|
+@@ -562,16 +564,17 @@ nsDNSService::Init()
|
|
|
+ // ASSUMPTION: pref branch does not modify out params on failure
|
|
|
+ prefs->GetBoolPref(kPrefDisableIPv6, &disableIPv6);
|
|
|
+ prefs->GetCharPref(kPrefIPv4OnlyDomains, ipv4OnlyDomains);
|
|
|
+ prefs->GetCharPref(kPrefDnsLocalDomains, localDomains);
|
|
|
+ prefs->GetCharPref(kPrefDnsForceResolve, forceResolve);
|
|
|
+ prefs->GetBoolPref(kPrefDnsOfflineLocalhost, &offlineLocalhost);
|
|
|
+ prefs->GetBoolPref(kPrefDisablePrefetch, &disablePrefetch);
|
|
|
+ prefs->GetBoolPref(kPrefBlockDotOnion, &blockDotOnion);
|
|
|
++ prefs->GetBoolPref(kPrefBlockQuad0, &blockQuad0);
|
|
|
+
|
|
|
+ // If a manual proxy is in use, disable prefetch implicitly
|
|
|
+ prefs->GetIntPref("network.proxy.type", &proxyType);
|
|
|
+ prefs->GetBoolPref(kPrefDnsNotifyResolution, ¬ifyResolution);
|
|
|
+
|
|
|
+ if (mFirstTime) {
|
|
|
+ mFirstTime = false;
|
|
|
+
|
|
|
+@@ -581,16 +584,17 @@ nsDNSService::Init()
|
|
|
+ prefs->AddObserver(kPrefDnsCacheGrace, this, false);
|
|
|
+ prefs->AddObserver(kPrefIPv4OnlyDomains, this, false);
|
|
|
+ prefs->AddObserver(kPrefDnsLocalDomains, this, false);
|
|
|
+ prefs->AddObserver(kPrefDnsForceResolve, this, false);
|
|
|
+ prefs->AddObserver(kPrefDisableIPv6, this, false);
|
|
|
+ prefs->AddObserver(kPrefDnsOfflineLocalhost, this, false);
|
|
|
+ prefs->AddObserver(kPrefDisablePrefetch, this, false);
|
|
|
+ prefs->AddObserver(kPrefBlockDotOnion, this, false);
|
|
|
++ prefs->AddObserver(kPrefBlockQuad0, this, false);
|
|
|
+ prefs->AddObserver(kPrefDnsNotifyResolution, this, false);
|
|
|
+
|
|
|
+ // Monitor these to see if there is a change in proxy configuration
|
|
|
+ // If a manual proxy is in use, disable prefetch implicitly
|
|
|
+ prefs->AddObserver("network.proxy.type", this, false);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+@@ -616,16 +620,17 @@ nsDNSService::Init()
|
|
|
+ mResolver = res;
|
|
|
+ mIDN = idn;
|
|
|
+ mIPv4OnlyDomains = ipv4OnlyDomains;
|
|
|
+ mOfflineLocalhost = offlineLocalhost;
|
|
|
+ mDisableIPv6 = disableIPv6;
|
|
|
+ mBlockDotOnion = blockDotOnion;
|
|
|
+ mForceResolve = forceResolve;
|
|
|
+ mForceResolveOn = !mForceResolve.IsEmpty();
|
|
|
++ mBlockQuad0 = blockQuad0;
|
|
|
+
|
|
|
+ // Disable prefetching either by explicit preference or if a manual proxy is configured
|
|
|
+ mDisablePrefetch = disablePrefetch || (proxyType == nsIProtocolProxyService::PROXYCONFIG_MANUAL);
|
|
|
+
|
|
|
+ mLocalDomains.Clear();
|
|
|
+ if (!localDomains.IsVoid()) {
|
|
|
+ nsCCharSeparatedTokenizer tokenizer(localDomains, ',',
|
|
|
+ nsCCharSeparatedTokenizer::SEPARATOR_OPTIONAL);
|
|
|
+@@ -701,16 +706,24 @@ nsDNSService::PreprocessHostname(bool
|
|
|
+ nsACString &aACE)
|
|
|
+ {
|
|
|
+ // Enforce RFC 7686
|
|
|
+ if (mBlockDotOnion &&
|
|
|
+ StringEndsWith(aInput, NS_LITERAL_CSTRING(".onion"))) {
|
|
|
+ return NS_ERROR_UNKNOWN_HOST;
|
|
|
+ }
|
|
|
+
|
|
|
++ // Block access to the "this machine" address.
|
|
|
++ if (mBlockQuad0 &&
|
|
|
++ (aInput.EqualsLiteral("0.0.0.0") ||
|
|
|
++ aInput.EqualsLiteral("::") ||
|
|
|
++ aInput.EqualsLiteral("::0.0.0.0"))) {
|
|
|
++ return NS_ERROR_UNKNOWN_HOST;
|
|
|
++ }
|
|
|
++
|
|
|
+ if (aLocalDomain) {
|
|
|
+ aACE.AssignLiteral("localhost");
|
|
|
+ return NS_OK;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (mForceResolveOn) {
|
|
|
+ MutexAutoLock lock(mLock);
|
|
|
+ if (!aInput.LowerCaseEqualsASCII("localhost") &&
|
|
|
+diff --git a/netwerk/dns/nsDNSService2.h b/netwerk/dns/nsDNSService2.h
|
|
|
+--- a/netwerk/dns/nsDNSService2.h
|
|
|
++++ b/netwerk/dns/nsDNSService2.h
|
|
|
+@@ -59,16 +59,17 @@ private:
|
|
|
+ // mIPv4OnlyDomains is a comma-separated list of domains for which only
|
|
|
+ // IPv4 DNS lookups are performed. This allows the user to disable IPv6 on
|
|
|
+ // a per-domain basis and work around broken DNS servers. See bug 68796.
|
|
|
+ nsCString mIPv4OnlyDomains;
|
|
|
+ nsCString mForceResolve;
|
|
|
+ bool mDisableIPv6;
|
|
|
+ bool mDisablePrefetch;
|
|
|
+ bool mBlockDotOnion;
|
|
|
++ bool mBlockQuad0;
|
|
|
+ bool mFirstTime;
|
|
|
+ bool mNotifyResolution;
|
|
|
+ bool mOfflineLocalhost;
|
|
|
+ bool mForceResolveOn;
|
|
|
+ nsTHashtable<nsCStringHashKey> mLocalDomains;
|
|
|
+ };
|
|
|
+
|
|
|
+ #endif //nsDNSService2_h__
|
Frank-Rainer Grahl