fixupAbsolutePath: filter out scheme-relative URLs

The current check to ensure that only absolute paths are accepted fails to take into account scheme-relative URLs like "//foo.com". These URLs end up in fixupURL and get the origin prepended to them to something like "https://origin.example.com//foo.com", which is invalid but still follows our same-origin restrictions. So the solution is to require that the character after the leading slash be anything but a slash.
mozilla · Sep 20, 2012 · 60d61f5 · 60d61f5
1 parent 3f3dfba
commit 60d61f5
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/resources/static/dialog/js/modules/dialog.js b/resources/static/dialog/js/modules/dialog.js
@@ -83,7 +83,7 @@ BrowserID.Modules.Dialog = (function() {
     if (typeof(url) !== "string")
       throw "urls must be strings: (" + url + ")";
     if (/^http(s)?:\/\//.test(url)) u = URLParse(url);
-    else if (/^\//.test(url)) u = URLParse(origin + url);
+    else if (/^\/[^\/]/.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
     // encodeURI limits our return value to [a-z0-9:/?%], excluding <script>
     var encodedURI = encodeURI(u.validate().normalize().toString());
@@ -105,7 +105,8 @@ BrowserID.Modules.Dialog = (function() {
   }
 
   function fixupAbsolutePath(origin_url, path) {
-    if (/^\//.test(path))  return fixupURL(origin_url, path);
+    // Ensure URL is an absolute path (not a relative path or a scheme-relative URL)
+    if (/^\/[^\/]/.test(path))  return fixupURL(origin_url, path);
 
     throw "must be an absolute path: (" + path + ")";
   }