From 60d61f59dd3c17a4f65e90fa694e9fb4269591e6 Mon Sep 17 00:00:00 2001
From: Francois Marier <francois@mozilla.com>
Date: Fri, 14 Sep 2012 17:36:53 +1200
Subject: [PATCH] fixupAbsolutePath: filter out scheme-relative URLs

The current check to ensure that only absolute paths are accepted
fails to take into account scheme-relative URLs like "//foo.com".

These URLs end up in fixupURL and get the origin prepended to them
to something like "https://origin.example.com//foo.com", which is
invalid but still follows our same-origin restrictions.

So the solution is to require that the character after the leading
slash be anything but a slash.
---
 resources/static/dialog/js/modules/dialog.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/resources/static/dialog/js/modules/dialog.js b/resources/static/dialog/js/modules/dialog.js
index 00d6e8f8b..4bd17554d 100644
--- a/resources/static/dialog/js/modules/dialog.js
+++ b/resources/static/dialog/js/modules/dialog.js
@@ -83,7 +83,7 @@ BrowserID.Modules.Dialog = (function() {
     if (typeof(url) !== "string")
       throw "urls must be strings: (" + url + ")";
     if (/^http(s)?:\/\//.test(url)) u = URLParse(url);
-    else if (/^\//.test(url)) u = URLParse(origin + url);
+    else if (/^\/[^\/]/.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
     // encodeURI limits our return value to [a-z0-9:/?%], excluding <script>
     var encodedURI = encodeURI(u.validate().normalize().toString());
@@ -105,7 +105,8 @@ BrowserID.Modules.Dialog = (function() {
   }
 
   function fixupAbsolutePath(origin_url, path) {
-    if (/^\//.test(path))  return fixupURL(origin_url, path);
+    // Ensure URL is an absolute path (not a relative path or a scheme-relative URL)
+    if (/^\/[^\/]/.test(path))  return fixupURL(origin_url, path);
 
     throw "must be an absolute path: (" + path + ")";
   }
-- 
GitLab