[X2Go-Commits] [pale-moon] 66/294: Update Basilisk FE code with HTTP Auth DoS protection.

git-admin at x2go.org git-admin at x2go.org
Sat Apr 27 08:57:48 CEST 2019



x2go pushed a commit to branch upstream/28.5.0
in repository pale-moon.

commit f227feb6efbfa61c62cba88ab85df3c650311560
Author: wolfbeast <mcwerewolf at wolfbeast.com>
Date:   Thu Feb 28 14:16:09 2019 +0100

    Update Basilisk FE code with HTTP Auth DoS protection.
---
 application/basilisk/app/profile/basilisk.js         | 8 ++++++++
 application/basilisk/base/content/browser.js         | 5 +++++
 application/basilisk/base/content/tabbrowser.xml     | 5 ++++-
 application/basilisk/base/content/urlbarBindings.xml | 3 +++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/application/basilisk/app/profile/basilisk.js b/application/basilisk/app/profile/basilisk.js
index 79d7678..24f1c58 100644
--- a/application/basilisk/app/profile/basilisk.js
+++ b/application/basilisk/app/profile/basilisk.js
@@ -1438,3 +1438,11 @@ pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
 // controlling validation are located in /services/sync/services-sync.js
 pref("services.sync.validation.enabled", true);
 #endif
+
+// When a user cancels this number of authentication dialogs coming from
+// a single web page (eTLD+1) in a row, all following authentication dialogs
+// will be blocked (automatically canceled) for that page.
+// This counter is per-tab and per-domain to minimize false positives.
+// The counter resets when the page is reloaded from the UI
+// (content-reloads do NOT clear this to mitigate reloading tricks).
+pref("prompts.authentication_dialog_abuse_limit", 3);
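Review bot: The pref comment on the added lines says the counter resets only when the page is reloaded from the UI, but this same commit also clears `browser.authPromptCounter` from the URL bar handler (the urlbarBindings.xml hunk), so the documented contract is narrower than what the front end does. Widen the comment so readers of the pref see both triggers, e.g. `// The counter resets when the user reloads the page from the UI or navigates via the URL bar` followed by the existing content-reload caveat. The per-tab/eTLD+1 bookkeeping described here is not part of this commit, so it presumably lives in the prompt code that reads this pref; the comment could say so rather than leaving the reader to search for it.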
diff --git a/application/basilisk/base/content/browser.js b/application/basilisk/base/content/browser.js
index 9fb997a..336670f 100644
--- a/application/basilisk/base/content/browser.js
+++ b/application/basilisk/base/content/browser.js
@@ -3094,6 +3094,11 @@ function getWebNavigation()
 }
 
 function BrowserReloadWithFlags(reloadFlags) {
+
+  // Reset DOS mitigation for auth prompts when user initiates a reload.
+  let browser = gBrowser.selectedBrowser;
+  delete browser.authPromptCounter;
+
   let url = gBrowser.currentURI.spec;
   if (gBrowser.updateBrowserRemotenessByURL(gBrowser.selectedBrowser, url)) {
     // If the remoteness has changed, the new browser doesn't have any
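Review bot: `gBrowser.selectedBrowser` is fetched into the new `browser` local and then fetched again on the unchanged `updateBrowserRemotenessByURL` call one line later; pass the local instead, `if (gBrowser.updateBrowserRemotenessByURL(browser, url)) {`, so the counter reset and the remoteness check certainly act on the same browser object. The identical `delete browser.authPromptCounter;` also appears in the tabbrowser.xml and urlbarBindings.xml hunks; a single small helper on the tabbrowser binding (for example `resetAuthPromptCounter(browser)`, name constructed here) would keep the reset and its explanatory comment in one place instead of three. The blank line inserted directly after the function's opening brace is unusual for this file and can be dropped. BrowserReloadWithFlags continues past the end of the hunk.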
diff --git a/application/basilisk/base/content/tabbrowser.xml b/application/basilisk/base/content/tabbrowser.xml
index 0438380..c84c333 100644
--- a/application/basilisk/base/content/tabbrowser.xml
+++ b/application/basilisk/base/content/tabbrowser.xml
@@ -2991,7 +2991,10 @@
         <parameter name="aTab"/>
         <body>
           <![CDATA[
-            this.getBrowserForTab(aTab).reload();
+            let browser = this.getBrowserForTab(aTab);
+            // Reset DOS mitigation for basic auth prompt
+            delete browser.authPromptCounter;
+            browser.reload();
           ]]>
         </body>
       </method>
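Review bot: The added comment `// Reset DOS mitigation for basic auth prompt` names the mechanism differently from the other two sites in this commit (browser.js writes "DoS", the basilisk.js pref comment speaks of authentication dialogs generally, not only basic auth), which makes the three reset points harder to find together later. Use one phrasing at all three sites, e.g. `// Reset the auth-prompt DoS mitigation: a user-initiated reload clears this tab's counter.`, and keep it identical wherever the counter is deleted. The enclosing method's declaration and its `reload` caller context lie outside the hunk.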
diff --git a/application/basilisk/base/content/urlbarBindings.xml b/application/basilisk/base/content/urlbarBindings.xml
index ad11f7f..b9c1781 100644
--- a/application/basilisk/base/content/urlbarBindings.xml
+++ b/application/basilisk/base/content/urlbarBindings.xml
@@ -540,6 +540,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
             Cu.reportError(ex);
           }
 
+          // Reset DOS mitigations for the basic auth prompt.
+          delete browser.authPromptCounter;
+
           let params = {
             postData,
             allowThirdPartyFixup: true,
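Review bot: The reset on the added lines runs before `params` is assembled, and the actual load presumably happens further down outside the hunk; if anything between the reset and the load throws or bails out, the counter is cleared without a navigation having taken place. Moving `delete browser.authPromptCounter;` to immediately before the load call keeps the reset tied to a navigation the user actually triggered. `browser` is not bound within the hunk, so it is presumably the handler's browser reference declared earlier; worth confirming it is the browser that will receive this load rather than a previously selected one. The enclosing handler both starts and ends outside the hunk.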
