Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/preferences/dialogs/browserLanguages.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/preferences/dialogs/browserLanguages.js@@ -2,7 +2,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */-/* import-globals-from ../../../../toolkit/content/preferencesBindings.js */+/* import-globals-from /toolkit/content/preferencesBindings.js */ var { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");@@ -209,12 +209,24 @@ } }+/**+ * The sorted select list of Locales available for the app.+ */ class SortedItemSelectList { constructor({ menulist, button, onSelect, onChange, compareFn }) {+ /** @type {XULElement} */ this.menulist = menulist;++ /** @type {XULElement} */ this.popup = menulist.menupopup;++ /** @type {XULElement} */ this.button = button;++ /** @type {(a: LocaleDisplayInfo, b: LocaleDisplayInfo) => number} */ this.compareFn = compareFn;++ /** @type {Array<LocaleDisplayInfo>} */ this.items = []; // This will register the "command" listener.@@ -240,6 +252,9 @@ }); }+ /**+ * @param {Array<LocaleDisplayInfo>} items+ */ setItems(items) { this.items = items.sort(this.compareFn); this.populate();@@ -318,6 +333,21 @@ } }+/**+ * @typedef LocaleDisplayInfo+ * @type {object}+ * @prop {string} id - A unique ID.+ * @prop {string} label - The localized display name.+ * @prop {string} value - The BCP 47 locale identifier or the word "search".+ * @prop {boolean} canRemove - Locales that are part of the packaged locales cannot be+ * removed.+ * @prop {boolean} installed - Whether or not the locale is installed.+ */++/**+ * @param {Array<string>} localeCodes - List of BCP 47 locale identifiers.+ * @returns {Array<LocaleDisplayInfo>}+ */ async function getLocaleDisplayInfo(localeCodes) { let availableLocales = new Set(await getAvailableLocales()); let packagedLocales = new Set(Services.locale.packagedLocales);@@ -337,6 +367,11 @@ }); }+/**+ * @param {LocaleDisplayInfo} a+ * @param {LocaleDisplayInfo} b+ * @returns {number}+ */ function compareItems(a, b) { // Sort by installed. if (a.installed != b.installed) {@@ -360,11 +395,32 @@ } var gBrowserLanguagesDialog = {- telemetryId: null,- accepted: false,- _availableLocales: null,- _selectedLocales: null,- selectedLocales: null,+ /**+ * The publicly readable list of selected locales. It is only set when the dialog is+ * accepted, and can be retrieved elsewhere by directly reading the property+ * on gBrowserLanguagesDialog.+ *+ * let { selected } = gBrowserLanguagesDialog;+ *+ * @type {null | Array<string>}+ */+ selected: null,++ /**+ * @type {string | null} An ID used for telemetry pings. It is unique to the current+ * opening of the browser language.+ */+ _telemetryId: null,++ /**+ * @type {SortedItemSelectList}+ */+ _availableLocalesUI: null,++ /**+ * @type {OrderedListBox}+ */+ _selectedLocalesUI: null, get downloadEnabled() { // Downloading langpacks isn't always supported, check the pref.@@ -376,31 +432,37 @@ "intl.ui.browserLanguage", method, "dialog",- this.telemetryId,+ this._telemetryId, extra ); },- beforeAccept() {- this.selected = this.getSelectedLocales();- this.accepted = true;- },- async onLoad() {- document- .getElementById("BrowserLanguagesDialog")- .addEventListener("beforeaccept", () => this.beforeAccept());- // Maintain the previously selected locales even if we cancel out.- let { telemetryId, selected, search } = window.arguments[0];- this.telemetryId = telemetryId;- this.selectedLocales = selected;+ /**+ * @typedef {Object} Options - Options passed in to configure the subdialog.+ * @property {string} telemetryId,+ * @property {Array<string>} [selectedLocalesForRestart] The optional list of+ * previously selected locales for when a restart is required. This list is+ * preserved between openings of the dialog.+ * @property {boolean} search Whether the user opened this from "Search for more+ * languages" option.+ */++ /** @type {Options} */+ let {+ telemetryId,+ selectedLocalesForRestart,+ search,+ } = window.arguments[0];++ this._telemetryId = telemetryId; // This is a list of available locales that the user selected. It's more // restricted than the Intl notion of `requested` as it only contains // locale codes for which we have matching locales available. // The first time this dialog is opened, populate with appLocalesAsBCP47. let selectedLocales =- this.selectedLocales || Services.locale.appLocalesAsBCP47;+ selectedLocalesForRestart || Services.locale.appLocalesAsBCP47; let selectedLocaleSet = new Set(selectedLocales); let available = await getAvailableLocales(); let availableSet = new Set(available);@@ -417,10 +479,20 @@ await this.initAvailableLocales(available, search); this.initialized = true;- },-++ // Now the component is initialized, it's safe to accept the results.+ document+ .getElementById("BrowserLanguagesDialog")+ .addEventListener("beforeaccept", () => {+ this.selected = this._selectedLocalesUI.items.map(item => item.value);+ });+ },++ /**+ * @param {string[]} selectedLocales - BCP 47 locale identifiers+ */ async initSelectedLocales(selectedLocales) {- this._selectedLocales = new OrderedListBox({+ this._selectedLocalesUI = new OrderedListBox({ richlistbox: document.getElementById("selectedLocales"), upButton: document.getElementById("up"), downButton: document.getElementById("down"),@@ -428,11 +500,18 @@ onRemove: item => this.selectedLocaleRemoved(item), onReorder: () => this.recordTelemetry("reorder"), });- this._selectedLocales.setItems(await getLocaleDisplayInfo(selectedLocales));- },-+ this._selectedLocalesUI.setItems(+ await getLocaleDisplayInfo(selectedLocales)+ );+ },++ /**+ * @param {Set<string>} available - The set of available BCP 47 locale identifiers.+ * @param {boolean} search - Whether the user opened this from "Search for more+ * languages" option.+ */ async initAvailableLocales(available, search) {- this._availableLocales = new SortedItemSelectList({+ this._availableLocalesUI = new SortedItemSelectList({ menulist: document.getElementById("availableLocales"), button: document.getElementById("add"), compareFn: compareItems,@@ -467,7 +546,9 @@ } // Disable the dropdown while we hit the network.- this._availableLocales.disableWithMessageId("browser-languages-searching");+ this._availableLocalesUI.disableWithMessageId(+ "browser-languages-searching"+ ); // Fetch the available langpacks from AMO. let availableLangpacks;@@ -502,17 +583,20 @@ }); // Remove the search option and add the remote locales.- let items = this._availableLocales.items;+ let items = this._availableLocalesUI.items; items.pop(); items = items.concat(availableItems); // Update the dropdown and enable it again.- this._availableLocales.setItems(items);- this._availableLocales.enableWithMessageId(+ this._availableLocalesUI.setItems(items);+ this._availableLocalesUI.enableWithMessageId( "browser-languages-select-language" ); },+ /**+ * @param {Set<string>} available - The set of available (BCP 47) locales.+ */ async loadLocalesFromInstalled(available) { let items; if (available.length) {@@ -527,9 +611,12 @@ value: "search", }); }- this._availableLocales.setItems(items);- },-+ this._availableLocalesUI.setItems(items);+ },++ /**+ * @param {LocaleDisplayInfo} item+ */ async availableLanguageSelected(item) { if ((await getAvailableLocales()).includes(item.value)) { this.recordTelemetry("add");@@ -542,23 +629,29 @@ } },- async requestLocalLanguage(item, available) {- this._selectedLocales.addItem(item);- let selectedCount = this._selectedLocales.items.length;+ /**+ * @param {LocaleDisplayInfo} item+ */+ async requestLocalLanguage(item) {+ this._selectedLocalesUI.addItem(item);+ let selectedCount = this._selectedLocalesUI.items.length; let availableCount = (await getAvailableLocales()).length; if (selectedCount == availableCount) { // Remove the installed label, they're all installed.- this._availableLocales.items.shift();- this._availableLocales.setItems(this._availableLocales.items);+ this._availableLocalesUI.items.shift();+ this._availableLocalesUI.setItems(this._availableLocalesUI.items); } // The label isn't always reset when the selected item is removed, so set it again.- this._availableLocales.enableWithMessageId(+ this._availableLocalesUI.enableWithMessageId( "browser-languages-select-language" ); },+ /**+ * @param {LocaleDisplayInfo} item+ */ async requestRemoteLanguage(item) {- this._availableLocales.disableWithMessageId(+ this._availableLocalesUI.disableWithMessageId( "browser-languages-downloading" );@@ -580,8 +673,8 @@ } item.installed = true;- this._selectedLocales.addItem(item);- this._availableLocales.enableWithMessageId(+ this._selectedLocalesUI.addItem(item);+ this._availableLocalesUI.enableWithMessageId( "browser-languages-select-language" );@@ -591,6 +684,9 @@ this.installDictionariesForLanguage(item.value); },+ /**+ * @param {string} locale The BCP 47 locale identifier+ */ async installDictionariesForLanguage(locale) { try { let ids = await dictionaryIdsForLocale(locale);@@ -605,7 +701,7 @@ showError() { document.getElementById("warning-message").hidden = false;- this._availableLocales.enableWithMessageId(+ this._availableLocalesUI.enableWithMessageId( "browser-languages-select-language" );@@ -623,18 +719,17 @@ document.getElementById("warning-message").hidden = true; },- getSelectedLocales() {- return this._selectedLocales.items.map(item => item.value);- },-+ /**+ * @param {LocaleDisplayInfo} item+ */ async selectedLocaleRemoved(item) { this.recordTelemetry("remove");- this._availableLocales.addItem(item);+ this._availableLocalesUI.addItem(item); // If the item we added is at the top of the list, it needs the label.- if (this._availableLocales.items[0] == item) {- this._availableLocales.addItem(await this.createInstalledLabel());+ if (this._availableLocalesUI.items[0] == item) {+ this._availableLocalesUI.addItem(await this.createInstalledLabel()); } },
Based on the provided code diff, I'll analyze it for security vulnerabilities. The changes appear to be primarily documentation improvements, type annotations, and some structural refactoring rather than security fixes. Here's my analysis: 1. Vulnerability Existed: no No clear security vulnerability was fixed in this diff. The changes are mainly: - Improved JSDoc type annotations - Better variable naming (e.g., `telemetryId` to `_telemetryId`) - More explicit type definitions - Code structure improvements 2. Vulnerability Existed: not sure Path Traversal Potential [File] browserLanguages.js [Lines] 2 Old Code: `/* import-globals-from ../../../../toolkit/content/preferencesBindings.js */` Fixed Code: `/* import-globals-from /toolkit/content/preferencesBindings.js */` Note: While the path change could potentially affect file inclusion security, this appears to be more of a path normalization rather than a security fix. The relative path was replaced with an absolute path, which might be more secure but doesn't clearly fix a vulnerability. The diff shows significant code quality improvements but no obvious security vulnerability fixes. The changes include: - Added proper type annotations - Better encapsulation of internal variables (prefixing with _) - More detailed documentation - Clearer separation of concerns - Improved error handling structure These are all good practices that can help prevent security issues, but they don't appear to be fixing any specific vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/build/linux.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/build/linux.yml@@ -1843,3 +1843,44 @@ - linux64-node - sysroot-x86_64-linux-gnu - sysroot-wasm32-wasi++linux64-domstreams/debug:+ description: "Linux64 Debug - DOM Streams enabled"+ index:+ product: firefox+ job-name: linux64-domstreams-debug+ treeherder:+ platform: linux64/debug+ symbol: B-ds+ worker-type: b-linux+ worker:+ max-run-time: 5400+ env:+ MOZ_AUTOMATION_PACKAGE_TESTS: "1"+ PERFHERDER_EXTRA_OPTIONS: domstreams+ run:+ using: mozharness+ actions: [get-secrets, build]+ config:+ - builds/releng_base_firefox.py+ - builds/releng_base_linux_64_builds.py+ script: "mozharness/scripts/fx_desktop_build.py"+ secrets: true+ custom-build-variant-cfg: debug+ mozconfig-variant: domstreams+ tooltool-downloads: public+ need-xvfb: true+ use-sccache: true+ fetches:+ toolchain:+ - linux64-binutils+ - linux64-clang+ - linux64-cbindgen+ - linux64-dump_syms+ - linux64-sccache+ - linux64-rust+ - linux64-rust-size+ - linux64-nasm+ - linux64-node+ - sysroot-x86_64-linux-gnu+ - sysroot-wasm32-wasi
After analyzing the provided code diff, I can see that this is an addition of a new build configuration rather than a security fix. Here's my analysis: Vulnerability Existed: no [New build configuration added] [taskcluster/ci/build/linux.yml] [Lines 1843-1887] [Old Code] [No previous code existed for this section] [Fixed Code] [New linux64-domstreams/debug build configuration added] The diff shows the addition of a new build configuration called "linux64-domstreams/debug" with various parameters and dependencies. There are no security vulnerabilities being fixed here - this is purely the addition of a new build target with DOM Streams enabled in debug mode. No security-related changes were made in this diff, and no vulnerabilities were fixed. The changes are related to build system configuration rather than security patches.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.overlap2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.overlap2.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var g = ctx.createLinearGradient(0, 0, 100, 0); var ps = [ 0, 1/10, 1/4, 1/3, 1/2, 3/4, 1 ];@@ -27,11 +27,11 @@ } ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 30,25, 0,255,0,255, "30,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 40,25, 0,255,0,255, "40,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 60,25, 0,255,0,255, "60,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 80,25, 0,255,0,255, "80,25", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 30,25, 0,255,0,255, "30,25", "0,255,0,255");+_assertPixel(canvas, 40,25, 0,255,0,255, "40,25", "0,255,0,255");+_assertPixel(canvas, 60,25, 0,255,0,255, "60,25", "0,255,0,255");+_assertPixel(canvas, 80,25, 0,255,0,255, "80,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the variable name in the assertions. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-27]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");
This appears to be a simple code refactoring/cleanup rather than a security fix. The functionality remains identical, only the variable name has changed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-4.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-4.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0 100% 50% /)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily variable renaming and don't involve any security-related fixes. Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-4.html] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes are:
1. Renaming variable from `offscreenCanvas` to `canvas`
2. Updating the variable name in the `_assertPixel` call
3. No changes to the actual security-related behavior or input validation
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/arm64/CodeGenerator-arm64.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/arm64/CodeGenerator-arm64.cpp@@ -1985,6 +1985,8 @@ Scalar::Type storageType = mir->storageType();+ // NOTE: the generated code must match the assembly code in gen_load in+ // GenerateAtomicOperations.py auto sync = Synchronization::Load(); masm.memoryBarrierBefore(sync);@@ -2011,6 +2013,8 @@ masm.loadBigInt64(value, temp1);+ // NOTE: the generated code must match the assembly code in gen_store in+ // GenerateAtomicOperations.py auto sync = Synchronization::Store(); masm.memoryBarrierBefore(sync);
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Synchronization Issue] [js/src/jit/arm64/CodeGenerator-arm64.cpp] [Lines 1985,2013]
[Old Code]
auto sync = Synchronization::Load();
[Fixed Code]
// NOTE: the generated code must match the assembly code in gen_load in
// GenerateAtomicOperations.py
auto sync = Synchronization::Load();
2. Vulnerability Existed: not sure
[Potential Synchronization Issue] [js/src/jit/arm64/CodeGenerator-arm64.cpp] [Lines 2011,2013]
[Old Code]
auto sync = Synchronization::Store();
[Fixed Code]
// NOTE: the generated code must match the assembly code in gen_store in
// GenerateAtomicOperations.py
auto sync = Synchronization::Store();
Analysis:
The changes add comments emphasizing the need for synchronization between the generated code and assembly code in GenerateAtomicOperations.py. While this doesn't directly fix a vulnerability, it appears to be adding documentation to prevent potential synchronization issues that could lead to race conditions or memory consistency problems in atomic operations. The comments suggest there might have been a risk of mismatched memory barriers or atomic operation implementations between different code generation paths.
Without more context about the actual implementation in GenerateAtomicOperations.py, I can't definitively say whether there was an actual vulnerability, but the changes suggest there was concern about potential synchronization issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/geckodriver/doc/Capabilities.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/geckodriver/doc/Capabilities.md@@ -50,7 +50,7 @@ The contained `webSocketDebuggerUrl` entries can be used to connect to the websocket and interact with the browser by using the CDP protocol.-[Remote Protocol]: /testing/remote/doc/+[Remote Protocol]: /remote/index.rst [Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] testing/geckodriver/doc/Capabilities.md [Lines] 50 [Old Code] `[Remote Protocol]: /testing/remote/doc/` [Fixed Code] `[Remote Protocol]: /remote/index.rst` Additional Details: - This appears to be a documentation update changing a link reference - The change updates the path to the Remote Protocol documentation - No security implications are evident from this change - The modification doesn't involve any code execution, input handling, or security-sensitive operations The diff only shows a documentation link being updated, which doesn't indicate any security vulnerability fix. The change might be part of a documentation restructuring or path normalization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/xre/nsAppRunner.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/xre/nsAppRunner.cpp@@ -25,11 +25,13 @@ #include "mozilla/ScopeExit.h" #include "mozilla/StaticPrefs_browser.h" #include "mozilla/StaticPrefs_fission.h"+#include "mozilla/StaticPrefs_webgl.h"+#include "mozilla/StaticPrefs_widget.h" #include "mozilla/Telemetry.h" #include "mozilla/Utf8.h" #include "mozilla/intl/LocaleService.h" #include "mozilla/JSONWriter.h"-#include "mozilla/glean/GleanMetrics.h"+#include "mozilla/gfx/gfxVars.h" #include "BaseProfiler.h" #include "nsAppRunner.h"@@ -81,7 +83,6 @@ #include "nsIStringBundle.h" #include "nsISupportsPrimitives.h" #include "nsIToolkitProfile.h"-#include "nsIUUIDGenerator.h" #include "nsToolkitProfileService.h" #include "nsIURI.h" #include "nsIURL.h"@@ -95,6 +96,7 @@ #include "mozilla/dom/quota/QuotaManager.h" #include "mozilla/scache/StartupCache.h" #include "gfxPlatform.h"+#include "PDMFactory.h" #ifdef XP_MACOSX # include "gfxPlatformMac.h" #endif@@ -132,9 +134,6 @@ #if defined(MOZ_SANDBOX) # include "mozilla/SandboxSettings.h"-# if (defined(XP_WIN) || defined(XP_MACOSX))-# include "nsIUUIDGenerator.h"-# endif #endif #ifdef ACCESSIBILITY@@ -431,6 +430,12 @@ MessageBoxW(nullptr, wide_msg, L"XULRunner", flags); }+#elif defined(MOZ_WIDGET_ANDROID)+ SmprintfPointer msg = mozilla::Vsmprintf(fmt, ap);+ if (msg) {+ __android_log_print(isError ? ANDROID_LOG_ERROR : ANDROID_LOG_INFO,+ "GeckoRuntime", "%s", msg.get());+ } #else vfprintf(stderr, fmt, ap); #endif@@ -467,6 +472,400 @@ bool gSafeMode = false; bool gFxREmbedded = false;++enum E10sStatus {+ kE10sEnabledByDefault,+ kE10sDisabledByUser,+ kE10sForceDisabled,+};++static bool gBrowserTabsRemoteAutostart = false;+static E10sStatus gBrowserTabsRemoteStatus;+static bool gBrowserTabsRemoteAutostartInitialized = false;++namespace mozilla {++bool BrowserTabsRemoteAutostart() {+ if (gBrowserTabsRemoteAutostartInitialized) {+ return gBrowserTabsRemoteAutostart;+ }+ gBrowserTabsRemoteAutostartInitialized = true;++ // If we're not in the parent process, we are running E10s.+ if (!XRE_IsParentProcess()) {+ gBrowserTabsRemoteAutostart = true;+ return gBrowserTabsRemoteAutostart;+ }++#if defined(MOZILLA_OFFICIAL) && MOZ_BUILD_APP_IS_BROWSER+ bool allowSingleProcessOutsideAutomation = false;+#else+ bool allowSingleProcessOutsideAutomation = true;+#endif++ E10sStatus status = kE10sEnabledByDefault;+ // We use "are non-local connections disabled" as a proxy for+ // "are we running some kind of automated test". It would be nicer to use+ // xpc::IsInAutomation(), but that depends on some prefs being set, which+ // they are not in (at least) gtests (where we can't) and xpcshell.+ // Long-term, hopefully we can make tests switch to environment variables+ // to disable e10s and then we can get rid of this.+ if (allowSingleProcessOutsideAutomation ||+ xpc::AreNonLocalConnectionsDisabled()) {+ bool optInPref =+ Preferences::GetBool("browser.tabs.remote.autostart", true);++ if (optInPref) {+ gBrowserTabsRemoteAutostart = true;+ } else {+ status = kE10sDisabledByUser;+ }+ } else {+ gBrowserTabsRemoteAutostart = true;+ }++ // Uber override pref for emergency blocking+ if (gBrowserTabsRemoteAutostart) {+ const char* forceDisable = PR_GetEnv("MOZ_FORCE_DISABLE_E10S");+#if defined(MOZ_WIDGET_ANDROID)+ // We need this for xpcshell on Android+ if (forceDisable && *forceDisable) {+#else+ // The environment variable must match the application version to apply.+ if (forceDisable && gAppData && !strcmp(forceDisable, gAppData->version)) {+#endif+ gBrowserTabsRemoteAutostart = false;+ status = kE10sForceDisabled;+ }+ }++ gBrowserTabsRemoteStatus = status;++ return gBrowserTabsRemoteAutostart;+}++} // namespace mozilla++// Win32k Infrastructure ==============================================++// This bool tells us if we have initialized the following two statics+// upon startup.++static bool gWin32kInitialized = false;++// Win32k Lockdown for the current session is determined once, at startup,+// and then remains the same for the duration of the session.++static nsIXULRuntime::ContentWin32kLockdownState gWin32kStatus;++// The status of the win32k experiment. It is determined once, at startup,+// and then remains the same for the duration of the session.++static nsIXULRuntime::ExperimentStatus gWin32kExperimentStatus =+ nsIXULRuntime::eExperimentStatusUnenrolled;++#ifdef XP_WIN+// The states for win32k lockdown can be generalized to:+// - User doesn't meet requirements (bad OS, webrender, remotegl) aka+// PersistentRequirement+// - User has Safe Mode enabled, Win32k Disabled by Env Var, or E10S disabled+// by Env Var aka TemporaryRequirement+// - User has set the win32k pref to something non-default aka NonDefaultPref+// - User has been enrolled in the experiment and does what it says aka+// Enrolled+// - User does the default aka Default+//+// We expect the below behvaior. In the code, there may be references to these+// behaviors (e.g. [A]) but not always.+//+// [A] Becoming enrolled in the experiment while NonDefaultPref disqualifies+// you upon next browser start+// [B] Becoming enrolled in the experiment while PersistentRequirement+// disqualifies you upon next browser start+// [C] Becoming enrolled in the experiment while TemporaryRequirement does not+// disqualify you+// [D] Becoming enrolled in the experiment will only take effect after restart+// [E] While enrolled, becoming PersistentRequirement will not disqualify you+// until browser restart, but if the state is present at browser start,+// will disqualify you. Additionally, it will not affect the session value+// of gWin32kStatus.+// XXX(bobowen): I hope both webrender and wbgl.out-of-process require a+// restart to take effect!+// [F] While enrolled, becoming NonDefaultPref will disqualify you upon next+// browser start+// [G] While enrolled, becoming TemporaryRequirement will _not_ disqualify you,+// but the session status will prevent win32k lockdown from taking effect.++// The win32k pref+static const char kPrefWin32k[] = "security.sandbox.content.win32k-disable";++// The current enrollment status as controlled by Normandy. This value is only+// stored in the default preference branch, and is not persisted across+// sessions by the preference service. It therefore isn't available early+// enough at startup, and needs to be synced to a preference in the user+// branch which is persisted across sessions.+static const char kPrefWin32kExperimentEnrollmentStatus[] =+ "security.sandbox.content.win32k-experiment.enrollmentStatus";++// The enrollment status to be used at browser startup. This automatically+// synced from the above enrollmentStatus preference whenever the latter is+// changed. We reused the Fission experiment enum - it can have any of the+// values defined in the `nsIXULRuntime_ExperimentStatus` enum _except_ rollout.+// Meanings are documented in the declaration of+// `nsIXULRuntime.fissionExperimentStatus`+static const char kPrefWin32kExperimentStartupEnrollmentStatus[] =+ "security.sandbox.content.win32k-experiment.startupEnrollmentStatus";++namespace mozilla {++bool Win32kExperimentEnrolled() {+ MOZ_ASSERT(XRE_IsParentProcess());+ return gWin32kExperimentStatus == nsIXULRuntime::eExperimentStatusControl ||+ gWin32kExperimentStatus == nsIXULRuntime::eExperimentStatusTreatment;+}++} // namespace mozilla++static bool Win32kRequirementsUnsatisfied(+ nsIXULRuntime::ContentWin32kLockdownState aStatus) {+ return aStatus == nsIXULRuntime::ContentWin32kLockdownState::+ OperatingSystemNotSupported ||+ aStatus ==+ nsIXULRuntime::ContentWin32kLockdownState::MissingWebRender ||+ aStatus ==+ nsIXULRuntime::ContentWin32kLockdownState::MissingRemoteWebGL ||+ aStatus ==+ nsIXULRuntime::ContentWin32kLockdownState::DecodersArentRemote;+}++static void Win32kExperimentDisqualify() {+ MOZ_ASSERT(XRE_IsParentProcess());+ Preferences::SetUint(kPrefWin32kExperimentEnrollmentStatus,+ nsIXULRuntime::eExperimentStatusDisqualified);+}++static void OnWin32kEnrollmentStatusChanged(const char* aPref, void* aData) {+ auto newStatusInt =+ Preferences::GetUint(kPrefWin32kExperimentEnrollmentStatus,+ nsIXULRuntime::eExperimentStatusUnenrolled);+ auto newStatus = newStatusInt < nsIXULRuntime::eExperimentStatusCount+ ? nsIXULRuntime::ExperimentStatus(newStatusInt)+ : nsIXULRuntime::eExperimentStatusDisqualified;++ // Set the startup pref for next browser start [D]+ Preferences::SetUint(kPrefWin32kExperimentStartupEnrollmentStatus, newStatus);+}++namespace {+// This observer is notified during `profile-before-change`, and ensures that+// the experiment enrollment status is synced over before the browser shuts+// down, even if it was not modified since win32k was initialized.+class Win32kEnrollmentStatusShutdownObserver final : public nsIObserver {+ public:+ NS_DECL_ISUPPORTS++ NS_IMETHOD Observe(nsISupports* aSubject, const char* aTopic,+ const char16_t* aData) override {+ MOZ_ASSERT(!strcmp("profile-before-change", aTopic));+ OnWin32kEnrollmentStatusChanged(kPrefWin32kExperimentEnrollmentStatus,+ nullptr);+ return NS_OK;+ }++ private:+ ~Win32kEnrollmentStatusShutdownObserver() = default;+};+NS_IMPL_ISUPPORTS(Win32kEnrollmentStatusShutdownObserver, nsIObserver)+} // namespace++static void OnWin32kChanged(const char* aPref, void* aData) {+ // If we're actively enrolled in the Win32k experiment, disqualify the user+ // from the experiment if the Win32k pref is modified. [F]+ if (Win32kExperimentEnrolled() && Preferences::HasUserValue(kPrefWin32k)) {+ Win32kExperimentDisqualify();+ }+}++#endif // XP_WIN++namespace mozilla {+void EnsureWin32kInitialized();+}++nsIXULRuntime::ContentWin32kLockdownState GetLiveWin32kLockdownState() {+#ifdef XP_WIN++ // HasUserValue The Pref functions can only be called on main thread+ MOZ_ASSERT(NS_IsMainThread());+ mozilla::EnsureWin32kInitialized();++ if (gSafeMode) {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledBySafeMode;+ }++ if (EnvHasValue("MOZ_ENABLE_WIN32K")) {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledByEnvVar;+ }++ if (!mozilla::BrowserTabsRemoteAutostart()) {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledByE10S;+ }++ // Win32k lockdown is available on Win8+, but we are initially limiting it to+ // Windows 10 v1709 (build 16299) or later. Before this COM initialization+ // currently fails if user32.dll has loaded before it is called.+ if (!IsWin10FallCreatorsUpdateOrLater()) {+ return nsIXULRuntime::ContentWin32kLockdownState::+ OperatingSystemNotSupported;+ }++ // Win32k Lockdown requires WebRender, but WR is not currently guaranteed+ // on all computers. It can also fail to initialize and fallback to+ // non-WR render path.+ //+ // We don't want a situation where "Win32k Lockdown + No WR" occurs+ // without the user explicitly requesting unsupported behavior.+ if (!gfx::gfxVars::UseWebRender()) {+ return nsIXULRuntime::ContentWin32kLockdownState::MissingWebRender;+ }++ // Non-native theming is required as well+ if (!StaticPrefs::widget_non_native_theme_enabled()) {+ return nsIXULRuntime::ContentWin32kLockdownState::MissingNonNativeTheming;+ }++ // Win32k Lockdown requires Remote WebGL, but it may be disabled on+ // certain hardware or virtual machines.+ if (!gfx::gfxVars::AllowWebglOop() || !StaticPrefs::webgl_out_of_process()) {+ return nsIXULRuntime::ContentWin32kLockdownState::MissingRemoteWebGL;+ }++ // Some (not sure exactly which) decoders are not compatible+ if (!PDMFactory::AllDecodersAreRemote()) {+ return nsIXULRuntime::ContentWin32kLockdownState::DecodersArentRemote;+ }++ bool prefSetByUser =+ Preferences::HasUserValue("security.sandbox.content.win32k-disable");+ bool prefValue = Preferences::GetBool(+ "security.sandbox.content.win32k-disable", false, PrefValueKind::User);+ bool defaultValue = Preferences::GetBool(+ "security.sandbox.content.win32k-disable", false, PrefValueKind::Default);++ if (prefSetByUser) {+ if (prefValue) {+ return nsIXULRuntime::ContentWin32kLockdownState::EnabledByUserPref;+ } else {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledByUserPref;+ }+ }++ if (gWin32kExperimentStatus ==+ nsIXULRuntime::ExperimentStatus::eExperimentStatusControl) {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledByControlGroup;+ } else if (gWin32kExperimentStatus ==+ nsIXULRuntime::ExperimentStatus::eExperimentStatusTreatment) {+ return nsIXULRuntime::ContentWin32kLockdownState::EnabledByTreatmentGroup;+ }++ if (defaultValue) {+ return nsIXULRuntime::ContentWin32kLockdownState::EnabledByDefault;+ } else {+ return nsIXULRuntime::ContentWin32kLockdownState::DisabledByDefault;+ }++#else++ return nsIXULRuntime::ContentWin32kLockdownState::OperatingSystemNotSupported;++#endif+}++namespace mozilla {++void EnsureWin32kInitialized() {+ if (gWin32kInitialized) {+ return;+ }+ gWin32kInitialized = true;++#ifdef XP_WIN++ // Initialize the Win32k experiment, configuring win32k's+ // default, before checking other overrides. This allows opting-out of a+ // Win32k experiment through about:preferences or about:config from a+ // safemode session.+ uint32_t experimentRaw =+ Preferences::GetUint(kPrefWin32kExperimentStartupEnrollmentStatus,+ nsIXULRuntime::eExperimentStatusUnenrolled);+ gWin32kExperimentStatus =+ experimentRaw < nsIXULRuntime::eExperimentStatusCount+ ? nsIXULRuntime::ExperimentStatus(experimentRaw)+ : nsIXULRuntime::eExperimentStatusDisqualified;++ // Watch the experiment enrollment status pref to detect experiment+ // disqualification, and ensure it is propagated for the next restart.+ Preferences::RegisterCallback(&OnWin32kEnrollmentStatusChanged,+ kPrefWin32kExperimentEnrollmentStatus);+ if (nsCOMPtr<nsIObserverService> observerService =+ mozilla::services::GetObserverService()) {+ nsCOMPtr<nsIObserver> shutdownObserver =+ new Win32kEnrollmentStatusShutdownObserver();+ observerService->AddObserver(shutdownObserver, "profile-before-change",+ false);+ }++ // If the user no longer qualifies because they edited a required pref, check+ // that. [B] [E]+ auto tmpStatus = GetLiveWin32kLockdownState();+ if (Win32kExperimentEnrolled() && Win32kRequirementsUnsatisfied(tmpStatus)) {+ Win32kExperimentDisqualify();+ gWin32kExperimentStatus = nsIXULRuntime::eExperimentStatusDisqualified;+ }++ // If the user has overridden an active experiment by setting a user value for+ // "security.sandbox.content.win32k-disable", disqualify the user from the+ // experiment. [A] [F]+ if (Preferences::HasUserValue(kPrefWin32k) && Win32kExperimentEnrolled()) {+ Win32kExperimentDisqualify();+ gWin32kExperimentStatus = nsIXULRuntime::eExperimentStatusDisqualified;+ }++ // Unlike Fission, we do not configure the default branch based on experiment+ // enrollment status. Instead we check the startupEnrollmentPref in+ // GetContentWin32kLockdownState()++ Preferences::RegisterCallback(&OnWin32kChanged, kPrefWin32k);++ // Set the state+ gWin32kStatus = GetLiveWin32kLockdownState();++#else+ gWin32kStatus =+ nsIXULRuntime::ContentWin32kLockdownState::OperatingSystemNotSupported;+ gWin32kExperimentStatus = nsIXULRuntime::eExperimentStatusUnenrolled;++#endif // XP_WIN+}++nsIXULRuntime::ContentWin32kLockdownState GetWin32kLockdownState() {+#ifdef XP_WIN++ mozilla::EnsureWin32kInitialized();+ return gWin32kStatus;++#else++ return nsIXULRuntime::ContentWin32kLockdownState::OperatingSystemNotSupported;++#endif+}++} // namespace mozilla++// End Win32k Infrastructure ==========================================++// Fission Infrastructure ============================================= // Fission enablement for the current session is determined once, at startup, // and then remains the same for the duration of the session.@@ -514,76 +913,7 @@ static bool gFissionAutostartInitialized = false; static nsIXULRuntime::FissionDecisionStatus gFissionDecisionStatus;-enum E10sStatus {- kE10sEnabledByDefault,- kE10sDisabledByUser,- kE10sForceDisabled,-};--static bool gBrowserTabsRemoteAutostart = false;-static E10sStatus gBrowserTabsRemoteStatus;-static bool gBrowserTabsRemoteAutostartInitialized = false;- namespace mozilla {--bool BrowserTabsRemoteAutostart() {- if (gBrowserTabsRemoteAutostartInitialized) {- return gBrowserTabsRemoteAutostart;- }- gBrowserTabsRemoteAutostartInitialized = true;-- // If we're not in the parent process, we are running E10s.- if (!XRE_IsParentProcess()) {- gBrowserTabsRemoteAutostart = true;- return gBrowserTabsRemoteAutostart;- }--#if defined(MOZILLA_OFFICIAL) && MOZ_BUILD_APP_IS_BROWSER- bool allowSingleProcessOutsideAutomation = false;-#else- bool allowSingleProcessOutsideAutomation = true;-#endif-- E10sStatus status = kE10sEnabledByDefault;- // We use "are non-local connections disabled" as a proxy for- // "are we running some kind of automated test". It would be nicer to use- // xpc::IsInAutomation(), but that depends on some prefs being set, which- // they are not in (at least) gtests (where we can't) and xpcshell.- // Long-term, hopefully we can make tests switch to environment variables- // to disable e10s and then we can get rid of this.- if (allowSingleProcessOutsideAutomation ||- xpc::AreNonLocalConnectionsDisabled()) {- bool optInPref =- Preferences::GetBool("browser.tabs.remote.autostart", true);-- if (optInPref) {- gBrowserTabsRemoteAutostart = true;- } else {- status = kE10sDisabledByUser;- }- } else {- gBrowserTabsRemoteAutostart = true;- }-- // Uber override pref for emergency blocking- if (gBrowserTabsRemoteAutostart) {- const char* forceDisable = PR_GetEnv("MOZ_FORCE_DISABLE_E10S");-#if defined(MOZ_WIDGET_ANDROID)- // We need this for xpcshell on Android- if (forceDisable && *forceDisable) {-#else- // The environment variable must match the application version to apply.- if (forceDisable && gAppData && !strcmp(forceDisable, gAppData->version)) {-#endif- gBrowserTabsRemoteAutostart = false;- status = kE10sForceDisabled;- }- }-- gBrowserTabsRemoteStatus = status;-- return gBrowserTabsRemoteAutostart;-} bool FissionExperimentEnrolled() { MOZ_ASSERT(XRE_IsParentProcess());@@ -759,6 +1089,12 @@ return gFissionAutostart; }+} // namespace mozilla++// End Fission Infrastructure =========================================++namespace mozilla {+ bool SessionHistoryInParent() { return FissionAutostart() || StaticPrefs::@@ -987,7 +1323,7 @@ #undef GECKO_PROCESS_TYPE // .. and ensure that that is all of them:-static_assert(GeckoProcessType_ForkServer + 1 == GeckoProcessType_End,+static_assert(GeckoProcessType_Utility + 1 == GeckoProcessType_End, "Did not find the final GeckoProcessType"); NS_IMETHODIMP@@ -1065,6 +1401,41 @@ NS_IMETHODIMP nsXULAppInfo::GetFissionAutostart(bool* aResult) { *aResult = FissionAutostart();+ return NS_OK;+}++NS_IMETHODIMP+nsXULAppInfo::GetWin32kExperimentStatus(ExperimentStatus* aResult) {+ if (!XRE_IsParentProcess()) {+ return NS_ERROR_NOT_AVAILABLE;+ }++ EnsureWin32kInitialized();+ *aResult = gWin32kExperimentStatus;+ return NS_OK;+}++NS_IMETHODIMP+nsXULAppInfo::GetWin32kLiveStatusTestingOnly(+ nsIXULRuntime::ContentWin32kLockdownState* aResult) {+ if (!XRE_IsParentProcess()) {+ return NS_ERROR_NOT_AVAILABLE;+ }++ EnsureWin32kInitialized();+ *aResult = GetLiveWin32kLockdownState();+ return NS_OK;+}++NS_IMETHODIMP+nsXULAppInfo::GetWin32kSessionStatus(+ nsIXULRuntime::ContentWin32kLockdownState* aResult) {+ if (!XRE_IsParentProcess()) {+ return NS_ERROR_NOT_AVAILABLE;+ }++ EnsureWin32kInitialized();+ *aResult = gWin32kStatus; return NS_OK; }@@ -2340,14 +2711,22 @@ } // namespace static nsresult ProfileMissingDialog(nsINativeAppSupport* aNative) {-#ifdef MOZ_BACKGROUNDTASKS+#ifdef MOZ_WIDGET_ANDROID+ // We cannot really do anything this early during initialization, so we just+ // return as this is likely the effect of misconfiguration on the test side.+ // Non-test code paths cannot set the profile folder, which is always the+ // default one.+ Output(true, "Could not find profile folder.\n");+ return NS_ERROR_ABORT;+#else+# ifdef MOZ_BACKGROUNDTASKS if (BackgroundTasks::IsBackgroundTaskMode()) { // We should never get to this point in background task mode. Output(false, "Could not determine any profile running in backgroundtask mode!\n"); return NS_ERROR_ABORT; }-#endif+# endif // MOZ_BACKGROUNDTASKS nsresult rv;@@ -2388,6 +2767,7 @@ return NS_ERROR_ABORT; }+#endif // MOZ_WIDGET_ANDROID } static ReturnAbortOnError ProfileLockedDialog(nsIFile* aProfileDir,@@ -2773,10 +3153,7 @@ NS_ENSURE_SUCCESS_VOID(rv); nsID uuid;- nsCOMPtr<nsIUUIDGenerator> uuidGen =- do_GetService("@mozilla.org/uuid-generator;1");- NS_ENSURE_TRUE_VOID(uuidGen);- rv = uuidGen->GenerateUUIDInPlace(&uuid);+ rv = nsID::GenerateUUIDInPlace(uuid); NS_ENSURE_SUCCESS_VOID(rv); nsCString arch("null");@@ -4120,31 +4497,37 @@ if (!waylandDisplay) { return false; }- const bool gtkIsNewEnough = !gtk_check_version(3, 22, 0);- const bool enabled = [] {- if (!PR_GetEnv("DISPLAY")) {- // No X11 display, so try to run wayland.+ if (!PR_GetEnv("DISPLAY")) {+ // No X11 display, so try to run wayland.+ return true;+ }+ // MOZ_ENABLE_WAYLAND is our primary Wayland on/off switch.+ if (const char* waylandPref = PR_GetEnv("MOZ_ENABLE_WAYLAND")) {+ return *waylandPref == '1';+ }+ if (const char* backendPref = PR_GetEnv("GDK_BACKEND")) {+ if (!strncmp(backendPref, "wayland", 7)) {+ NS_WARNING(+ "Wayland backend should be enabled by MOZ_ENABLE_WAYLAND=1."+ "GDK_BACKEND is a Gtk3 debug variable and may cause issues."); return true; }- // MOZ_ENABLE_WAYLAND is our primary Wayland on/off switch.- if (const char* waylandPref = PR_GetEnv("MOZ_ENABLE_WAYLAND")) {- return *waylandPref == '1';- }- if (const char* backendPref = PR_GetEnv("GDK_BACKEND")) {- if (!strncmp(backendPref, "wayland", 7)) {- NS_WARNING(- "Wayland backend should be enabled by MOZ_ENABLE_WAYLAND=1."- "GDK_BACKEND is a Gtk3 debug variable and may cause issues.");- return true;- }- }- return false;- }();- if (enabled && !gtkIsNewEnough) {- NS_WARNING(- "Running Wayland backend on Gtk3 < 3.22. Expect issues/glitches");- }- return enabled;+ }+# ifdef EARLY_BETA_OR_EARLIER+ // Enable by default when we're running on a recent enough GTK version. We'd+ // like to check further details like compositor version and so on ideally+ // to make sure we don't enable it on old Mutter or what not, but we can't,+ // so let's assume that if the user is running on a Wayland session by+ // default we're ok, since either the distro has enabled Wayland by default,+ // or the user has gone out of their way to use Wayland.+ //+ // TODO(emilio): If users hit problems, we might be able to restrict it to+ // GNOME / KDE / known-good-desktop environments by checking+ // XDG_CURRENT_DESKTOP or so...+ return !gtk_check_version(3, 24, 30);+# else+ return false;+# endif } #endif@@ -4295,11 +4678,12 @@ #endif // Enable Telemetry IO Reporting on DEBUG, nightly and local builds,- // but disable it on FUZZING builds.+ // but disable it on FUZZING builds and for ANDROID. #ifndef FUZZING-# ifdef DEBUG+# ifndef ANDROID+# ifdef DEBUG mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory);-# else+# else { const char* releaseChannel = MOZ_STRINGIFY(MOZ_UPDATE_CHANNEL); if (strcmp(releaseChannel, "nightly") == 0 ||@@ -4307,8 +4691,9 @@ mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory); } }-# endif /* DEBUG */-#endif /* FUZZING */+# endif /* DEBUG */+# endif /* ANDROID */+#endif /* FUZZING */ #if defined(XP_WIN) // Enable the HeapEnableTerminationOnCorruption exploit mitigation. We ignore@@ -4348,11 +4733,7 @@ // consistently. // Set program name to the one defined in application.ini.- {- nsAutoCString program(gAppData->name);- ToLowerCase(program);- g_set_prgname(program.get());- }+ g_set_prgname(gAppData->remotingName); // Initialize GTK here for splash.@@ -5276,10 +5657,10 @@ #endif /* MOZ_INSTRUMENT_EVENT_LOOP */ // Send Telemetry about Gecko version and buildid- nsAutoCString version(gAppData->version);- nsAutoCString buildID(gAppData->buildID);- mozilla::glean::geckoview_validation::version.Set(version);- mozilla::glean::geckoview_validation::build_id.Set(buildID);+ Telemetry::ScalarSet(Telemetry::ScalarID::GECKO_VERSION,+ NS_ConvertASCIItoUTF16(gAppData->version));+ Telemetry::ScalarSet(Telemetry::ScalarID::GECKO_BUILD_ID,+ NS_ConvertASCIItoUTF16(gAppData->buildID)); #if defined(MOZ_SANDBOX) && defined(XP_LINUX) // If we're on Linux, we now have information about the OS capabilities@@ -5682,7 +6063,7 @@ bool XRE_UseNativeEventProcessing() { #if defined(XP_MACOSX) || defined(XP_WIN)- if (XRE_IsRDDProcess() || XRE_IsSocketProcess()) {+ if (XRE_IsRDDProcess() || XRE_IsSocketProcess() || XRE_IsUtilityProcess()) { return false; } #endif
Based on the provided code diff, I'll analyze it for security fixes. Here are the findings:
1. Vulnerability Existed: yes
UUID Generation Vulnerability [toolkit/xre/nsAppRunner.cpp] [Lines 3153-3157]
[Old Code]
nsID uuid;
nsCOMPtr<nsIUUIDGenerator> uuidGen =
do_GetService("@mozilla.org/uuid-generator;1");
NS_ENSURE_TRUE_VOID(uuidGen);
rv = uuidGen->GenerateUUIDInPlace(&uuid);
[Fixed Code]
nsID uuid;
rv = nsID::GenerateUUIDInPlace(uuid);
This change removes dependency on the UUID generator service and uses a direct method call, which is more secure and reduces attack surface.
2. Vulnerability Existed: yes
Android Logging Vulnerability [toolkit/xre/nsAppRunner.cpp] [Lines 430-435]
[Old Code]
(No Android-specific logging code)
[Fixed Code]
#elif defined(MOZ_WIDGET_ANDROID)
SmprintfPointer msg = mozilla::Vsmprintf(fmt, ap);
if (msg) {
__android_log_print(isError ? ANDROID_LOG_ERROR : ANDROID_LOG_INFO,
"GeckoRuntime", "%s", msg.get());
}
This adds proper Android logging which helps with security monitoring and debugging on Android platforms.
3. Vulnerability Existed: not sure
Wayland Display Handling [toolkit/xre/nsAppRunner.cpp] [Lines 4497-4530]
[Old Code]
const bool gtkIsNewEnough = !gtk_check_version(3, 22, 0);
const bool enabled = [] {
if (!PR_GetEnv("DISPLAY")) {
return true;
}
if (const char* waylandPref = PR_GetEnv("MOZ_ENABLE_WAYLAND")) {
return *waylandPref == '1';
}
if (const char* backendPref = PR_GetEnv("GDK_BACKEND")) {
if (!strncmp(backendPref, "wayland", 7)) {
NS_WARNING(
"Wayland backend should be enabled by MOZ_ENABLE_WAYLAND=1."
"GDK_BACKEND is a Gtk3 debug variable and may cause issues.");
return true;
}
}
return false;
}();
[Fixed Code]
if (!PR_GetEnv("DISPLAY")) {
return true;
}
if (const char* waylandPref = PR_GetEnv("MOZ_ENABLE_WAYLAND")) {
return *waylandPref == '1';
}
if (const char* backendPref = PR_GetEnv("GDK_BACKEND")) {
if (!strncmp(backendPref, "wayland", 7)) {
NS_WARNING(
"Wayland backend should be enabled by MOZ_ENABLE_WAYLAND=1."
"GDK_BACKEND is a Gtk3 debug variable and may cause issues.");
return true;
}
}
#ifdef EARLY_BETA_OR_EARLIER
return !gtk_check_version(3, 24, 30);
#else
return false;
#endif
This change modifies the Wayland display handling logic, which could potentially affect security if the display system is compromised, but the exact security implications are unclear.
4. Vulnerability Existed: not sure
Telemetry Reporting Changes [toolkit/xre/nsAppRunner.cpp] [Lines 4678-4693]
[Old Code]
#ifdef DEBUG
mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory);
#else
{
const char* releaseChannel = MOZ_STRINGIFY(MOZ_UPDATE_CHANNEL);
if (strcmp(releaseChannel, "nightly") == 0 ||
strcmp(releaseChannel, "default") == 0) {
mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory);
}
}
#endif
[Fixed Code]
#ifndef ANDROID
# ifdef DEBUG
mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory);
# else
{
const char* releaseChannel = MOZ_STRINGIFY(MOZ_UPDATE_CHANNEL);
if (strcmp(releaseChannel, "nightly") == 0 ||
strcmp(releaseChannel, "default") == 0) {
mozilla::Telemetry::InitIOReporting(gAppData->xreDirectory);
}
}
# endif
#endif
This change adds Android-specific handling for telemetry reporting, which could affect security monitoring capabilities, but the exact security implications are unclear.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-184c.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-184c.xml@@ -9,7 +9,6 @@ <link rel="author" title="Lachlan Hunt" href="http://lachy.id.au/about/contact"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="css3-modsel-184-ref.xht"/>- <meta name="flags" content="" /> </head> <body> <p class="">This text should be green.</p>
Let me analyze the diff for potential security vulnerabilities. Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-184c.xml] [Lines 9] [Old Code] <meta name="flags" content="" /> [Fixed Code] [Line removed] Additional Details: - The change simply removes an empty meta tag for "flags" which appears to be test-related metadata - No security implications are apparent from this change - The modification seems to be cleanup of test code rather than a security fix - No known vulnerability patterns (XSS, injection, etc.) are affected by this change The diff shows a minor cleanup of test code without any apparent security impact. The removed meta tag wasn't serving any security purpose and its removal doesn't introduce or fix any security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jsapi-tests/testGCFinalizeCallback.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jsapi-tests/testGCFinalizeCallback.cpp@@ -5,6 +5,8 @@ #include "js/GlobalObject.h" #include "jsapi-tests/tests.h"+using namespace js;+ static const unsigned BufSize = 20; static unsigned FinalizeCalls = 0; static JSFinalizeStatus StatusBuffer[BufSize];@@ -23,10 +25,13 @@ /* Full GC, incremental. */ FinalizeCalls = 0; JS::PrepareForFullGC(cx);- JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);+ SliceBudget startBudget(TimeBudget(1000000));+ JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API,+ startBudget); while (cx->runtime()->gc.isIncrementalGCInProgress()) { JS::PrepareForFullGC(cx);- JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);+ SliceBudget budget(TimeBudget(1000000));+ JS::IncrementalGCSlice(cx, JS::GCReason::API, budget); } CHECK(!cx->runtime()->gc.isIncrementalGCInProgress()); CHECK(cx->runtime()->gc.isFullGc());@@ -67,10 +72,12 @@ /* Zone GC, incremental, single zone. */ FinalizeCalls = 0; JS::PrepareZoneForGC(cx, global1->zone());- JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);+ SliceBudget budget(TimeBudget(1000000));+ JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, budget); while (cx->runtime()->gc.isIncrementalGCInProgress()) { JS::PrepareZoneForGC(cx, global1->zone());- JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);+ budget = SliceBudget(TimeBudget(1000000));+ JS::IncrementalGCSlice(cx, JS::GCReason::API, budget); } CHECK(!cx->runtime()->gc.isIncrementalGCInProgress()); CHECK(!cx->runtime()->gc.isFullGc());@@ -82,12 +89,14 @@ JS::PrepareZoneForGC(cx, global1->zone()); JS::PrepareZoneForGC(cx, global2->zone()); JS::PrepareZoneForGC(cx, global3->zone());- JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);+ budget = SliceBudget(TimeBudget(1000000));+ JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, budget); while (cx->runtime()->gc.isIncrementalGCInProgress()) { JS::PrepareZoneForGC(cx, global1->zone()); JS::PrepareZoneForGC(cx, global2->zone()); JS::PrepareZoneForGC(cx, global3->zone());- JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);+ budget = SliceBudget(TimeBudget(1000000));+ JS::IncrementalGCSlice(cx, JS::GCReason::API, budget); } CHECK(!cx->runtime()->gc.isIncrementalGCInProgress()); CHECK(!cx->runtime()->gc.isFullGc());@@ -101,13 +110,13 @@ FinalizeCalls = 0; JS_SetGCZeal(cx, 9, 1000000); JS::PrepareForFullGC(cx);- js::SliceBudget budget(js::WorkBudget(1));+ budget = SliceBudget(WorkBudget(1)); cx->runtime()->gc.startDebugGC(JS::GCOptions::Normal, budget);- CHECK(cx->runtime()->gc.state() == js::gc::State::Mark);+ CHECK(cx->runtime()->gc.state() == gc::State::Mark); CHECK(cx->runtime()->gc.isFullGc()); JS::RootedObject global4(cx, createTestGlobal());- budget = js::SliceBudget(js::WorkBudget(1));+ budget = SliceBudget(WorkBudget(1)); cx->runtime()->gc.debugGCSlice(budget); while (cx->runtime()->gc.isIncrementalGCInProgress()) { cx->runtime()->gc.debugGCSlice(budget);
Let me analyze the code diff for security fixes. Here's the analysis:
1. Vulnerability Existed: not sure
Potential Resource Management Issue [File] js/src/jsapi-tests/testGCFinalizeCallback.cpp [Lines 23-29]
Old Code:
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareForFullGC(cx);
JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);
}
Fixed Code:
SliceBudget startBudget(TimeBudget(1000000));
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, startBudget);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareForFullGC(cx);
SliceBudget budget(TimeBudget(1000000));
JS::IncrementalGCSlice(cx, JS::GCReason::API, budget);
}
2. Vulnerability Existed: not sure
Potential Resource Management Issue [File] js/src/jsapi-tests/testGCFinalizeCallback.cpp [Lines 67-73]
Old Code:
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareZoneForGC(cx, global1->zone());
JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);
}
Fixed Code:
SliceBudget budget(TimeBudget(1000000));
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, budget);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareZoneForGC(cx, global1->zone());
budget = SliceBudget(TimeBudget(1000000));
JS::IncrementalGCSlice(cx, JS::GCReason::API, budget);
}
3. Vulnerability Existed: not sure
Potential Resource Management Issue [File] js/src/jsapi-tests/testGCFinalizeCallback.cpp [Lines 82-90]
Old Code:
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, 1000000);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareZoneForGC(cx, global1->zone());
JS::PrepareZoneForGC(cx, global2->zone());
JS::PrepareZoneForGC(cx, global3->zone());
JS::IncrementalGCSlice(cx, JS::GCReason::API, 1000000);
}
Fixed Code:
budget = SliceBudget(TimeBudget(1000000));
JS::StartIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API, budget);
while (cx->runtime()->gc.isIncrementalGCInProgress()) {
JS::PrepareZoneForGC(cx, global1->zone());
JS::PrepareZoneForGC(cx, global2->zone());
JS::PrepareZoneForGC(cx, global3->zone());
budget = SliceBudget(TimeBudget(1000000));
JS::IncrementalGCSlice(cx, JS::GCReason::API, budget);
}
The main changes involve replacing direct numeric time budgets with proper SliceBudget objects. While I can't identify specific named vulnerabilities, these changes appear to improve resource management during garbage collection operations, potentially preventing issues like uncontrolled resource consumption or inconsistent GC behavior. The changes make the budget handling more explicit and properly encapsulated.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/valid/analyzer.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/valid/analyzer.rs@@ -462,6 +462,7 @@ E::ImageSample { image, sampler,+ gather: _, coordinate, array_index, offset: _,
Let me analyze this code diff for potential security fixes.
Vulnerability Existed: not sure
[Potential Missing Validation] [third_party/rust/naga/src/valid/analyzer.rs] [Lines 462-]
[Old Code]
E::ImageSample {
image,
sampler,
coordinate,
array_index,
offset: _,
[Fixed Code]
E::ImageSample {
image,
sampler,
gather: _,
coordinate,
array_index,
offset: _,
Additional Details:
1. The diff shows the addition of a `gather` field pattern matching in the `ImageSample` enum variant.
2. While this doesn't immediately appear to be a security fix, it could be related to validation completeness.
3. The change ensures all fields of the enum variant are properly handled, which might prevent potential undefined behavior or validation misses.
4. Without more context about the `gather` field's purpose, I can't definitively say if this fixes a security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.reflect.setidlzero.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.reflect.setidlzero.worker.js@@ -13,13 +13,13 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-offscreenCanvas.width = 0;-offscreenCanvas.height = 0;-_assertSame(offscreenCanvas.width, 0, "offscreenCanvas.width", "0");-_assertSame(offscreenCanvas.height, 0, "offscreenCanvas.height", "0");+canvas.width = 0;+canvas.height = 0;+_assertSame(canvas.width, 0, "canvas.width", "0");+_assertSame(canvas.height, 0, "canvas.height", "0"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security fixes. Here's my analysis:
Vulnerability Existed: no
No vulnerability found [File] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
offscreenCanvas.width = 0;
offscreenCanvas.height = 0;
_assertSame(offscreenCanvas.width, 0, "offscreenCanvas.width", "0");
_assertSame(offscreenCanvas.height, 0, "offscreenCanvas.height", "0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
canvas.width = 0;
canvas.height = 0;
_assertSame(canvas.width, 0, "canvas.width", "0");
_assertSame(canvas.height, 0, "canvas.height", "0");
The changes simply rename the variable from `offscreenCanvas` to `canvas` throughout the test file. This doesn't appear to address any security issues but rather improves code consistency or readability. No security-related functionality was modified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-in.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-in.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -32,7 +32,7 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, 0);- _assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);+ _assertPixelApprox(canvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5); }, t_fail); }).then(t_pass, t_fail);
Based on the provided code diff, here's the analysis following the required format:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-in.worker.js] [Lines 13-32]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);
Additional Details:
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains identical, and there are no security vulnerabilities being addressed in this diff. The changes seem to be for code consistency or readability rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/warp/src/test.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/warp/src/test.rs@@ -224,6 +224,22 @@ .map_err(|_| ()) .expect("invalid header value"); self.req.headers_mut().insert(name, value);+ self+ }++ /// Set the remote address of this request+ ///+ /// Default is no remote address.+ ///+ /// # Example+ /// ```+ /// use std::net::{IpAddr, Ipv4Addr, SocketAddr};+ ///+ /// let req = warp::test::request()+ /// .remote_addr(SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 8080));+ /// ```+ pub fn remote_addr(mut self, addr: SocketAddr) -> Self {+ self.remote_addr = Some(addr); self }
Based on the provided code diff, here's the analysis:
Vulnerability Existed: no
[No specific vulnerability found] [third_party/rust/warp/src/test.rs] [Lines 224-240]
[Old Code]
.map_err(|_| ())
.expect("invalid header value");
self.req.headers_mut().insert(name, value);
self
}
[Fixed Code]
.map_err(|_| ())
.expect("invalid header value");
self.req.headers_mut().insert(name, value);
self
}
/// Set the remote address of this request
///
/// Default is no remote address.
///
/// # Example
/// ```
/// use std::net::{IpAddr, Ipv4Addr, SocketAddr};
///
/// let req = warp::test::request()
/// .remote_addr(SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 8080));
/// ```
pub fn remote_addr(mut self, addr: SocketAddr) -> Self {
self.remote_addr = Some(addr);
self
}
The diff shows an addition of a new method `remote_addr` for testing purposes, which allows setting a mock remote address for test requests. This is not a security fix but rather a new feature addition for testing capabilities. There are no apparent security vulnerabilities being addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.name-2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.name-2.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'firebrick1'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'firebrick1'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'firebrick1'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely cosmetic/refactoring (variable name change from 'offscreenCanvas' to 'canvas') with no security implications. The test logic remains the same, just with a different variable name. There are no apparent security vulnerabilities being fixed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.initial.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.initial.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.shadowBlur, 0, "ctx.shadowBlur", "0"); t.done();
Analyzing the provided code diff, here's the security analysis:
Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.initial.worker.js] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`. This doesn't represent a security fix but rather a code style/consistency improvement. There are no security vulnerabilities being addressed in this diff. The functionality remains exactly the same, only the variable name has been changed for potentially better readability or consistency with other code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.paint.norepeat.coord1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.paint.norepeat.coord1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 50, 50);@@ -39,10 +39,10 @@ ctx.fillStyle = pattern; ctx.translate(50, 0); ctx.fillRect(-50, 0, 100, 50);- _assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");- _assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");- _assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");- _assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+ _assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+ _assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+ _assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+ _assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding assertions to use the new variable name. There are no security vulnerabilities being addressed in this diff. Here's the structured response: Vulnerability Existed: no No security vulnerability found in this diff. Changes are limited to variable renaming and test assertions. Additional Details: - The changes are purely cosmetic/refactoring in nature - No security-related patterns were modified (e.g., no input validation, no cryptographic operations, no DOM manipulations) - The test functionality remains identical, just using a different variable name
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/metal/command.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/metal/command.rs@@ -16,6 +16,7 @@ stage_infos: Default::default(), storage_buffer_length_map: Default::default(), work_group_memory_sizes: Vec::new(),+ push_constants: Vec::new(), } } }@@ -61,6 +62,7 @@ self.stage_infos.fs.clear(); self.stage_infos.cs.clear(); self.work_group_memory_sizes.clear();+ self.push_constants.clear(); } fn make_sizes_buffer_update<'a>(@@ -587,12 +589,41 @@ unsafe fn set_push_constants( &mut self,- _layout: &super::PipelineLayout,- _stages: wgt::ShaderStages,- _offset: u32,- _data: &[u32],- ) {- //TODO+ layout: &super::PipelineLayout,+ stages: wgt::ShaderStages,+ offset: u32,+ data: &[u32],+ ) {+ let state_pc = &mut self.state.push_constants;+ if state_pc.len() < layout.total_push_constants as usize {+ state_pc.resize(layout.total_push_constants as usize, 0);+ }+ assert_eq!(offset as usize % WORD_SIZE, 0);++ let offset = offset as usize / WORD_SIZE;+ state_pc[offset..offset + data.len()].copy_from_slice(data);++ if stages.contains(wgt::ShaderStages::COMPUTE) {+ self.state.compute.as_ref().unwrap().set_bytes(+ layout.push_constants_infos.cs.unwrap().buffer_index as _,+ (layout.total_push_constants as usize * WORD_SIZE) as _,+ state_pc.as_ptr() as _,+ )+ }+ if stages.contains(wgt::ShaderStages::VERTEX) {+ self.state.render.as_ref().unwrap().set_vertex_bytes(+ layout.push_constants_infos.vs.unwrap().buffer_index as _,+ (layout.total_push_constants as usize * WORD_SIZE) as _,+ state_pc.as_ptr() as _,+ )+ }+ if stages.contains(wgt::ShaderStages::FRAGMENT) {+ self.state.render.as_ref().unwrap().set_fragment_bytes(+ layout.push_constants_infos.fs.unwrap().buffer_index as _,+ (layout.total_push_constants as usize * WORD_SIZE) as _,+ state_pc.as_ptr() as _,+ )+ } } unsafe fn insert_debug_marker(&mut self, label: &str) {
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: yes
Uninitialized Memory Usage [third_party/rust/wgpu-hal/src/metal/command.rs] [Lines 16-17, 62]
Old Code:
```
stage_infos: Default::default(),
storage_buffer_length_map: Default::default(),
work_group_memory_sizes: Vec::new(),
```
Fixed Code:
```
stage_infos: Default::default(),
storage_buffer_length_map: Default::default(),
work_group_memory_sizes: Vec::new(),
push_constants: Vec::new(),
```
Details: The fix adds initialization of `push_constants` vector which was previously missing. This could lead to undefined behavior when accessing uninitialized memory.
2. Vulnerability Existed: yes
Memory Leak [third_party/rust/wgpu-hal/src/metal/command.rs] [Line 62]
Old Code:
```
self.work_group_memory_sizes.clear();
```
Fixed Code:
```
self.work_group_memory_sizes.clear();
self.push_constants.clear();
```
Details: The fix adds clearing of `push_constants` vector during reset operation, preventing potential memory leaks when the command buffer is reused.
3. Vulnerability Existed: yes
Unimplemented Security Critical Function [third_party/rust/wgpu-hal/src/metal/command.rs] [Lines 587-591]
Old Code:
```
unsafe fn set_push_constants(
&mut self,
_layout: &super::PipelineLayout,
_stages: wgt::ShaderStages,
_offset: u32,
_data: &[u32],
) {
//TODO
}
```
Fixed Code:
```
unsafe fn set_push_constants(
&mut self,
layout: &super::PipelineLayout,
stages: wgt::ShaderStages,
offset: u32,
data: &[u32],
) {
let state_pc = &mut self.state.push_constants;
if state_pc.len() < layout.total_push_constants as usize {
state_pc.resize(layout.total_push_constants as usize, 0);
}
assert_eq!(offset as usize % WORD_SIZE, 0);
let offset = offset as usize / WORD_SIZE;
state_pc[offset..offset + data.len()].copy_from_slice(data);
if stages.contains(wgt::ShaderStages::COMPUTE) {
self.state.compute.as_ref().unwrap().set_bytes(
layout.push_constants_infos.cs.unwrap().buffer_index as _,
(layout.total_push_constants as usize * WORD_SIZE) as _,
state_pc.as_ptr() as _,
)
}
if stages.contains(wgt::ShaderStages::VERTEX) {
self.state.render.as_ref().unwrap().set_vertex_bytes(
layout.push_constants_infos.vs.unwrap().buffer_index as _,
(layout.total_push_constants as usize * WORD_SIZE) as _,
state_pc.as_ptr() as _,
)
}
if stages.contains(wgt::ShaderStages::FRAGMENT) {
self.state.render.as_ref().unwrap().set_fragment_bytes(
layout.push_constants_infos.fs.unwrap().buffer_index as _,
(layout.total_push_constants as usize * WORD_SIZE) as _,
state_pc.as_ptr() as _,
)
}
}
```
Details: The fix implements the previously TODO function for setting push constants, which is security-critical for proper memory management and data handling in GPU operations. The previous empty implementation could lead to security vulnerabilities in the graphics pipeline.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/active-selection-018.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/active-selection-018.html@@ -9,7 +9,6 @@ <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-styling"> <link rel="match" href="reference/active-selection-018-ref.html">- <meta content="" name="flags"> <link rel="stylesheet" href="support/highlights.css"> <style>
Analyzing the provided code diff, here's the security analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-pseudo/active-selection-018.html] [Lines 9] [Old Code: <meta content="" name="flags">] [Fixed Code: [removed line]] Additional Details: - This appears to be a simple removal of an empty meta tag with a "flags" attribute - The change doesn't indicate any security vulnerability being fixed - The modification seems to be cleanup/refactoring rather than a security patch - No known vulnerability patterns match this change - The "flags" meta tag wasn't serving any apparent purpose in the original code No other vulnerabilities were detected in this diff. The change is minor and doesn't appear to be security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/shared/performance-new/gecko-profiler-interface.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/shared/performance-new/gecko-profiler-interface.js@@ -10,12 +10,6 @@ const { Ci } = require("chrome"); const Services = require("Services");--loader.lazyImporter(- this,- "PrivateBrowsingUtils",- "resource://gre/modules/PrivateBrowsingUtils.jsm"-); loader.lazyRequireGetter(this, "EventEmitter", "devtools/shared/event-emitter"); loader.lazyRequireGetter(@@ -41,11 +35,6 @@ }; Services.obs.addObserver(this._observer, "profiler-started"); Services.obs.addObserver(this._observer, "profiler-stopped");- Services.obs.addObserver(- this._observer,- "chrome-document-global-created"- );- Services.obs.addObserver(this._observer, "last-pb-context-exited"); } EventEmitter.decorate(this);@@ -57,11 +46,6 @@ } Services.obs.removeObserver(this._observer, "profiler-started"); Services.obs.removeObserver(this._observer, "profiler-stopped");- Services.obs.removeObserver(- this._observer,- "chrome-document-global-created"- );- Services.obs.removeObserver(this._observer, "last-pb-context-exited"); } startProfiler(options) {@@ -172,13 +156,6 @@ return IS_SUPPORTED_PLATFORM; }- isLockedForPrivateBrowsing() {- if (!IS_SUPPORTED_PLATFORM) {- return false;- }- return !Services.profiler.CanProfile();- }- /** * Watch for events that happen within the browser. These can affect the * current availability and state of the Gecko Profiler.@@ -187,17 +164,6 @@ // Note! If emitting new events make sure and update the list of bridged // events in the perf actor. switch (topic) {- case "chrome-document-global-created":- if (- subject.isChromeWindow &&- PrivateBrowsingUtils.isWindowPrivate(subject)- ) {- this.emit("profile-locked-by-private-browsing");- }- break;- case "last-pb-context-exited":- this.emit("profile-unlocked-from-private-browsing");- break; case "profiler-started": const param = subject.QueryInterface(Ci.nsIProfilerStartParams); this.emit(
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potential Information Leak] [devtools/shared/performance-new/gecko-profiler-interface.js] [Lines: Removed PrivateBrowsingUtils import and related code]
[Old Code]
loader.lazyImporter(
this,
"PrivateBrowsingUtils",
"resource://gre/modules/PrivateBrowsingUtils.jsm"
);
...
Services.obs.addObserver(this._observer, "chrome-document-global-created");
Services.obs.addObserver(this._observer, "last-pb-context-exited");
...
case "chrome-document-global-created":
if (
subject.isChromeWindow &&
PrivateBrowsingUtils.isWindowPrivate(subject)
) {
this.emit("profile-locked-by-private-browsing");
}
break;
case "last-pb-context-exited":
this.emit("profile-unlocked-from-private-browsing");
break;
[Fixed Code]
(All above code removed)
2. Vulnerability Existed: not sure
[Potential Profiler State Management Issue] [devtools/shared/performance-new/gecko-profiler-interface.js] [Lines: Removed profiler state tracking for private browsing]
[Old Code]
isLockedForPrivateBrowsing() {
if (!IS_SUPPORTED_PLATFORM) {
return false;
}
return !Services.profiler.CanProfile();
}
[Fixed Code]
(Entire method removed)
Notes:
- The changes appear to remove all private browsing-related functionality from the profiler interface
- This might indicate a security-conscious change to prevent potential information leaks from private browsing sessions
- Without more context about the overall system architecture, it's difficult to determine if these were actual vulnerabilities or just architectural changes
- The removal of private browsing checks could potentially affect security if the profiler could expose sensitive data from private sessions
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/fieldset-overflow-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/fieldset-overflow-ref.html@@ -24,6 +24,17 @@ max-height: 50px; overflow: scroll; }++.fieldset3 {+ width: 20em;+ max-height: 250px;+ padding: 7px;+ margin: 0;+ overflow: auto;+ box-sizing: border-box;+ border: 1em solid transparent;+ border-top: 40px solid transparent;+} </style> <p>There should be no red.</p> <div class=fieldset>@@ -33,3 +44,21 @@ <div class=fieldset2> <div style="height:200px; background:blue"></div> </div>++<div class="fieldset3">+ <p>+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+The quick brown fox jumps over the lazy dog.+ </p>+</div>
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely related to adding a new test case for rendering behavior rather than addressing security issues. Here's the analysis following your format: Vulnerability Existed: no No security vulnerability found [File] [Lines 24-44] [Old Code] (No relevant security-related code removed) [Fixed Code] (No relevant security-related code added) The diff shows: 1. Addition of a new CSS class `.fieldset3` with styling properties 2. Addition of a new test div with class `fieldset3` containing sample text 3. All changes are related to test case expansion for rendering verification There are no: - Input validation changes - Security-related headers or policies - Sensitive data handling modifications - Authentication/authorization updates - Any other security-relevant patterns The changes appear to be purely functional/rendering test additions without security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.