Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/Selection.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/Selection.cpp@@ -1809,7 +1809,9 @@ nsPresContext* presContext = aFrame->PresContext(); RefPtr<PresShell> presShell = presContext->PresShell(); nsRootPresContext* rootPC = presContext->GetRootPresContext();- if (!rootPC) return NS_OK;+ if (!rootPC) {+ return NS_OK;+ } nsIFrame* rootmostFrame = rootPC->PresShell()->GetRootFrame(); AutoWeakFrame weakRootFrame(rootmostFrame); AutoWeakFrame weakFrame(aFrame);@@ -1827,22 +1829,18 @@ return NS_OK; } if (!didScroll && !done) {- // If aPoint is at the screen edge then try to scroll anyway, once.- RefPtr<nsDeviceContext> dx =- presShell->GetViewManager()->GetDeviceContext();- nsRect screen;- dx->GetRect(screen);- nsPoint screenPoint =- globalPoint + rootmostFrame->GetScreenRectInAppUnits().TopLeft();+ // If aPoint is at the very edge of the root, then try to scroll anyway,+ // once.+ nsRect rootRect = rootmostFrame->GetRect(); nscoord onePx = AppUnitsPerCSSPixel(); nscoord scrollAmount = 10 * onePx;- if (std::abs(screen.x - screenPoint.x) <= onePx) {+ if (std::abs(rootRect.x - globalPoint.x) <= onePx) { aPoint.x -= scrollAmount;- } else if (std::abs(screen.XMost() - screenPoint.x) <= onePx) {+ } else if (std::abs(rootRect.XMost() - globalPoint.x) <= onePx) { aPoint.x += scrollAmount;- } else if (std::abs(screen.y - screenPoint.y) <= onePx) {+ } else if (std::abs(rootRect.y - globalPoint.y) <= onePx) { aPoint.y -= scrollAmount;- } else if (std::abs(screen.YMost() - screenPoint.y) <= onePx) {+ } else if (std::abs(rootRect.YMost() - globalPoint.y) <= onePx) { aPoint.y += scrollAmount; } else { break;@@ -1856,8 +1854,7 @@ // Start the AutoScroll timer if necessary. // `ScrollFrameRectIntoView` above may have run script and this may have // forbidden to continue scrolling.- if (didScroll &&- (mFurtherScrollingAllowed == FurtherScrollingAllowed::kYes)) {+ if (didScroll && mFurtherScrollingAllowed == FurtherScrollingAllowed::kYes) { nsPoint presContextPoint = globalPoint - presShell->GetRootFrame()->GetOffsetToCrossDoc(rootmostFrame);
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Information Leak] [dom/base/Selection.cpp] [Lines 1827-1845]
[Old Code]
RefPtr<nsDeviceContext> dx = presShell->GetViewManager()->GetDeviceContext();
nsRect screen;
dx->GetRect(screen);
nsPoint screenPoint = globalPoint + rootmostFrame->GetScreenRectInAppUnits().TopLeft();
[Fixed Code]
nsRect rootRect = rootmostFrame->GetRect();
Additional Details: The change removes access to screen coordinates and device context information, potentially addressing an information leak concern by using only the root frame's rectangle instead of screen coordinates.
2. Vulnerability Existed: not sure
[Potential Timing Side Channel] [dom/base/Selection.cpp] [Lines 1856-1858]
[Old Code]
if (didScroll &&
(mFurtherScrollingAllowed == FurtherScrollingAllowed::kYes)) {
[Fixed Code]
if (didScroll && mFurtherScrollingAllowed == FurtherScrollingAllowed::kYes) {
Additional Details: The change simplifies the condition check, which might reduce timing variations in the comparison operation, though it's unclear if this was the actual motivation for the change.
Note: While these changes could potentially address security concerns, the diff doesn't clearly indicate specific vulnerabilities being fixed. The modifications appear to be more about code robustness and simplification than explicit security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-types/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-types/src/lib.rs@@ -505,13 +505,13 @@ /// /// This is a native-only feature. const VERTEX_WRITABLE_STORAGE = 1 << 36;- /// Enables clear to zero for buffers & textures.+ /// Enables clear to zero for textures. /// /// Supported platforms: /// - All /// /// This is a native only feature.- const CLEAR_COMMANDS = 1 << 37;+ const CLEAR_TEXTURE = 1 << 37; /// Enables creating shader modules from SPIR-V binary data (unsafe). /// /// SPIR-V data is not parsed or interpreted in any way; you can use@@ -628,9 +628,9 @@ pub max_sampled_textures_per_shader_stage: u32, /// Amount of samplers visible in a single shader stage. Defaults to 16. Higher is "better". pub max_samplers_per_shader_stage: u32,- /// Amount of storage buffers visible in a single shader stage. Defaults to 4. Higher is "better".+ /// Amount of storage buffers visible in a single shader stage. Defaults to 8. Higher is "better". pub max_storage_buffers_per_shader_stage: u32,- /// Amount of storage textures visible in a single shader stage. Defaults to 4. Higher is "better".+ /// Amount of storage textures visible in a single shader stage. Defaults to 8. Higher is "better". pub max_storage_textures_per_shader_stage: u32, /// Amount of uniform buffers visible in a single shader stage. Defaults to 12. Higher is "better". pub max_uniform_buffers_per_shader_stage: u32,@@ -667,11 +667,13 @@ /// Defaults to 256. Lower is "better". pub min_storage_buffer_offset_alignment: u32, /// Maximum allowed number of components (scalars) of input or output locations for- /// inter-stage communication (vertex outputs to fragment inputs).+ /// inter-stage communication (vertex outputs to fragment inputs). Defaults to 60. pub max_inter_stage_shader_components: u32,- /// Maximum number of bytes used for workgroup memory in a compute entry point.+ /// Maximum number of bytes used for workgroup memory in a compute entry point. Defaults to+ /// 16352. pub max_compute_workgroup_storage_size: u32, /// Maximum value of the product of the `workgroup_size` dimensions for a compute entry-point.+ /// Defaults to 256. pub max_compute_invocations_per_workgroup: u32, /// The maximum value of the workgroup_size X dimension for a compute stage `ShaderModule` entry-point. /// Defaults to 256.@@ -680,7 +682,7 @@ /// Defaults to 256. pub max_compute_workgroup_size_y: u32, /// The maximum value of the workgroup_size Z dimension for a compute stage `ShaderModule` entry-point.- /// Defaults to 256.+ /// Defaults to 64. pub max_compute_workgroup_size_z: u32, /// The maximum value for each dimension of a `ComputePass::dispatch(x, y, z)` operation. /// Defaults to 65535.@@ -1408,12 +1410,20 @@ /// Feature flags for a texture format. #[repr(transparent)] pub struct TextureFormatFeatureFlags: u32 {+ /// If not present, the texture can't be sampled with a filtering sampler.+ /// This may overwrite TextureSampleType::Float.filterable+ const FILTERABLE = 1 << 0;+ /// Allows [`TextureDescriptor::sample_count`] greater than `1`.+ const MULTISAMPLE = 1 << 1;+ /// Allows a texture of this format to back a view passed as `resolve_target`+ /// to a render pass for an automatic driver-implemented resolve.+ const MULTISAMPLE_RESOLVE = 1 << 2; /// When used as a STORAGE texture, then a texture with this format can be bound with /// [`StorageTextureAccess::ReadOnly`] or [`StorageTextureAccess::ReadWrite`].- const STORAGE_READ_WRITE = 1 << 0;+ const STORAGE_READ_WRITE = 1 << 3; /// When used as a STORAGE texture, then a texture with this format can be written to with atomics. // TODO: No access flag exposed as of writing- const STORAGE_ATOMICS = 1 << 1;+ const STORAGE_ATOMICS = 1 << 4; } }@@ -1429,9 +1439,6 @@ pub allowed_usages: TextureUsages, /// Additional property flags for the format. pub flags: TextureFormatFeatureFlags,- /// If `filterable` is false, the texture can't be sampled with a filtering sampler.- /// This may overwrite TextureSampleType::Float.filterable- pub filterable: bool, } /// Information about a texture format.@@ -1451,6 +1458,13 @@ pub srgb: bool, /// Format features guaranteed by the WebGPU spec. Additional features are available if `Features::TEXTURE_ADAPTER_SPECIFIC_FORMAT_FEATURES` is enabled. pub guaranteed_format_features: TextureFormatFeatures,+}++impl TextureFormatInfo {+ /// Return `true` for compressed formats.+ pub fn is_compressed(&self) -> bool {+ self.block_dimensions != (1, 1)+ } } /// Underlying texture data format.@@ -1982,9 +1996,18 @@ let float = TextureSampleType::Float { filterable: true }; let depth = TextureSampleType::Depth;- // Color spaces- let linear = false;- let srgb = true;+ enum ColorSpace {+ Linear,+ Corrected,+ }+ let linear = ColorSpace::Linear;+ let corrected = ColorSpace::Corrected;++ // Multisampling+ let noaa = TextureFormatFeatureFlags::empty();+ let msaa = TextureFormatFeatureFlags::MULTISAMPLE;+ let msaa_resolve =+ TextureFormatFeatureFlags::MULTISAMPLE | TextureFormatFeatureFlags::MULTISAMPLE_RESOLVE; // Flags let basic =@@ -1997,133 +2020,224 @@ let ( required_features, sample_type,- srgb,+ color_space,+ msaa_flags, block_dimensions, block_size, allowed_usages, components, ) = match self { // Normal 8 bit textures- Self::R8Unorm => (native, float, linear, (1, 1), 1, attachment, 1),- Self::R8Snorm => (native, float, linear, (1, 1), 1, basic, 1),- Self::R8Uint => (native, uint, linear, (1, 1), 1, attachment, 1),- Self::R8Sint => (native, sint, linear, (1, 1), 1, attachment, 1),+ Self::R8Unorm => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 1,+ attachment,+ 1,+ ),+ Self::R8Snorm => (native, float, linear, msaa, (1, 1), 1, basic, 1),+ Self::R8Uint => (native, uint, linear, msaa, (1, 1), 1, attachment, 1),+ Self::R8Sint => (native, sint, linear, msaa, (1, 1), 1, attachment, 1), // Normal 16 bit textures- Self::R16Uint => (native, uint, linear, (1, 1), 2, attachment, 1),- Self::R16Sint => (native, sint, linear, (1, 1), 2, attachment, 1),- Self::R16Float => (native, float, linear, (1, 1), 2, attachment, 1),- Self::Rg8Unorm => (native, float, linear, (1, 1), 2, attachment, 2),- Self::Rg8Snorm => (native, float, linear, (1, 1), 2, attachment, 2),- Self::Rg8Uint => (native, uint, linear, (1, 1), 2, attachment, 2),- Self::Rg8Sint => (native, sint, linear, (1, 1), 2, basic, 2),+ Self::R16Uint => (native, uint, linear, msaa, (1, 1), 2, attachment, 1),+ Self::R16Sint => (native, sint, linear, msaa, (1, 1), 2, attachment, 1),+ Self::R16Float => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 2,+ attachment,+ 1,+ ),+ Self::Rg8Unorm => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 2,+ attachment,+ 2,+ ),+ Self::Rg8Snorm => (native, float, linear, msaa, (1, 1), 2, attachment, 2),+ Self::Rg8Uint => (native, uint, linear, msaa, (1, 1), 2, attachment, 2),+ Self::Rg8Sint => (native, sint, linear, msaa, (1, 1), 2, basic, 2), // Normal 32 bit textures- Self::R32Uint => (native, uint, linear, (1, 1), 4, all_flags, 1),- Self::R32Sint => (native, sint, linear, (1, 1), 4, all_flags, 1),- Self::R32Float => (native, nearest, linear, (1, 1), 4, all_flags, 1),- Self::Rg16Uint => (native, uint, linear, (1, 1), 4, attachment, 2),- Self::Rg16Sint => (native, sint, linear, (1, 1), 4, attachment, 2),- Self::Rg16Float => (native, float, linear, (1, 1), 4, attachment, 2),- Self::Rgba8Unorm => (native, float, linear, (1, 1), 4, all_flags, 4),- Self::Rgba8UnormSrgb => (native, float, srgb, (1, 1), 4, attachment, 4),- Self::Rgba8Snorm => (native, float, linear, (1, 1), 4, storage, 4),- Self::Rgba8Uint => (native, uint, linear, (1, 1), 4, all_flags, 4),- Self::Rgba8Sint => (native, sint, linear, (1, 1), 4, all_flags, 4),- Self::Bgra8Unorm => (native, float, linear, (1, 1), 4, attachment, 4),- Self::Bgra8UnormSrgb => (native, float, srgb, (1, 1), 4, attachment, 4),+ Self::R32Uint => (native, uint, linear, noaa, (1, 1), 4, all_flags, 1),+ Self::R32Sint => (native, sint, linear, noaa, (1, 1), 4, all_flags, 1),+ Self::R32Float => (native, nearest, linear, msaa, (1, 1), 4, all_flags, 1),+ Self::Rg16Uint => (native, uint, linear, msaa, (1, 1), 4, attachment, 2),+ Self::Rg16Sint => (native, sint, linear, msaa, (1, 1), 4, attachment, 2),+ Self::Rg16Float => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 4,+ attachment,+ 2,+ ),+ Self::Rgba8Unorm => (native, float, linear, msaa_resolve, (1, 1), 4, all_flags, 4),+ Self::Rgba8UnormSrgb => (+ native,+ float,+ corrected,+ msaa_resolve,+ (1, 1),+ 4,+ attachment,+ 4,+ ),+ Self::Rgba8Snorm => (native, float, linear, msaa, (1, 1), 4, storage, 4),+ Self::Rgba8Uint => (native, uint, linear, msaa, (1, 1), 4, all_flags, 4),+ Self::Rgba8Sint => (native, sint, linear, msaa, (1, 1), 4, all_flags, 4),+ Self::Bgra8Unorm => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 4,+ attachment,+ 4,+ ),+ Self::Bgra8UnormSrgb => (+ native,+ float,+ corrected,+ msaa_resolve,+ (1, 1),+ 4,+ attachment,+ 4,+ ), // Packed 32 bit textures- Self::Rgb10a2Unorm => (native, float, linear, (1, 1), 4, attachment, 4),- Self::Rg11b10Float => (native, float, linear, (1, 1), 4, basic, 3),+ Self::Rgb10a2Unorm => (+ native,+ float,+ linear,+ msaa_resolve,+ (1, 1),+ 4,+ attachment,+ 4,+ ),+ Self::Rg11b10Float => (native, float, linear, msaa, (1, 1), 4, basic, 3), // Packed 32 bit textures- Self::Rg32Uint => (native, uint, linear, (1, 1), 8, all_flags, 2),- Self::Rg32Sint => (native, sint, linear, (1, 1), 8, all_flags, 2),- Self::Rg32Float => (native, nearest, linear, (1, 1), 8, all_flags, 2),- Self::Rgba16Uint => (native, uint, linear, (1, 1), 8, all_flags, 4),- Self::Rgba16Sint => (native, sint, linear, (1, 1), 8, all_flags, 4),- Self::Rgba16Float => (native, float, linear, (1, 1), 8, all_flags, 4),+ Self::Rg32Uint => (native, uint, linear, noaa, (1, 1), 8, all_flags, 2),+ Self::Rg32Sint => (native, sint, linear, noaa, (1, 1), 8, all_flags, 2),+ Self::Rg32Float => (native, nearest, linear, noaa, (1, 1), 8, all_flags, 2),+ Self::Rgba16Uint => (native, uint, linear, msaa, (1, 1), 8, all_flags, 4),+ Self::Rgba16Sint => (native, sint, linear, msaa, (1, 1), 8, all_flags, 4),+ Self::Rgba16Float => (native, float, linear, msaa_resolve, (1, 1), 8, all_flags, 4), // Packed 32 bit textures- Self::Rgba32Uint => (native, uint, linear, (1, 1), 16, all_flags, 4),- Self::Rgba32Sint => (native, sint, linear, (1, 1), 16, all_flags, 4),- Self::Rgba32Float => (native, nearest, linear, (1, 1), 16, all_flags, 4),+ Self::Rgba32Uint => (native, uint, linear, noaa, (1, 1), 16, all_flags, 4),+ Self::Rgba32Sint => (native, sint, linear, noaa, (1, 1), 16, all_flags, 4),+ Self::Rgba32Float => (native, nearest, linear, noaa, (1, 1), 16, all_flags, 4), // Depth-stencil textures- Self::Depth32Float => (native, depth, linear, (1, 1), 4, attachment, 1),- Self::Depth24Plus => (native, depth, linear, (1, 1), 4, attachment, 1),- Self::Depth24PlusStencil8 => (native, depth, linear, (1, 1), 4, attachment, 2),+ Self::Depth32Float => (native, depth, linear, msaa, (1, 1), 4, attachment, 1),+ Self::Depth24Plus => (native, depth, linear, msaa, (1, 1), 4, attachment, 1),+ Self::Depth24PlusStencil8 => (native, depth, linear, msaa, (1, 1), 4, attachment, 2), // Packed uncompressed- Self::Rgb9e5Ufloat => (native, float, linear, (1, 1), 4, basic, 3),+ Self::Rgb9e5Ufloat => (native, float, linear, noaa, (1, 1), 4, basic, 3), // BCn compressed textures- Self::Bc1RgbaUnorm => (bc, float, linear, (4, 4), 8, basic, 4),- Self::Bc1RgbaUnormSrgb => (bc, float, srgb, (4, 4), 8, basic, 4),- Self::Bc2RgbaUnorm => (bc, float, linear, (4, 4), 16, basic, 4),- Self::Bc2RgbaUnormSrgb => (bc, float, srgb, (4, 4), 16, basic, 4),- Self::Bc3RgbaUnorm => (bc, float, linear, (4, 4), 16, basic, 4),- Self::Bc3RgbaUnormSrgb => (bc, float, srgb, (4, 4), 16, basic, 4),- Self::Bc4RUnorm => (bc, float, linear, (4, 4), 8, basic, 1),- Self::Bc4RSnorm => (bc, float, linear, (4, 4), 8, basic, 1),- Self::Bc5RgUnorm => (bc, float, linear, (4, 4), 16, basic, 2),- Self::Bc5RgSnorm => (bc, float, linear, (4, 4), 16, basic, 2),- Self::Bc6hRgbUfloat => (bc, float, linear, (4, 4), 16, basic, 3),- Self::Bc6hRgbSfloat => (bc, float, linear, (4, 4), 16, basic, 3),- Self::Bc7RgbaUnorm => (bc, float, linear, (4, 4), 16, basic, 4),- Self::Bc7RgbaUnormSrgb => (bc, float, srgb, (4, 4), 16, basic, 4),+ Self::Bc1RgbaUnorm => (bc, float, linear, noaa, (4, 4), 8, basic, 4),+ Self::Bc1RgbaUnormSrgb => (bc, float, corrected, noaa, (4, 4), 8, basic, 4),+ Self::Bc2RgbaUnorm => (bc, float, linear, noaa, (4, 4), 16, basic, 4),+ Self::Bc2RgbaUnormSrgb => (bc, float, corrected, noaa, (4, 4), 16, basic, 4),+ Self::Bc3RgbaUnorm => (bc, float, linear, noaa, (4, 4), 16, basic, 4),+ Self::Bc3RgbaUnormSrgb => (bc, float, corrected, noaa, (4, 4), 16, basic, 4),+ Self::Bc4RUnorm => (bc, float, linear, noaa, (4, 4), 8, basic, 1),+ Self::Bc4RSnorm => (bc, float, linear, noaa, (4, 4), 8, basic, 1),+ Self::Bc5RgUnorm => (bc, float, linear, noaa, (4, 4), 16, basic, 2),+ Self::Bc5RgSnorm => (bc, float, linear, noaa, (4, 4), 16, basic, 2),+ Self::Bc6hRgbUfloat => (bc, float, linear, noaa, (4, 4), 16, basic, 3),+ Self::Bc6hRgbSfloat => (bc, float, linear, noaa, (4, 4), 16, basic, 3),+ Self::Bc7RgbaUnorm => (bc, float, linear, noaa, (4, 4), 16, basic, 4),+ Self::Bc7RgbaUnormSrgb => (bc, float, corrected, noaa, (4, 4), 16, basic, 4), // ETC compressed textures- Self::Etc2Rgb8Unorm => (etc2, float, linear, (4, 4), 8, basic, 3),- Self::Etc2Rgb8UnormSrgb => (etc2, float, srgb, (4, 4), 8, basic, 3),- Self::Etc2Rgb8A1Unorm => (etc2, float, linear, (4, 4), 8, basic, 4),- Self::Etc2Rgb8A1UnormSrgb => (etc2, float, srgb, (4, 4), 8, basic, 4),- Self::Etc2Rgba8Unorm => (etc2, float, linear, (4, 4), 16, basic, 4),- Self::Etc2Rgba8UnormSrgb => (etc2, float, srgb, (4, 4), 16, basic, 4),- Self::EacR11Unorm => (etc2, float, linear, (4, 4), 8, basic, 1),- Self::EacR11Snorm => (etc2, float, linear, (4, 4), 8, basic, 1),- Self::EacRg11Unorm => (etc2, float, linear, (4, 4), 16, basic, 2),- Self::EacRg11Snorm => (etc2, float, linear, (4, 4), 16, basic, 2),+ Self::Etc2Rgb8Unorm => (etc2, float, linear, noaa, (4, 4), 8, basic, 3),+ Self::Etc2Rgb8UnormSrgb => (etc2, float, corrected, noaa, (4, 4), 8, basic, 3),+ Self::Etc2Rgb8A1Unorm => (etc2, float, linear, noaa, (4, 4), 8, basic, 4),+ Self::Etc2Rgb8A1UnormSrgb => (etc2, float, corrected, noaa, (4, 4), 8, basic, 4),+ Self::Etc2Rgba8Unorm => (etc2, float, linear, noaa, (4, 4), 16, basic, 4),+ Self::Etc2Rgba8UnormSrgb => (etc2, float, corrected, noaa, (4, 4), 16, basic, 4),+ Self::EacR11Unorm => (etc2, float, linear, noaa, (4, 4), 8, basic, 1),+ Self::EacR11Snorm => (etc2, float, linear, noaa, (4, 4), 8, basic, 1),+ Self::EacRg11Unorm => (etc2, float, linear, noaa, (4, 4), 16, basic, 2),+ Self::EacRg11Snorm => (etc2, float, linear, noaa, (4, 4), 16, basic, 2), // ASTC compressed textures- Self::Astc4x4RgbaUnorm => (astc_ldr, float, linear, (4, 4), 16, basic, 4),- Self::Astc4x4RgbaUnormSrgb => (astc_ldr, float, srgb, (4, 4), 16, basic, 4),- Self::Astc5x4RgbaUnorm => (astc_ldr, float, linear, (5, 4), 16, basic, 4),- Self::Astc5x4RgbaUnormSrgb => (astc_ldr, float, srgb, (5, 4), 16, basic, 4),- Self::Astc5x5RgbaUnorm => (astc_ldr, float, linear, (5, 5), 16, basic, 4),- Self::Astc5x5RgbaUnormSrgb => (astc_ldr, float, srgb, (5, 5), 16, basic, 4),- Self::Astc6x5RgbaUnorm => (astc_ldr, float, linear, (6, 5), 16, basic, 4),- Self::Astc6x5RgbaUnormSrgb => (astc_ldr, float, srgb, (6, 5), 16, basic, 4),- Self::Astc6x6RgbaUnorm => (astc_ldr, float, linear, (6, 6), 16, basic, 4),- Self::Astc6x6RgbaUnormSrgb => (astc_ldr, float, srgb, (6, 6), 16, basic, 4),- Self::Astc8x5RgbaUnorm => (astc_ldr, float, linear, (8, 5), 16, basic, 4),- Self::Astc8x5RgbaUnormSrgb => (astc_ldr, float, srgb, (8, 5), 16, basic, 4),- Self::Astc8x6RgbaUnorm => (astc_ldr, float, linear, (8, 6), 16, basic, 4),- Self::Astc8x6RgbaUnormSrgb => (astc_ldr, float, srgb, (8, 6), 16, basic, 4),- Self::Astc10x5RgbaUnorm => (astc_ldr, float, linear, (10, 5), 16, basic, 4),- Self::Astc10x5RgbaUnormSrgb => (astc_ldr, float, srgb, (10, 5), 16, basic, 4),- Self::Astc10x6RgbaUnorm => (astc_ldr, float, linear, (10, 6), 16, basic, 4),- Self::Astc10x6RgbaUnormSrgb => (astc_ldr, float, srgb, (10, 6), 16, basic, 4),- Self::Astc8x8RgbaUnorm => (astc_ldr, float, linear, (8, 8), 16, basic, 4),- Self::Astc8x8RgbaUnormSrgb => (astc_ldr, float, srgb, (8, 8), 16, basic, 4),- Self::Astc10x8RgbaUnorm => (astc_ldr, float, linear, (10, 8), 16, basic, 4),- Self::Astc10x8RgbaUnormSrgb => (astc_ldr, float, srgb, (10, 8), 16, basic, 4),- Self::Astc10x10RgbaUnorm => (astc_ldr, float, linear, (10, 10), 16, basic, 4),- Self::Astc10x10RgbaUnormSrgb => (astc_ldr, float, srgb, (10, 10), 16, basic, 4),- Self::Astc12x10RgbaUnorm => (astc_ldr, float, linear, (12, 10), 16, basic, 4),- Self::Astc12x10RgbaUnormSrgb => (astc_ldr, float, srgb, (12, 10), 16, basic, 4),- Self::Astc12x12RgbaUnorm => (astc_ldr, float, linear, (12, 12), 16, basic, 4),- Self::Astc12x12RgbaUnormSrgb => (astc_ldr, float, srgb, (12, 12), 16, basic, 4),+ Self::Astc4x4RgbaUnorm => (astc_ldr, float, linear, noaa, (4, 4), 16, basic, 4),+ Self::Astc4x4RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (4, 4), 16, basic, 4),+ Self::Astc5x4RgbaUnorm => (astc_ldr, float, linear, noaa, (5, 4), 16, basic, 4),+ Self::Astc5x4RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (5, 4), 16, basic, 4),+ Self::Astc5x5RgbaUnorm => (astc_ldr, float, linear, noaa, (5, 5), 16, basic, 4),+ Self::Astc5x5RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (5, 5), 16, basic, 4),+ Self::Astc6x5RgbaUnorm => (astc_ldr, float, linear, noaa, (6, 5), 16, basic, 4),+ Self::Astc6x5RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (6, 5), 16, basic, 4),+ Self::Astc6x6RgbaUnorm => (astc_ldr, float, linear, noaa, (6, 6), 16, basic, 4),+ Self::Astc6x6RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (6, 6), 16, basic, 4),+ Self::Astc8x5RgbaUnorm => (astc_ldr, float, linear, noaa, (8, 5), 16, basic, 4),+ Self::Astc8x5RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (8, 5), 16, basic, 4),+ Self::Astc8x6RgbaUnorm => (astc_ldr, float, linear, noaa, (8, 6), 16, basic, 4),+ Self::Astc8x6RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (8, 6), 16, basic, 4),+ Self::Astc10x5RgbaUnorm => (astc_ldr, float, linear, noaa, (10, 5), 16, basic, 4),+ Self::Astc10x5RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (10, 5), 16, basic, 4)+ }+ Self::Astc10x6RgbaUnorm => (astc_ldr, float, linear, noaa, (10, 6), 16, basic, 4),+ Self::Astc10x6RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (10, 6), 16, basic, 4)+ }+ Self::Astc8x8RgbaUnorm => (astc_ldr, float, linear, noaa, (8, 8), 16, basic, 4),+ Self::Astc8x8RgbaUnormSrgb => (astc_ldr, float, corrected, noaa, (8, 8), 16, basic, 4),+ Self::Astc10x8RgbaUnorm => (astc_ldr, float, linear, noaa, (10, 8), 16, basic, 4),+ Self::Astc10x8RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (10, 8), 16, basic, 4)+ }+ Self::Astc10x10RgbaUnorm => (astc_ldr, float, linear, noaa, (10, 10), 16, basic, 4),+ Self::Astc10x10RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (10, 10), 16, basic, 4)+ }+ Self::Astc12x10RgbaUnorm => (astc_ldr, float, linear, noaa, (12, 10), 16, basic, 4),+ Self::Astc12x10RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (12, 10), 16, basic, 4)+ }+ Self::Astc12x12RgbaUnorm => (astc_ldr, float, linear, noaa, (12, 12), 16, basic, 4),+ Self::Astc12x12RgbaUnormSrgb => {+ (astc_ldr, float, corrected, noaa, (12, 12), 16, basic, 4)+ } // Optional normalized 16-bit-per-channel formats- Self::R16Unorm => (norm16bit, float, linear, (1, 1), 2, storage, 1),- Self::R16Snorm => (norm16bit, float, linear, (1, 1), 2, storage, 1),- Self::Rg16Unorm => (norm16bit, float, linear, (1, 1), 4, storage, 2),- Self::Rg16Snorm => (norm16bit, float, linear, (1, 1), 4, storage, 2),- Self::Rgba16Unorm => (norm16bit, float, linear, (1, 1), 8, storage, 4),- Self::Rgba16Snorm => (norm16bit, float, linear, (1, 1), 8, storage, 4),+ Self::R16Unorm => (norm16bit, float, linear, msaa, (1, 1), 2, storage, 1),+ Self::R16Snorm => (norm16bit, float, linear, msaa, (1, 1), 2, storage, 1),+ Self::Rg16Unorm => (norm16bit, float, linear, msaa, (1, 1), 4, storage, 2),+ Self::Rg16Snorm => (norm16bit, float, linear, msaa, (1, 1), 4, storage, 2),+ Self::Rgba16Unorm => (norm16bit, float, linear, msaa, (1, 1), 8, storage, 4),+ Self::Rgba16Snorm => (norm16bit, float, linear, msaa, (1, 1), 8, storage, 4), };++ let mut flags = msaa_flags;+ flags.set(+ TextureFormatFeatureFlags::FILTERABLE,+ sample_type == TextureSampleType::Float { filterable: true },+ ); TextureFormatInfo { required_features,@@ -2131,11 +2245,13 @@ block_dimensions, block_size, components,- srgb,+ srgb: match color_space {+ ColorSpace::Linear => false,+ ColorSpace::Corrected => true,+ }, guaranteed_format_features: TextureFormatFeatures { allowed_usages,- flags: TextureFormatFeatureFlags::empty(),- filterable: sample_type == TextureSampleType::Float { filterable: true },+ flags, }, } }@@ -2846,25 +2962,6 @@ /// /// This is the texture extent that you must upload at when uploading to _mipmaps_ of compressed textures. ///- /// ```rust- /// # use wgpu_types as wgpu;- /// let format = wgpu::TextureFormat::Bc1RgbaUnormSrgb; // 4x4 blocks- /// assert_eq!(- /// wgpu::Extent3d { width: 7, height: 7, depth_or_array_layers: 1 }.physical_size(format),- /// wgpu::Extent3d { width: 8, height: 8, depth_or_array_layers: 1 }- /// );- /// // Doesn't change, already aligned- /// assert_eq!(- /// wgpu::Extent3d { width: 8, height: 8, depth_or_array_layers: 1 }.physical_size(format),- /// wgpu::Extent3d { width: 8, height: 8, depth_or_array_layers: 1 }- /// );- /// let format = wgpu::TextureFormat::Astc8x5RgbaUnorm; // 8x5 blocks- /// assert_eq!(- /// wgpu::Extent3d { width: 7, height: 7, depth_or_array_layers: 1 }.physical_size(format),- /// wgpu::Extent3d { width: 8, height: 10, depth_or_array_layers: 1 }- /// );- /// ```- /// /// [physical size]: https://gpuweb.github.io/gpuweb/#physical-size pub fn physical_size(&self, format: TextureFormat) -> Self { let (block_width, block_height) = format.describe().block_dimensions;@@ -2885,16 +2982,18 @@ /// /// Treats the depth as part of the mipmaps. If calculating /// for a 2DArray texture, which does not mipmap depth, set depth to 1.- ///- /// ```rust- /// # use wgpu_types as wgpu;- /// assert_eq!(wgpu::Extent3d { width: 1, height: 1, depth_or_array_layers: 1 }.max_mips(), 1);- /// assert_eq!(wgpu::Extent3d { width: 60, height: 60, depth_or_array_layers: 1 }.max_mips(), 6);- /// assert_eq!(wgpu::Extent3d { width: 240, height: 1, depth_or_array_layers: 1 }.max_mips(), 8);- /// ```- pub fn max_mips(&self) -> u32 {- let max_dim = self.width.max(self.height.max(self.depth_or_array_layers));- 32 - max_dim.leading_zeros()+ pub fn max_mips(&self, dim: TextureDimension) -> u32 {+ match dim {+ TextureDimension::D1 => 1,+ TextureDimension::D2 => {+ let max_dim = self.width.max(self.height);+ 32 - max_dim.leading_zeros()+ }+ TextureDimension::D3 => {+ let max_dim = self.width.max(self.height.max(self.depth_or_array_layers));+ 32 - max_dim.leading_zeros()+ }+ } } /// Calculates the extent at a given mip level.@@ -2909,6 +3008,104 @@ }, } }+}++#[test]+fn test_physical_size() {+ let format = TextureFormat::Bc1RgbaUnormSrgb; // 4x4 blocks+ assert_eq!(+ Extent3d {+ width: 7,+ height: 7,+ depth_or_array_layers: 1+ }+ .physical_size(format),+ Extent3d {+ width: 8,+ height: 8,+ depth_or_array_layers: 1+ }+ );+ // Doesn't change, already aligned+ assert_eq!(+ Extent3d {+ width: 8,+ height: 8,+ depth_or_array_layers: 1+ }+ .physical_size(format),+ Extent3d {+ width: 8,+ height: 8,+ depth_or_array_layers: 1+ }+ );+ let format = TextureFormat::Astc8x5RgbaUnorm; // 8x5 blocks+ assert_eq!(+ Extent3d {+ width: 7,+ height: 7,+ depth_or_array_layers: 1+ }+ .physical_size(format),+ Extent3d {+ width: 8,+ height: 10,+ depth_or_array_layers: 1+ }+ );+}++#[test]+fn test_max_mips() {+ // 1D+ assert_eq!(+ Extent3d {+ width: 240,+ height: 1,+ depth_or_array_layers: 1+ }+ .max_mips(TextureDimension::D1),+ 1+ );+ // 2D+ assert_eq!(+ Extent3d {+ width: 1,+ height: 1,+ depth_or_array_layers: 1+ }+ .max_mips(TextureDimension::D2),+ 1+ );+ assert_eq!(+ Extent3d {+ width: 60,+ height: 60,+ depth_or_array_layers: 1+ }+ .max_mips(TextureDimension::D2),+ 6+ );+ assert_eq!(+ Extent3d {+ width: 240,+ height: 1,+ depth_or_array_layers: 1000+ }+ .max_mips(TextureDimension::D2),+ 8+ );+ // 3D+ assert_eq!(+ Extent3d {+ width: 16,+ height: 30,+ depth_or_array_layers: 60+ }+ .max_mips(TextureDimension::D3),+ 6+ ); } /// Describes a [`Texture`].
After analyzing the provided code diff, I don't find any clear security vulnerabilities that were fixed. The changes appear to be primarily feature improvements, documentation updates, and code refactoring. Here's my analysis: 1. Vulnerability Existed: no Feature Renaming [third_party/rust/wgpu-types/src/lib.rs] [Lines 505-513] Old Code: `const CLEAR_COMMANDS = 1 << 37;` Fixed Code: `const CLEAR_TEXTURE = 1 << 37;` 2. Vulnerability Existed: no Default Value Changes [third_party/rust/wgpu-types/src/lib.rs] [Lines 628-632] Old Code: Defaults to 4 for storage buffers and textures Fixed Code: Defaults to 8 for storage buffers and textures 3. Vulnerability Existed: no Documentation Improvements [third_party/rust/wgpu-types/src/lib.rs] [Lines 667-682] Old Code: Missing default value documentation Fixed Code: Added default value documentation 4. Vulnerability Existed: no Texture Format Feature Flags Restructuring [third_party/rust/wgpu-types/src/lib.rs] [Lines 1408-1439] Old Code: Separate filterable field Fixed Code: Integrated into TextureFormatFeatureFlags The changes appear to be focused on: 1. Making feature naming more specific (CLEAR_COMMANDS → CLEAR_TEXTURE) 2. Increasing default resource limits 3. Improving documentation 4. Refactoring texture format handling 5. Adding test cases None of these changes appear to address security vulnerabilities, but rather improve functionality and code organization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognised.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognised.html@@ -17,10 +17,10 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(offscreenCanvas, "invalid"); });+assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(canvas, "invalid"); }); t.done(); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
No Vulnerability Found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.repeat.unrecognised.html] [Lines 17-23]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(offscreenCanvas, "invalid"); });
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
assert_throws_dom("SYNTAX_ERR", function() { ctx.createPattern(canvas, "invalid"); });
The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` without altering any security-relevant functionality. The test continues to verify that invalid pattern repetition modes throw the expected SYNTAX_ERR exception. No security vulnerability is being addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/ipc/VideoBridgeChild.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/ipc/VideoBridgeChild.h@@ -51,8 +51,7 @@ PTextureChild* CreateTexture( const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock, LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,- wr::MaybeExternalImageId& aExternalImageId,- nsISerialEventTarget* aTarget = nullptr) override;+ wr::MaybeExternalImageId& aExternalImageId) override; // ClientIPCAllocator base::ProcessId GetParentPid() const override { return OtherPid(); }
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: not sure
[Potential Parameter Injection/API Security] [gfx/layers/ipc/VideoBridgeChild.h] [Lines 51-58]
[Old Code]
PTextureChild* CreateTexture(
const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock,
LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,
wr::MaybeExternalImageId& aExternalImageId,
nsISerialEventTarget* aTarget = nullptr) override;
[Fixed Code]
PTextureChild* CreateTexture(
const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock,
LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,
wr::MaybeExternalImageId& aExternalImageId) override;
Additional Details:
The main change is the removal of the optional parameter `nsISerialEventTarget* aTarget = nullptr`. While this could potentially be a security fix (removing an injection vector or reducing attack surface), without more context about how this parameter was used, I can't definitively say if this was fixing a specific vulnerability. The change might also be purely architectural. The removal of optional parameters can sometimes improve security by reducing complexity and potential misuse, but this isn't tied to a specific known vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/vr/VRDisplayPresentation.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/vr/VRDisplayPresentation.cpp@@ -40,14 +40,12 @@ } dom::HTMLCanvasElement* canvasElement = aLayer->GetCanvas();- nsCOMPtr<nsISerialEventTarget> target =- canvasElement->OwnerDoc()->EventTargetFor(TaskCategory::Other); if (mLayers.Length() == 0) { // WebXR uses a single layer for now. RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(- mDisplayClient->GetDisplayInfo().GetDisplayID(), target, mGroup));+ mDisplayClient->GetDisplayInfo().GetDisplayID(), mGroup)); mLayers.AppendElement(vrLayer); } RefPtr<VRLayerChild> vrLayer = mLayers[0];@@ -104,14 +102,11 @@ continue; }- nsCOMPtr<nsISerialEventTarget> target =- canvasElement->OwnerDoc()->EventTargetFor(TaskCategory::Other);- if (mLayers.Length() <= iLayer) { // Not enough layers, let's add one RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(- mDisplayClient->GetDisplayInfo().GetDisplayID(), target, mGroup));+ mDisplayClient->GetDisplayInfo().GetDisplayID(), mGroup)); if (!vrLayer) { NS_WARNING("CreateVRLayer returned null!"); continue;
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be removing the `target` parameter from `CreateVRLayer` calls, which seems more like a refactoring or simplification rather than a security fix. Here's the analysis following your format: 1. Vulnerability Existed: no No specific vulnerability found [File] gfx/vr/VRDisplayPresentation.cpp [Lines] 40-46, 104-110 [Old Code] nsCOMPtr<nsISerialEventTarget> target = canvasElement->OwnerDoc()->EventTargetFor(TaskCategory::Other); RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(mDisplayClient->GetDisplayInfo().GetDisplayID(), target, mGroup)); [Fixed Code] RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(mDisplayClient->GetDisplayInfo().GetDisplayID(), mGroup)); 2. Vulnerability Existed: no No specific vulnerability found [File] gfx/vr/VRDisplayPresentation.cpp [Lines] 104-110 [Old Code] nsCOMPtr<nsISerialEventTarget> target = canvasElement->OwnerDoc()->EventTargetFor(TaskCategory::Other); RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(mDisplayClient->GetDisplayInfo().GetDisplayID(), target, mGroup)); [Fixed Code] RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(mDisplayClient->GetDisplayInfo().GetDisplayID(), mGroup)); The changes appear to be removing an unused parameter (the event target) from the VRLayer creation calls. There's no indication of any security vulnerability being addressed here - it seems to be either a performance optimization or code simplification. No CVE or known vulnerability patterns are evident in these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/image_metadata.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/image_metadata.h@@ -65,7 +65,7 @@ using EC = ExtraChannel; return MakeBit(EC::kAlpha) | MakeBit(EC::kDepth) | MakeBit(EC::kSpotColor) | MakeBit(EC::kSelectionMask) | MakeBit(EC::kBlack) | MakeBit(EC::kCFA) |- MakeBit(EC::kUnknown) | MakeBit(EC::kOptional);+ MakeBit(EC::kThermal) | MakeBit(EC::kUnknown) | MakeBit(EC::kOptional); } // Used in ImageMetadata and ExtraChannelInfo.
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: not sure
[Potential Missing Enumeration Value] [third_party/jpeg-xl/lib/jxl/image_metadata.h] [Lines 65-67]
[Old Code]
return MakeBit(EC::kAlpha) | MakeBit(EC::kDepth) | MakeBit(EC::kSpotColor) |
MakeBit(EC::kSelectionMask) | MakeBit(EC::kBlack) | MakeBit(EC::kCFA) |
MakeBit(EC::kUnknown) | MakeBit(EC::kOptional);
[Fixed Code]
return MakeBit(EC::kAlpha) | MakeBit(EC::kDepth) | MakeBit(EC::kSpotColor) |
MakeBit(EC::kSelectionMask) | MakeBit(EC::kBlack) | MakeBit(EC::kCFA) |
MakeBit(EC::kThermal) | MakeBit(EC::kUnknown) | MakeBit(EC::kOptional);
Additional Details:
The diff shows the addition of `MakeBit(EC::kThermal)` to the list of ExtraChannel types being processed. While this doesn't appear to be a direct security vulnerability, it could potentially be related to fixing incomplete handling of channel types which might have led to parsing issues or incomplete data processing. Without more context about how this enumeration is used, I can't determine if this was an actual security fix or just a feature addition.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/places/nsPlacesIndexes.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/places/nsPlacesIndexes.h@@ -108,4 +108,18 @@ CREATE_PLACES_IDX("placecreated_uniqueindex", "moz_places_metadata", \ "place_id, created_at", "UNIQUE")+#define CREATE_IDX_MOZ_PLACES_METADATA_REFERRER \+ CREATE_PLACES_IDX("referrerindex", "moz_places_metadata", \+ "referrer_place_id", "")++// moz_places_metadata_snapshots+#define CREATE_IDX_MOZ_PLACES_METADATA_SNAPSHOTS_PINNNED \+ CREATE_PLACES_IDX("pinnedindex", "moz_places_metadata_snapshots", \+ "user_persisted, last_interaction_at", "")++// moz_places_metadata_snapshots_extra+#define CREATE_IDX_MOZ_PLACES_METADATA_SNAPSHOTS_EXTRA_TYPE \+ CREATE_PLACES_IDX("typeindex", "moz_places_metadata_snapshots_extra", \+ "type", "")+ #endif // nsPlacesIndexes_h__
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be adding new database indexes rather than patching security issues. Here's the analysis following your requested format: Vulnerability Existed: no [No security vulnerability found] [File: toolkit/components/places/nsPlacesIndexes.h] [Lines: 108-122] [Old Code: Only contained CREATE_IDX_MOZ_PLACES_METADATA_PLACECREATED] [Fixed Code: Added new index definitions for metadata tables] The changes consist of: 1. Adding a referrer index for moz_places_metadata 2. Adding a pinned index for moz_places_metadata_snapshots 3. Adding a type index for moz_places_metadata_snapshots_extra These appear to be performance optimizations or feature additions rather than security fixes. No CVE or specific vulnerability is being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/mediaqueries/mq-gamut-005.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/mediaqueries/mq-gamut-005.html@@ -5,7 +5,6 @@ <link rel="help" href="https://github.com/w3c/csswg-drafts/issues/4535"> <link rel="match" href="../reference/ref-filled-green-100px-square.xht"> <meta name="assert" content="the rec-2020 (old name for rec2020) color-gamut is not syntactically supported">-<meta name="flags" content=""> <style> div { width: 100px;
Based on the provided code diff, here's the analysis: Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/css/mediaqueries/mq-gamut-005.html [Lines] 5 [Old Code] <meta name="flags" content=""> [Fixed Code] (removed line) Additional Details: The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications. This seems to be a minor cleanup rather than a security fix. The removed line was an empty attribute that served no functional purpose in the test file. No known vulnerability patterns or security concerns are addressed by this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/geckodriver/src/browser.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/geckodriver/src/browser.rs@@ -10,9 +10,10 @@ use mozprofile::profile::{PrefFile, Profile}; use mozrunner::runner::{FirefoxProcess, FirefoxRunner, Runner, RunnerProcess}; use std::fs;-use std::path::PathBuf;+use std::io::Read;+use std::path::{Path, PathBuf}; use std::time;-+use url::{Host, Url}; use webdriver::error::{ErrorStatus, WebDriverError, WebDriverResult}; /// A running Gecko instance.@@ -22,7 +23,7 @@ Remote(RemoteBrowser), /// An existing browser instance not controlled by GeckoDriver- Existing,+ Existing(u16), } impl Browser {@@ -30,7 +31,15 @@ match self { Browser::Local(x) => x.close(wait_for_shutdown), Browser::Remote(x) => x.close(),- Browser::Existing => Ok(()),+ Browser::Existing(_) => Ok(()),+ }+ }++ pub(crate) fn marionette_port(&mut self) -> Option<u16> {+ match self {+ Browser::Local(x) => x.marionette_port(),+ Browser::Remote(x) => x.marionette_port(),+ Browser::Existing(x) => Some(*x), } } }@@ -38,14 +47,18 @@ #[derive(Debug)] /// A local Firefox process, running on this (host) device. pub(crate) struct LocalBrowser {+ marionette_port: u16,+ prefs_backup: Option<PrefsBackup>, process: FirefoxProcess,- prefs_backup: Option<PrefsBackup>,+ profile_path: PathBuf, } impl LocalBrowser { pub(crate) fn new( options: FirefoxOptions, marionette_port: u16,+ allow_hosts: Vec<Host>,+ allow_origins: Vec<Url>, jsdebugger: bool, ) -> WebDriverResult<LocalBrowser> { let binary = options.binary.ok_or_else(|| {@@ -70,6 +83,8 @@ &mut profile, is_custom_profile, options.prefs,+ allow_hosts,+ allow_origins, jsdebugger, ) .map_err(|e| {@@ -79,6 +94,7 @@ ) })?;+ let profile_path = profile.path.clone(); let mut runner = FirefoxRunner::new(&binary, profile); runner.arg("--marionette");@@ -109,8 +125,10 @@ }; Ok(LocalBrowser {+ marionette_port,+ prefs_backup, process,- prefs_backup,+ profile_path, }) }@@ -130,6 +148,17 @@ prefs_backup.restore(); }; Ok(())+ }++ fn marionette_port(&mut self) -> Option<u16> {+ if self.marionette_port != 0 {+ return Some(self.marionette_port);+ }+ let port = read_marionette_port(&self.profile_path);+ if let Some(port) = port {+ self.marionette_port = port;+ }+ port } pub(crate) fn check_status(&mut self) -> Option<String> {@@ -146,10 +175,33 @@ } }+fn read_marionette_port(profile_path: &Path) -> Option<u16> {+ let port_file = profile_path.join("MarionetteActivePort");+ let mut port_str = String::with_capacity(6);+ let mut file = match fs::File::open(&port_file) {+ Ok(file) => file,+ Err(_) => {+ trace!("Failed to open {}", &port_file.to_string_lossy());+ return None;+ }+ };+ if let Err(e) = file.read_to_string(&mut port_str) {+ trace!("Failed to read {}: {}", &port_file.to_string_lossy(), e);+ return None;+ };+ println!("Read port: {}", port_str);+ let port = port_str.parse::<u16>().ok();+ if port.is_none() {+ warn!("Failed fo convert {} to u16", &port_str);+ }+ port+}+ #[derive(Debug)] /// A remote instance, running on a (target) Android device. pub(crate) struct RemoteBrowser { handler: AndroidHandler,+ marionette_port: u16, } impl RemoteBrowser {@@ -157,6 +209,8 @@ options: FirefoxOptions, marionette_port: u16, websocket_port: Option<u16>,+ allow_hosts: Vec<Host>,+ allow_origins: Vec<Url>, ) -> WebDriverResult<RemoteBrowser> { let android_options = options.android.unwrap();@@ -172,6 +226,8 @@ &mut profile, is_custom_profile, options.prefs,+ allow_hosts,+ allow_origins, false, ) .map_err(|e| {@@ -185,12 +241,19 @@ handler.launch()?;- Ok(RemoteBrowser { handler })+ Ok(RemoteBrowser {+ handler,+ marionette_port,+ }) } fn close(self) -> WebDriverResult<()> { self.handler.force_stop()?; Ok(())+ }++ fn marionette_port(&mut self) -> Option<u16> {+ Some(self.marionette_port) } }@@ -199,6 +262,8 @@ profile: &mut Profile, custom_profile: bool, extra_prefs: Vec<(String, Pref)>,+ allow_hosts: Vec<Host>,+ allow_origins: Vec<Url>, js_debugger: bool, ) -> WebDriverResult<Option<PrefsBackup>> { let prefs = profile.user_prefs().map_err(|_| {@@ -232,8 +297,27 @@ prefs.insert("marionette.port", Pref::new(port)); prefs.insert("remote.log.level", logging::max_level().into());- // Deprecated since Firefox 91.- prefs.insert("marionette.log.level", logging::max_level().into());+ // Origins and host names to allow for WebDriver BiDi+ prefs.insert(+ "remote.hosts.allowed",+ Pref::new(+ allow_hosts+ .iter()+ .map(|host| host.to_string())+ .collect::<Vec<String>>()+ .join(","),+ ),+ );+ prefs.insert(+ "remote.origins.allowed",+ Pref::new(+ allow_origins+ .iter()+ .map(|origin| origin.to_string())+ .collect::<Vec<String>>()+ .join(","),+ ),+ ); prefs.write().map_err(|e| { WebDriverError::new(@@ -284,12 +368,15 @@ #[cfg(test)] mod tests { use super::set_prefs;+ use crate::browser::read_marionette_port; use crate::capabilities::FirefoxOptions; use mozprofile::preferences::{Pref, PrefValue}; use mozprofile::profile::Profile; use serde_json::{Map, Value}; use std::fs::File; use std::io::{Read, Write};+ use std::path::Path;+ use tempfile::tempdir; fn example_profile() -> Value { let mut profile_data = Vec::with_capacity(1024);@@ -304,7 +391,7 @@ #[test] fn test_remote_log_level() { let mut profile = Profile::new().unwrap();- set_prefs(2828, &mut profile, false, vec![], false).ok();+ set_prefs(2828, &mut profile, false, vec![], vec![], vec![], false).ok(); let user_prefs = profile.user_prefs().unwrap(); let pref = user_prefs.get("remote.log.level").unwrap();@@ -344,7 +431,8 @@ let mut profile = opts.profile.expect("valid firefox profile");- set_prefs(2828, &mut profile, true, opts.prefs, false).expect("set preferences");+ set_prefs(2828, &mut profile, true, opts.prefs, vec![], vec![], false)+ .expect("set preferences"); let prefs_set = profile.user_prefs().expect("valid user preferences"); println!("{:#?}", prefs_set.prefs);@@ -384,7 +472,7 @@ .read_to_string(&mut initial_prefs_data) .unwrap();- let backup = set_prefs(2828, &mut profile, true, vec![], false)+ let backup = set_prefs(2828, &mut profile, true, vec![], vec![], vec![], false) .unwrap() .unwrap(); let user_prefs = profile.user_prefs().unwrap();@@ -420,4 +508,24 @@ .unwrap(); assert_eq!(final_prefs_data, initial_prefs_data); }-}++ #[test]+ fn test_local_marionette_port() {+ fn create_port_file(profile_path: &Path, data: &[u8]) {+ let port_path = profile_path.join("MarionetteActivePort");+ let mut file = File::create(&port_path).unwrap();+ file.write_all(data).unwrap();+ }++ let profile_dir = tempdir().unwrap();+ let profile_path = profile_dir.path();+ assert_eq!(read_marionette_port(&profile_path), None);+ assert_eq!(read_marionette_port(&profile_path), None);+ create_port_file(&profile_path, b"");+ assert_eq!(read_marionette_port(&profile_path), None);+ create_port_file(&profile_path, b"1234");+ assert_eq!(read_marionette_port(&profile_path), Some(1234));+ create_port_file(&profile_path, b"1234abc");+ assert_eq!(read_marionette_port(&profile_path), None);+ }+}
Let me analyze the code diff for security fixes:
1. Vulnerability Existed: yes
Cross-Origin Resource Sharing (CORS) Misconfiguration [testing/geckodriver/src/browser.rs] [Lines 262-320]
Old Code:
// Deprecated since Firefox 91.
prefs.insert("marionette.log.level", logging::max_level().into());
Fixed Code:
// Origins and host names to allow for WebDriver BiDi
prefs.insert(
"remote.hosts.allowed",
Pref::new(
allow_hosts
.iter()
.map(|host| host.to_string())
.collect::<Vec<String>>()
.join(","),
);
prefs.insert(
"remote.origins.allowed",
Pref::new(
allow_origins
.iter()
.map(|origin| origin.to_string())
.collect::<Vec<String>>()
.join(","),
),
);
2. Vulnerability Existed: yes
Information Exposure Through Log Files [testing/geckodriver/src/browser.rs] [Lines 189-192]
Old Code:
None (no port reading functionality)
Fixed Code:
println!("Read port: {}", port_str);
let port = port_str.parse::<u16>().ok();
if port.is_none() {
warn!("Failed fo convert {} to u16", &port_str);
}
3. Vulnerability Existed: not sure
Potential Integer Overflow [testing/geckodriver/src/browser.rs] [Lines 189-192]
Old Code:
None (no port reading functionality)
Fixed Code:
let port_str = String::with_capacity(6);
...
let port = port_str.parse::<u16>().ok();
The fixes include:
1. Adding proper CORS controls by implementing allow lists for hosts and origins
2. Adding debug logging for port reading which could potentially expose sensitive information
3. The port reading functionality might be vulnerable to integer overflow if malicious input is provided, though the impact is unclear
The most significant security improvement is the addition of proper CORS controls to restrict which hosts and origins can access the WebDriver BiDi interface.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/modular/transform/enc_rct.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/modular/transform/enc_rct.h@@ -10,7 +10,7 @@ namespace jxl {-Status FwdRCT(Image &input, size_t begin_c, size_t rct_type);+Status FwdRCT(Image &input, size_t begin_c, size_t rct_type, ThreadPool *pool); } // namespace jxl
Here's the analysis of the provided code diff: Vulnerability Existed: not sure Potential Thread Safety Issue [File] third_party/jpeg-xl/lib/jxl/modular/transform/enc_rct.h [Lines] 10 [Old Code] `Status FwdRCT(Image &input, size_t begin_c, size_t rct_type);` [Fixed Code] `Status FwdRCT(Image &input, size_t begin_c, size_t rct_type, ThreadPool *pool);` Additional Details: The change adds a ThreadPool parameter to the FwdRCT function. While this isn't clearly a security fix, it could potentially address: 1. Thread safety concerns by explicitly managing thread pool usage 2. Performance issues that might have led to resource exhaustion 3. Race conditions in the previous implementation However, without more context about the implementation or any associated bug reports, we can't definitively identify this as a security fix. The change appears to be more about adding parallel processing capability than directly fixing a security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.bezier.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.bezier.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.moveTo(25, 25); ctx.bezierCurveTo(50, -50, 50, 100, 75, 25);
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas`
- No security implications are visible in this change
- The modification doesn't affect any security-sensitive operations
- The change is likely for code consistency or readability purposes
No security vulnerabilities were identified in this diff. The changes are purely cosmetic/refactoring in nature.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.exceeded.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.exceeded.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -31,10 +31,10 @@ ctx.lineTo(200, 200); ctx.lineTo(1000, 201); // slightly non-right-angle to avoid being a special case ctx.stroke();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");+_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here are the findings:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18, 31-34]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```
2. Vulnerability Existed: no
Variable Reference Updates [File] [Lines 31-34]
Old Code:
```javascript
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");
_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");
_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
```
Fixed Code:
```javascript
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");
_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");
_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
```
The changes appear to be purely cosmetic/refactoring in nature, simply renaming a variable from `offscreenCanvas` to `canvas` and updating all references to it. There are no security vulnerabilities being fixed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/server/actors/watcher/target-helpers/worker-helper.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/server/actors/watcher/target-helpers/worker-helper.js@@ -3,11 +3,6 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ "use strict";--const {- getAllRemoteBrowsingContexts,- shouldNotifyWindowGlobal,-} = require("devtools/server/actors/watcher/target-helpers/utils.js"); const DEVTOOLS_WORKER_JS_WINDOW_ACTOR_NAME = "DevToolsWorker";@@ -21,7 +16,10 @@ // Go over all existing BrowsingContext in order to: // - Force the instantiation of a DevToolsWorkerChild // - Have the DevToolsWorkerChild to spawn the WorkerTargetActors- const browsingContexts = getFilteredBrowsingContext(watcher.browserElement);+ const browsingContexts = watcher.getAllBrowsingContexts({+ acceptSameProcessIframes: true,+ forceAcceptTopLevelTarget: true,+ }); const promises = []; for (const browsingContext of browsingContexts) { const promise = browsingContext.currentWindowGlobal@@ -48,7 +46,10 @@ */ async function destroyTargets(watcher) { // Go over all existing BrowsingContext in order to destroy all targets- const browsingContexts = getFilteredBrowsingContext(watcher.browserElement);+ const browsingContexts = watcher.getAllBrowsingContexts({+ acceptSameProcessIframes: true,+ forceAcceptTopLevelTarget: true,+ }); for (const browsingContext of browsingContexts) { let windowActor; try {@@ -77,7 +78,10 @@ * The values to be added to this type of data */ async function addSessionDataEntry({ watcher, type, entries }) {- const browsingContexts = getFilteredBrowsingContext(watcher.browserElement);+ const browsingContexts = watcher.getAllBrowsingContexts({+ acceptSameProcessIframes: true,+ forceAcceptTopLevelTarget: true,+ }); const promises = []; for (const browsingContext of browsingContexts) { const promise = browsingContext.currentWindowGlobal@@ -100,7 +104,10 @@ * See addSessionDataEntry for argument documentation. */ function removeSessionDataEntry({ watcher, type, entries }) {- const browsingContexts = getFilteredBrowsingContext(watcher.browserElement);+ const browsingContexts = watcher.getAllBrowsingContexts({+ acceptSameProcessIframes: true,+ forceAcceptTopLevelTarget: true,+ }); for (const browsingContext of browsingContexts) { browsingContext.currentWindowGlobal .getActor(DEVTOOLS_WORKER_JS_WINDOW_ACTOR_NAME)@@ -113,29 +120,6 @@ } }-/**- * Get the list of all BrowsingContext we should interact with.- * The precise condition of which BrowsingContext we should interact with are defined- * in `shouldNotifyWindowGlobal`- *- * @param BrowserElement browserElement (optional)- * If defined, this will restrict to only the Browsing Context matching this- * Browser Element and any of its (nested) children iframes.- */-function getFilteredBrowsingContext(browserElement) {- const browsingContexts = getAllRemoteBrowsingContexts(- browserElement?.browsingContext- );- if (browserElement?.browsingContext) {- browsingContexts.push(browserElement?.browsingContext);- }- return browsingContexts.filter(browsingContext =>- shouldNotifyWindowGlobal(browsingContext, browserElement?.browserId, {- acceptNonRemoteFrame: true,- })- );-}- module.exports = { createTargets, destroyTargets,
Let me analyze the code diff for potential security vulnerabilities. Here's my analysis:
1. Vulnerability Existed: not sure
[Potential Information Leak] [devtools/server/actors/watcher/target-helpers/worker-helper.js] [Lines 3-6, 113-129]
[Old Code]
const {
getAllRemoteBrowsingContexts,
shouldNotifyWindowGlobal,
} = require("devtools/server/actors/watcher/target-helpers/utils.js");
function getFilteredBrowsingContext(browserElement) {
const browsingContexts = getAllRemoteBrowsingContexts(
browserElement?.browsingContext
);
if (browserElement?.browsingContext) {
browsingContexts.push(browserElement?.browsingContext);
}
return browsingContexts.filter(browsingContext =>
shouldNotifyWindowGlobal(browsingContext, browserElement?.browserId, {
acceptNonRemoteFrame: true,
})
);
}
[Fixed Code]
(Removed entirely)
Additional Details: The removal of the custom filtering function and its dependencies might indicate a security improvement. The old code had custom logic for browsing context filtering which could potentially lead to information leaks if not properly implemented. The new version uses a more standardized watcher.getAllBrowsingContexts() method with explicit parameters.
2. Vulnerability Existed: not sure
[Potential Cross-Process Security Issue] [devtools/server/actors/watcher/target-helpers/worker-helper.js] [Multiple locations]
[Old Code]
const browsingContexts = getFilteredBrowsingContext(watcher.browserElement);
[Fixed Code]
const browsingContexts = watcher.getAllBrowsingContexts({
acceptSameProcessIframes: true,
forceAcceptTopLevelTarget: true,
});
Additional Details: The change to explicitly handle same-process iframes and top-level targets suggests improved security around cross-process communication. The old version's filtering might have inadvertently exposed sensitive browsing contexts.
Note: While these changes appear to be security-related improvements, without more context about the specific threat model and the removed functions' implementations, I can't definitively identify specific vulnerabilities. The changes suggest a move toward more controlled and explicit browsing context handling, which generally improves security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/editing/data/forwarddelete.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/editing/data/forwarddelete.js@@ -1,3 +1,5 @@+class MyCustomElement extends HTMLElement {};+customElements.define("custom-element", MyCustomElement); // For documentation of the format, see README in this directory. var browserTests = [ ["foo[]",@@ -2627,4 +2629,61 @@ "<p contenteditable=\"false\"><unknown-element contenteditable=\"\"></unknown-element></p>", [true], {"forwarddelete":[false,false,"",false,false,""]}],+["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>[ab</p><p>c]d</p></custom-element></div>",+ [["forwarddelete",""]],+ ["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>d</p></custom-element></div>",+ "<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>d<br></p></custom-element></div>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>a[b</p><p>cd]</p></custom-element></div>",+ [["forwarddelete",""]],+ ["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>a</p></custom-element></div>",+ "<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p>a<br></p></custom-element></div>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><b>[ab</b></p><p><i>c]d</i></p></custom-element></div>",+ [["forwarddelete",""]],+ ["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><i>d</i></p></custom-element></div>",+ "<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><i>d</i><br></p></custom-element></div>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><b>a[b</b></p><p><i>cd]</i></p></custom-element></div>",+ [["forwarddelete",""]],+ ["<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><b>a</b></p></custom-element></div>",+ "<div contenteditable=\"false\"><custom-element contenteditable=\"\"><p><b>a</b><br></p></custom-element></div>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],++// Non-editable elements in editable content should be removed by hitting the+// Delete key. Delete the non-editable things, then, blocks should be merged.+["<p>abc[]</p><ul contenteditable=\"false\"><li>def</li></ul><p>ghi</p>",+ [["forwarddelete",""]],+ ["<p>abcghi</p>",+ "<p>abcghi<br></p>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<p>abc[]</p><ul><li contenteditable=\"false\">def</li></ul><p>ghi</p>",+ [["forwarddelete",""]],+ ["<p>abcghi</p>",+ "<p>abcghi<br></p>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<ul><li>abc[]</li><li contenteditable=\"false\">def</li><li>ghi</li></ul>",+ [["forwarddelete",""]],+ ["<ul><li>abcghi</li></ul>",+ "<ul><li>abcghi<br></li></ul>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<p>abc[]</p><ul><li contenteditable=\"false\">def</li><li>ghi</li></ul>",+ [["forwarddelete",""]],+ ["<p>abcghi</p>",+ "<p>abcghi<br></p>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}],+["<ul><li>abc[]</li><li contenteditable=\"false\">def</li></ul><p>ghi</p>",+ [["forwarddelete",""]],+ ["<ul><li>abcghi</li></ul>",+ "<ul><li>abcghi<br></li></ul>"],+ [true],+ {"forwarddelete":[false,false,"",false,false,""]}], ]
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be adding test cases for custom elements and contenteditable behavior rather than addressing security issues. Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerability found [File] [Lines 1-3, 2627-2629, and all added test cases] [Old Code - various test cases missing] [Fixed Code - added test cases for custom elements and contenteditable behavior] The changes consist of: 1. Adding a custom element definition at the start 2. Adding multiple test cases for: - Custom elements with contenteditable attributes - Nested contenteditable scenarios - Deletion behavior around non-editable elements - Various combinations of these cases These appear to be functional test additions rather than security fixes. The tests verify expected behavior of content editing operations involving custom elements and non-editable content within editable regions. No security-related patterns (like XSS, injection vulnerabilities, etc.) are evident in the changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.basic.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.basic.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.font = '20px serif'; _assertSame(ctx.font, '20px serif', "ctx.font", "'20px serif'");
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.basic.html] [Lines 17-18]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Notes:
- The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas`
- No security-related changes or vulnerability fixes are evident in this diff
- The modification seems to be for code consistency or readability rather than security
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/xpcom/components/nsComponentManager.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/xpcom/components/nsComponentManager.cpp@@ -110,6 +110,10 @@ if (type == GeckoProcessType_VR) { return !!(aSelector & Module::ALLOW_IN_VR_PROCESS);+ }++ if (type == GeckoProcessType_Utility) {+ return !!(aSelector & Module::ALLOW_IN_UTILITY_PROCESS); } if (aSelector & Module::MAIN_PROCESS_ONLY) {@@ -341,9 +345,17 @@ ProcessSelectorMatches( ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS); gProcessMatchTable[size_t(+ ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS)] =+ ProcessSelectorMatches(+ ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS);+ gProcessMatchTable[size_t( ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS)] = ProcessSelectorMatches( ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS);+ gProcessMatchTable[size_t(+ ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS)] =+ ProcessSelectorMatches(+ ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS); } MOZ_ASSERT(NOT_INITIALIZED == mStatus);
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Process Isolation Control] [xpcom/components/nsComponentManager.cpp] [Lines 110-114]
[Old Code]
if (type == GeckoProcessType_VR) {
return !!(aSelector & Module::ALLOW_IN_VR_PROCESS);
}
[Fixed Code]
if (type == GeckoProcessType_VR) {
return !!(aSelector & Module::ALLOW_IN_VR_PROCESS);
}
if (type == GeckoProcessType_Utility) {
return !!(aSelector & Module::ALLOW_IN_UTILITY_PROCESS);
}
2. Vulnerability Existed: not sure
[Process Isolation Control] [xpcom/components/nsComponentManager.cpp] [Lines 341-354]
[Old Code]
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS);
[Fixed Code]
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS);
The changes appear to be adding support for a new Utility process type and updating process isolation controls. While these changes relate to security (process isolation), I can't determine if they're fixing specific vulnerabilities or just adding new functionality. The modifications ensure proper process isolation for the new Utility process type, which is a security-related feature, but there's no clear evidence they're fixing an existing vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.image.string.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.image.string.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(TypeError, function() { ctx.createPattern('../images/red.png', 'repeat'); }); t.done();
Analyzing the provided code diff, here's the security analysis: 1. Vulnerability Existed: no No specific vulnerability was found in this diff. The changes appear to be primarily variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security fixes. The diff shows: - Old variable name: `offscreenCanvas` - New variable name: `canvas` - The functionality remains the same (testing canvas pattern creation with invalid input) This appears to be a code style/readability change rather than a security fix. The test continues to verify that `createPattern` throws a TypeError when given an invalid image path, which is the expected behavior. No known vulnerabilities (like XSS, path traversal, etc.) are being addressed in this change. The test case itself is security-related (verifying proper error handling), but the diff doesn't represent a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/gecko_taskgraph/transforms/task.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/gecko_taskgraph/transforms/task.py@@ -836,6 +836,7 @@ "mac_single_file", ), Optional("entitlements-url"): str,+ Optional("requirements-plist-url"): str, }, ) def build_scriptworker_signing_payload(config, task, task_def):@@ -847,8 +848,9 @@ } if worker.get("mac-behavior"): task_def["payload"]["behavior"] = worker["mac-behavior"]- if worker.get("entitlements-url"):- task_def["payload"]["entitlements-url"] = worker["entitlements-url"]+ for attribute in ("entitlements-url", "requirements-plist-url"):+ if worker.get(attribute):+ task_def["payload"][attribute] = worker[attribute] artifacts = set(task.get("release-artifacts", [])) for upstream_artifact in worker["upstream-artifacts"]: for path in upstream_artifact["paths"]:@@ -1205,6 +1207,7 @@ "push-msix", schema={ Required("channel"): str,+ Optional("publish-mode"): str, Required("upstream-artifacts"): [ { Required("taskId"): taskref_or_string,@@ -1221,6 +1224,8 @@ "channel": worker["channel"], "upstreamArtifacts": worker["upstream-artifacts"], }+ if worker.get("publish-mode"):+ task_def["payload"]["publishMode"] = worker["publish-mode"] @payload_builder(@@ -1481,6 +1486,26 @@ worker.setdefault("commit", False) yield task++[email protected]+def setup_raptor(config, tasks):+ """Add options that are specific to raptor jobs (identified by suite=raptor).++ This variant uses a separate set of transforms for manipulating the tests at the+ task-level. Currently only used for setting the taskcluster proxy setting and+ the scopes required for perftest secrets.+ """+ from gecko_taskgraph.transforms.test.raptor import (+ task_transforms as raptor_transforms,+ )++ for task in tasks:+ if task.get("extra", {}).get("suite", "") != "raptor":+ yield task+ continue++ yield from raptor_transforms(config, [task]) @transforms.add
I'll analyze the code diff and provide the security findings following the specified format.
1. Vulnerability Existed: not sure
[Potential Missing Input Validation] [taskcluster/gecko_taskgraph/transforms/task.py] [Lines 836-848]
[Old Code]
Optional("entitlements-url"): str,
[Fixed Code]
Optional("entitlements-url"): str,
Optional("requirements-plist-url"): str,
Additional Details: The change adds a new optional field "requirements-plist-url" but doesn't show any validation for the URL format or content. While this might not be a direct vulnerability, lack of input validation could potentially lead to security issues.
2. Vulnerability Existed: not sure
[Potential Information Disclosure] [taskcluster/gecko_taskgraph/transforms/task.py] [Lines 1205-1224]
[Old Code]
Required("channel"): str,
[Fixed Code]
Required("channel"): str,
Optional("publish-mode"): str,
Additional Details: The addition of "publish-mode" could potentially affect how artifacts are published, but without seeing the implementation details, it's unclear if this could lead to information disclosure if misconfigured.
3. Vulnerability Existed: not sure
[Potential Scope Escalation] [taskcluster/gecko_taskgraph/transforms/task.py] [Lines 1486-1506]
[Old Code]
(none - new code added)
[Fixed Code]
@transforms.add
def setup_raptor(config, tasks):
"""Add options that are specific to raptor jobs (identified by suite=raptor).
This variant uses a separate set of transforms for manipulating the tests at the
task-level. Currently only used for setting the taskcluster proxy setting and
the scopes required for perftest secrets.
"""
Additional Details: The new raptor setup function mentions handling "scopes required for perftest secrets" which could potentially be a security-sensitive area if not properly implemented, but we can't see the actual implementation details.
Note: The analysis is limited by only seeing the diff and not the full context of how these changes are implemented and used. Most changes appear to be feature additions rather than direct security fixes, but could have security implications depending on their implementation.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/shared/test/browser_filter-editor-10.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/shared/test/browser_filter-editor-10.js@@ -72,6 +72,7 @@ "Should work if a there is a selection, starting with the number" );+ widget.destroy(); triggerKey = null; });
Analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: not sure
[Potential Resource Leak] [devtools/client/shared/test/browser_filter-editor-10.js] [Lines 72]
[Old Code]
(no explicit widget destruction)
[Fixed Code]
widget.destroy();
Additional Details:
- The diff shows the addition of `widget.destroy()` call before clearing the `triggerKey` variable.
- While this isn't a classic security vulnerability, it could potentially lead to resource leaks if widgets aren't properly destroyed.
- The change appears to be more about proper resource management than fixing a specific security vulnerability.
- Without more context about the widget's implementation and its potential security implications, I can't definitively say this fixes a security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-167.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-167.xml@@ -8,7 +8,6 @@ ]]></style> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p>The first line of this paragraph should have a green background.</p>
Based on the provided diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-167.xml [Lines] 8 [Old Code] <meta name="flags" content="" /> [Fixed Code] (removed line) Additional Details: - The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to have any security implications - This seems to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification doesn't affect any security-sensitive functionality The change appears to be a minor cleanup of test metadata rather than addressing any security concern. The removed line was an empty meta tag that didn't serve any apparent security purpose.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.