tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit 4da7b38901d0bf6f5ed88f888e84eb9b3d5ca4f6
parent 922ca40345c12f12ed236363f1645597a697f3db
Author: Ed Guloien <edgul@mozilla.com>
Date:   Mon, 29 Dec 2025 18:54:57 +0000

Bug 2001652 - Revendor in urlpattern 0.4.2 to get fuzzing crash fix r=necko-reviewers,supply-chain-reviewers,valentin

Differential Revision: https://phabricator.services.mozilla.com/D277203

Diffstat:
MCargo.lock | 4++--
Mnetwerk/base/urlpattern_glue/Cargo.toml | 2+-
Msupply-chain/audits.toml | 5+++++
Mthird_party/rust/urlpattern/.cargo-checksum.json | 4++--
Mthird_party/rust/urlpattern/Cargo.lock | 18+++++++++---------
Mthird_party/rust/urlpattern/Cargo.toml | 2+-
Mthird_party/rust/urlpattern/src/canonicalize_and_process.rs | 6+++++-
Mthird_party/rust/urlpattern/src/lib.rs | 6++++++
Mtoolkit/library/rust/shared/Cargo.toml | 2+-
9 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
@@ -7609,9 +7609,9 @@ dependencies = [
 [[package]]
 name = "urlpattern"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "957a88ad1abd5d13336275adb17d4f9b6a2404f3baed2e075e0b026dc0b2b58d"
+checksum = "0f805818f843b548bacc19609eb3619dd2850e54746f5cada37927393c2ef4ec"
 dependencies = [
 "icu_properties",
 "regex",
diff --git a/netwerk/base/urlpattern_glue/Cargo.toml b/netwerk/base/urlpattern_glue/Cargo.toml
@@ -6,7 +6,7 @@ authors = ["Ed Guloien <edgul@mozilla.com>"]
 license = "MPL-2.0"
 [dependencies]
-urlpattern = "0.4.1"
+urlpattern = "0.4.2"
 url = "2.5.7"
 regex = "1.10.5"
 mozurl = { path = "../../../netwerk/base/mozurl" }
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -6710,6 +6710,11 @@ who = "Valentin Gosu <valentin.gosu@gmail.com>"
 criteria = "safe-to-deploy"
 delta = "0.4.0 -> 0.4.1"
+[[audits.urlpattern]]
+who = "Ed Guloien <edgul@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.1 -> 0.4.2"
+
 [[audits.utf16_iter]]
 who = "Henri Sivonen <hsivonen@hsivonen.fi>"
 criteria = "safe-to-deploy"
diff --git a/third_party/rust/urlpattern/.cargo-checksum.json b/third_party/rust/urlpattern/.cargo-checksum.json
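Review bot: The new `[[audits.urlpattern]]` entry in the supply-chain/audits.toml hunk certifies the `0.4.1 -> 0.4.2` delta as `safe-to-deploy` without a `notes` field, so the audit trail does not record what was reviewed. The source delta shown on this page is small: a `starts_with("/-")` guard before the `&pathname[2..]` slice in `canonicalize_pathname`, plus the `issue78` regression test. Recording that lets a later auditor confirm the scope without re-diffing the crate. I would add a line such as `notes = "Guards the prefix strip in canonicalize_pathname against a crash found by fuzzing; adds a regression test."` under the `delta` line.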
@@ -1 +1 @@ -{"files":{"Cargo.lock":"d572e29279c1d7a280e7d6989bcdb565d4dcf2447a0db0acd682b5ab38bdc488","Cargo.toml":"ba5dd65763ff17d51d04690a6605f8f4c68e6031704d8b4a1fa8d5d5c3bc2ccf","LICENSE":"5cf1c9dc617e4cad7fa03181ff893601ad5243aa3be527ef39034e1cd6377676","README.md":"b94472cd652246ca8836702b9bdd3809508627aa0a552d09c9b4f222a3034cbb","src/canonicalize_and_process.rs":"6dd8e987b160e1dc4584a2fca3120ec681e74cdc121d3606b8cb7687a36ca0ca","src/component.rs":"68b02db2951883b552c116f172fea285e33c12065fa3d8a8aca327d2652cc7bf","src/constructor_parser.rs":"3373e1e4f50fc4876ffb2792893bdf2a1b2f662aa4605ea0f94fa4b900dec837","src/error.rs":"a8ee97b888e5ee8eddcf2e97d98615856d322d211a2cd61a49d5b10fce5c8c16","src/lib.rs":"a94bd6f332978299c7a66e257ca4f8d000a9759a99ef713352caa9a86673a8f9","src/matcher.rs":"609a4d3b50be6233d626f356fd46d61fc7ff06491e966f0fd4d99662a12d1833","src/parser.rs":"fcd913c9f8e8e205df509c1c5c76b9ad0de01214e380203fd37eae52a9f688c6","src/quirks.rs":"715d0381a798635af1c126d866af8873a2a5e6e38d34349e86b6ba87b0c01387","src/regexp.rs":"54800a3c02622e8efa85b9a8888ffd2842cfb211e34fa299e1eac7d0ee66f403","src/testdata/urlpatterntestdata.json":"4cecfe5bb8a9e688235f75e1fad603cfe1b0e87455b1feece858f143c57af0da","src/tokenizer.rs":"af95251846980cceaeea3f61f6a12367525f4299e511b5c3f84dd8f21a355f6b"},"package":"957a88ad1abd5d13336275adb17d4f9b6a2404f3baed2e075e0b026dc0b2b58d"} -\ No newline at end of file 
+{"files":{"Cargo.lock":"99c5787d518f23d6e7688a25101cc97c04b357dd7e90c01ad672be4e49d98b3a","Cargo.toml":"194ec8e17f0b294bc85cf0b53af176c6ae4ef50056f23776cd716f25513d8cc7","LICENSE":"5cf1c9dc617e4cad7fa03181ff893601ad5243aa3be527ef39034e1cd6377676","README.md":"b94472cd652246ca8836702b9bdd3809508627aa0a552d09c9b4f222a3034cbb","src/canonicalize_and_process.rs":"660863f1b16d941ce5951b8bd2e21f03b28be20bedd3f9d4f0ba056c456ccd10","src/component.rs":"68b02db2951883b552c116f172fea285e33c12065fa3d8a8aca327d2652cc7bf","src/constructor_parser.rs":"3373e1e4f50fc4876ffb2792893bdf2a1b2f662aa4605ea0f94fa4b900dec837","src/error.rs":"a8ee97b888e5ee8eddcf2e97d98615856d322d211a2cd61a49d5b10fce5c8c16","src/lib.rs":"6bfc5743f87e65c5dff51f753e13986c0aba2cce3f5b25717c0bea1ae680466c","src/matcher.rs":"609a4d3b50be6233d626f356fd46d61fc7ff06491e966f0fd4d99662a12d1833","src/parser.rs":"fcd913c9f8e8e205df509c1c5c76b9ad0de01214e380203fd37eae52a9f688c6","src/quirks.rs":"715d0381a798635af1c126d866af8873a2a5e6e38d34349e86b6ba87b0c01387","src/regexp.rs":"54800a3c02622e8efa85b9a8888ffd2842cfb211e34fa299e1eac7d0ee66f403","src/testdata/urlpatterntestdata.json":"4cecfe5bb8a9e688235f75e1fad603cfe1b0e87455b1feece858f143c57af0da","src/tokenizer.rs":"af95251846980cceaeea3f61f6a12367525f4299e511b5c3f84dd8f21a355f6b"},"package":"0f805818f843b548bacc19609eb3619dd2850e54746f5cada37927393c2ef4ec"} +\ No newline at end of file diff --git a/third_party/rust/urlpattern/Cargo.lock b/third_party/rust/urlpattern/Cargo.lock @@ -79,9 +79,9 @@ checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a" [[package]] name = "icu_properties" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e93fcd3157766c0c8da2f8cff6ce651a31f0810eaa1c51ec363ef790bbb5fb99" +checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec" dependencies = [ "icu_collections", "icu_locale_core", 
@@ -93,9 +93,9 @@ dependencies = [
 [[package]]
 name = "icu_properties_data"
-version = "2.1.1"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02845b3647bb045f1100ecd6480ff52f34c35f82d9880e029d329c21d1054899"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
 [[package]]
 name = "icu_provider"
@@ -177,9 +177,9 @@ dependencies = [
 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
 "proc-macro2",
 ]
@@ -276,9 +276,9 @@ checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.111"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -326,7 +326,7 @@ dependencies = [
 [[package]]
 name = "urlpattern"
-version = "0.4.1"
+version = "0.4.2"
 dependencies = [
 "icu_properties",
 "regex",
diff --git a/third_party/rust/urlpattern/Cargo.toml b/third_party/rust/urlpattern/Cargo.toml
@@ -12,7 +12,7 @@
 [package]
 edition = "2021"
 name = "urlpattern"
-version = "0.4.1"
+version = "0.4.2"
 authors = [
 "the Deno authors",
 "crowlKats <crowlkats@toaxl.com>",
diff --git a/third_party/rust/urlpattern/src/canonicalize_and_process.rs b/third_party/rust/urlpattern/src/canonicalize_and_process.rs
@@ -98,7 +98,11 @@ pub fn canonicalize_pathname(value: &str) -> Result<String, Error> {
 let mut url = url::Url::parse("http://dummy.test").unwrap();
 url.set_path(&modified_value);
 let mut pathname = url::quirks::pathname(&url);
- if !leading_slash {
+
+ // If the original value didn't have a leading slash, we prepended "/-".
+ // Only strip this prefix if it's still there after URL parsing.
+ // If the ".." segments were resolved, the "/-" prefix may have been removed.
+ if !leading_slash && pathname.starts_with("/-") {
 pathname = &pathname[2..];
 }
 Ok(pathname.to_string())
diff --git a/third_party/rust/urlpattern/src/lib.rs b/third_party/rust/urlpattern/src/lib.rs
@@ -1132,4 +1132,10 @@ mod tests {
 )
 .unwrap();
 }
+
+ #[test]
+ fn issue78() {
+ use crate::canonicalize_and_process::canonicalize_pathname;
+ assert!(canonicalize_pathname("3�/..").is_ok());
+ }
 }
diff --git a/toolkit/library/rust/shared/Cargo.toml b/toolkit/library/rust/shared/Cargo.toml
@@ -110,7 +110,7 @@ aa-stroke = { git = "https://github.com/FirefoxGraphics/aa-stroke", rev = "5776b
 etagere = { version = "0.2.13", features = ["ffi"] }
 url = "2.5.7"
-urlpattern = "0.4.1"
+urlpattern = "0.4.2"
 urlpattern_glue = { path = "../../../../netwerk/base/urlpattern_glue" }
 uritemplate_glue = { path = "../../../../netwerk/base/uritemplate_glue" }