
commit 5c7b1adb9c3f08f3402dc3402cd4ddc959984e5e
parent e53d1ca4562176038a2f16bc410f90177fb11a57
Author: Hubert Boma Manilla <hmanilla@mozilla.com>
Date:   Sat, 22 Nov 2025 19:39:28 +0000

Bug 1996761 - [devtools] Replace any other whitespace like characters with space r=devtools-reviewers,nchevobbe

Certain control characters (e.g. tab or form feed) are whitespace-like characters.
This replaces them with a simple space.

Differential Revision: https://phabricator.services.mozilla.com/D272425

Diffstat:
Mdevtools/client/netmonitor/test/browser_net_curl-utils.js | 7+++++++
Mdevtools/client/shared/curl.js | 10+++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/devtools/client/netmonitor/test/browser_net_curl-utils.js b/devtools/client/netmonitor/test/browser_net_curl-utils.js
@@ -368,6 +368,13 @@ function testEscapeStringWin() {
'^\" - \u0007 \u0010 \u0014 \u001b \u001a - ^\"',
"Control characters should not be escaped with ^."
);
+
+ const controlCharsWithWhitespaces = " -\tcalc.exe\f- ";
+ is(
+ CurlUtils.escapeStringWin(controlCharsWithWhitespaces),
+ '^\" - calc.exe - ^\"',
+ "Control (non-printable) characters which are whitespace like charaters e.g (tab & form feed)"
+ );
}
async function createCurlData(selected, getLongString, requestData) {
diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
@@ -463,7 +463,7 @@ const CurlUtils = {
// Then escape all characters we are not sure about with ^ to ensure it
// gets to MS Crt parser safely.
- // Note: Also do not escape unicode control (C) non-printable characters
+ // Note: Also do not escape unicode control (C) non-printable characters
// https://www.compart.com/en/unicode/category (this is captured with `\p{C}` and the `u` unicode flag)
.replace(/[^-a-zA-Z0-9\s_:=+~\/.',?;()*`\p{C}]/gu, "^$&")
@@ -476,6 +476,14 @@ const CurlUtils = {
// by the previous replace.
.replace(/%(?=[a-zA-Z0-9_])/g, "%^")
+ // All other whitespace characters are replaced with a single space, as there
+ // is no way to enter their literal values in a command line, and they do break
+ // the command allowing for injection.
+ // Since want to keep line breaks, we need to exclude them in the regex (`[^\r\n]`),
+ // and use double negations to get the other whitespace chars (`[^\S]` translates
+ // to "not not whitespace")
+ .replace(/[^\S\r\n]/g, " ")
+
// Lastly we replace new lines with ^ and TWO new lines because the first
// new line is there to enact the escape command the second is the character
// to escape (in this case new line).
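Review bot: The case added to testEscapeStringWin covers only tab and form feed, while the `[^\S\r\n]` class introduced in curl.js also matches vertical tab, no-break space, U+2028/U+2029 and the other Unicode space characters; an assertion for `\v` and one for a non-ASCII whitespace such as `\u00a0` would pin that behaviour. A case that mixes these characters with `\r\n` would also show that line breaks still reach the newline step untouched. The assertion message has a typo ("charaters") and does not state the expectation; consider `"Whitespace-like control characters (e.g. tab, form feed) should be replaced with a space"`.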
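Review bot: The new `.replace(/[^\S\r\n]/g, " ")` deliberately leaves `\r` and `\n` to the newline step that follows, whose regex lies outside this hunk, so it is worth confirming that step also handles a bare `\r`; otherwise a lone carriage return would pass through both replacements unchanged. The comment says whitespace is replaced "with a single space", but the regex substitutes character by character, so a run of tabs becomes a run of spaces; wording such as `// Every other whitespace character is replaced with a space` avoids implying that runs are collapsed. The comment could also state that the substitution is lossy: a tab or no-break space inside a request body or header value is altered, so the copied command may not reproduce the request byte for byte. Minor wording in the same comment: `// Since we want to keep line breaks, ...`.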