From 5e4b699e9200c1689f9a0e90a31846eb9ae1993f Mon Sep 17 00:00:00 2001
From: hht8
Date: Wed, 13 May 2020 18:27:04 +0800
Subject: [PATCH] fix CVE-2020-6811
---
CVE-2020-6811.patch | 102 ++++++++++++++++++++++++++++++++++++++++++++
firefox.spec | 10 ++++-
2 files changed, 111 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-6811.patch
diff --git a/CVE-2020-6811.patch b/CVE-2020-6811.patch
new file mode 100644
index 0000000..c93f204
--- /dev/null
+++ b/CVE-2020-6811.patch
@@ -0,0 +1,102 @@
+From c73d875661b96789047dd5cdccff82f1f639924d Mon Sep 17 00:00:00 2001
+From: Jan Odvarko
+Date: Wed, 12 Feb 2020 11:52:30 +0000
+Subject: [PATCH] Bug 1607742 - Escape method argument r=Gijs
+
+Differential Revision: https://phabricator.services.mozilla.com/D60413
+
+--HG--
+extra : moz-landing-system : lando
+---
+devtools/client/shared/curl.js | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
+index 30d8382..6d862be 100644
+--- a/devtools/client/shared/curl.js
++++ b/devtools/client/shared/curl.js
+@@ -59,6 +59,17 @@ const Curl = {
+ const utils = CurlUtils;
+
+ let command = ["curl"];
++ // Make sure to use the following helpers to sanitize arguments before execution.
++ const addParam = value => {
++ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
++ command.push(safe);
++ };
++
++ const addPostData = value => {
++ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
++ postData.push(safe);
++ };
++
+ const ignoredHeaders = new Set();
+
+ // The cURL command is expected to run on the same platform that Firefox runs
+@@ -67,7 +78,7 @@ const Curl = {
+ utils.escapeStringWin : utils.escapeStringPosix;
+
+ // Add URL.
+- command.push(escapeString(data.url));
++ addParam(data.url);
+
+ let postDataText = null;
+ const multipartRequest = utils.isMultipartRequest(data);
+@@ -77,15 +88,15 @@ const Curl = {
+ if (utils.isUrlEncodedRequest(data) ||
+ ["PUT", "POST", "PATCH"].includes(data.method)) {
+ postDataText = data.postDataText;
+- postData.push("--data");
+- postData.push(escapeString(utils.writePostDataTextParams(postDataText)));
++ addPostData("--data");
++ addPostData(utils.writePostDataTextParams(postDataText));
+ ignoredHeaders.add("content-length");
+ } else if (multipartRequest) {
+ postDataText = data.postDataText;
+- postData.push("--data-binary");
++ addPostData("--data-binary");
+ const boundary = utils.getMultipartBoundary(data);
+ const text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
+- postData.push(escapeString(text));
++ addPostData(text);
+ ignoredHeaders.add("content-length");
+ }
+ // curl generates the host header itself based on the given URL
+@@ -95,13 +106,13 @@ const Curl = {
+ // For servers that supports HEAD.
+ // This will fetch the header of a document only.
+ if (data.method == "HEAD") {
+- command.push("-I");
++ addParam("-I");
+ } else if (!(data.method == "GET" || data.method == "POST")) {
+ // Add method.
+ // For HEAD, GET and POST requests this is not necessary. GET is the
+ // default, if --data or --binary is added POST is used, -I implies HEAD.
+- command.push("-X");
+- command.push(data.method);
++ addParam("-X");
++ addParam(data.method);
+ }
+
+ // Add request headers.
+@@ -113,14 +124,14 @@ const Curl = {
+ for (let i = 0; i < headers.length; i++) {
+ const header = headers[i];
+ if (header.name.toLowerCase() === "accept-encoding") {
+- command.push("--compressed");
++ addParam("--compressed");
+ continue;
+ }
+ if (ignoredHeaders.has(header.name.toLowerCase())) {
+ continue;
+ }
+- command.push("-H");
+- command.push(escapeString(header.name + ": " + header.value));
++ addParam("-H");
++ addParam(header.name + ": " + header.value);
+ }
+
+ // Add post data.
+--
+2.23.0
+
diff --git a/firefox.spec b/firefox.spec
index aad6d93..fda5e1f 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -1,7 +1,7 @@
 Name: firefox
 Summary: Mozilla Firefox Web browser
 Version: 62.0.3
-Release: 4
+Release: 5
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: http://download-origin.cdn.mozilla.net/pub/firefox/releases/62.0.3/source/firefox-62.0.3.source.tar.xz
@@ -29,6 +29,8 @@ Patch0016: mozilla-1467125.patch
 Patch0017: mozilla-1467128.patch
 Patch0018: mozilla-1415078.patch
+Patch6000: CVE-2020-6811.patch
+
 BuildRequires: pkgconfig(nspr) >= 4.19 pkgconfig(nss) >= 3.37.3 pkgconfig(libpng) pkgconfig(libffi)
 BuildRequires: pkgconfig(zlib) pkgconfig(libIDL-2.0) pkgconfig(gtk+-3.0) pkgconfig(gtk+-2.0) pkgconfig(krb5)
 BuildRequires: pkgconfig(pango) pkgconfig(freetype2) >= 2.1.9 pkgconfig(xt) pkgconfig(xrender) pkgconfig(dri)
@@ -315,5 +317,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_datadir}/applications/firefox-wayland.desktop
 %changelog
+* Wed May 13 2020 huanghaitao - 62.0.3-5
+- Type:cves
+- ID: CVE-2020-6811
+- SUG:restart
+- DESC: fix CVE-2020-6811
+
 * Wen Feb 26 2020 xuxijian - 62.0.3-4
 - Package init
--
Gitee
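Review bot: The skip-escaping decision is a regex copy-pasted into both `addParam` and `addPostData`, and `RegExp.prototype.test` stringifies its argument, so a `null` or `undefined` value matches as "null"/"undefined" and is pushed raw instead of reaching `escapeString`. A single shared helper keeps the allow-list in one place and sends non-strings down the escaping path: `const sanitize = value => typeof value === "string" && /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);`, with both helpers pushing `sanitize(value)`. The comment above the helpers should also say why the allow-list is safe, e.g. `// Letters and hyphens only: nothing a POSIX or Windows shell interprets, so literal flags pass through and every request-derived value (method, URL, headers, body) is escaped.` The function body continues past the last hunk ("Add post data."), so the fix only holds if no remaining `push` there takes a request-derived string directly.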
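Review bot: `Patch6000: CVE-2020-6811.patch` is declared, but none of the firefox.spec hunks adds a matching `%patch6000 -p1` to `%prep`; the nine added lines in the diffstat are all accounted for by the Release bump, the Patch tag and the changelog entry. The `%prep` section is outside the diff, so this is only correct if it already applies patches generically (for example `%autosetup -p1` or `%autopatch`). Otherwise the rebuilt package would carry a changelog claiming the fix while curl.js stays unpatched. Since the embedded patch is an upstream commit dated February 2020 and the packaged source is 62.0.3, it is also worth confirming in the build log that it applies without fuzz or rejected hunks.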