!30 sync from 2203 LTS

From: @sun_hai_10 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-CVE-2023-23599.patch

@@ -0,0 +1,102 @@
+From 20abf3bf81bfe657e5af6741fa7b1b2268b6a457 Mon Sep 17 00:00:00 2001
+From: s30028044 <sunhai10@huawei.com>
+Date: Wed, 13 Mar 2024 14:17:29 +0800
+Subject: [PATCH] CVE-2023-23599
+
+---
+ devtools/client/shared/curl.js | 75 ++++++++++++++++++----------------
+ 1 file changed, 39 insertions(+), 36 deletions(-)
+
+diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
+index 022158bebd..c42e2d0580 100644
+--- a/devtools/client/shared/curl.js
++++ b/devtools/client/shared/curl.js
+@@ -426,46 +426,49 @@ const CurlUtils = {
+    */
+   escapeStringWin: function(str) {
+     /*
+-       Replace the backtick character ` with `` in order to escape it.
+-       The backtick character is an escape character in PowerShell and
+-       can, among other things, be used to disable the effect of some
+-       of the other escapes created below.
+-       Also see http://www.rlmueller.net/PowerShellEscape.htm for
+-       useful details.
+-
+-       Replace dollar sign because of commands in powershell when using
+-       double quotes. e.g $(calc.exe) Also see
+-       http://www.rlmueller.net/PowerShellEscape.htm for details.
+-
+-       Replace quote by double quote (but not by \") because it is
+-       recognized by both cmd.exe and MS Crt arguments parser.
+-
+-       Replace % by "%" because it could be expanded to an environment
+-       variable value. So %% becomes "%""%". Even if an env variable ""
+-       (2 doublequotes) is declared, the cmd.exe will not
+-       substitute it with its value.
+-
+-       Replace each backslash with double backslash to make sure
+-       MS Crt arguments parser won't collapse them.
+-
+-       Replace new line outside of quotes since cmd.exe doesn't let
+-       to do it inside. At the same time it gets duplicated,
+-       because first newline is consumed by ^.
+-       So for quote: `"Text-start\r\ntext-continue"`,
+-       we get: `"Text-start"^\r\n\r\n"text-continue"`,
+-       where `^\r\n` is just breaking the command, the `\r\n` right
+-       after is actual escaped newline.
++      Because cmd.exe parser and MS Crt arguments parsers use some of the
++      same escape characters, they can interact with each other in
++      horrible ways, the order of operations is critical.
+     */
++    const encapsChars = '"';
+     return (
+-      '"' +
++      encapsChars +
+       str
+-        .replaceAll("`", "``")
+-        .replaceAll("$", "`$")
+-        .replaceAll('"', '""')
+-        .replaceAll("%", '"%"')
++
++       //  Replace \ with \\ first because it is an escape character for certain
++        // conditions in both parsers.
+         .replace(/\\/g, "\\\\")
+-        .replace(/[\r\n]{1,2}/g, '"^$&$&"') +
+-      '"'
++ 
++        // Replace double quote chars with two double quotes (not by escaping with \") because it is
++        // recognized by both cmd.exe and MS Crt arguments parser.
++        .replace(/"/g, '""')
++ 
++        // Escape ` and $ so commands do not get executed e.g $(calc.exe) or `\$(calc.exe)
++        .replace(/[`$]/g, "\\$&")
++ 
++        // Then escape all characters we are not sure about with ^ to ensure it
++        // gets to MS Crt parser safely.
++        .replace(/[^a-zA-Z0-9\s_\-:=+~\/.',?;()*\$&\\{}\"`]/g, "^$&")
++
++        // The % character is special because MS Crt parser will try and look for
++        // ENV variables and fill them in its place. We cannot escape them with %
++        // and cannot escape them with ^ (because it's cmd.exe's escape not MS Crt
++        // parser); So we can get cmd.exe parser to escape the character after it,
++        // if it is followed by a valid beginning character of an ENV variable.
++        // This ensures we do not try and double escape another ^ if it was placed
++        // by the previous replace.
++        .replace(/%(?=[a-zA-Z0-9_])/g, "%^")
++
++        // We replace \r and \r\n with \n, this allows to consistently escape all new
++        // lines in the next replace
++        .replace(/\r\n?/g, "\n")
++
++        // Lastly we replace new lines with ^ and TWO new lines because the first
++        // new line is there to enact the escape command the second is the character
++        // to escape (in this case new line).
++        // The extra " enables escaping new lines with ^ within quotes in cmd.exe.
++        .replace(/\n/g, '"^\r\n\r\n"') +
++      encapsChars
+     );
+   },
+ };
+-- 
+2.27.0
+

backport-CVE-2023-23601.patch

@@ -0,0 +1,126 @@
+From 6ee2be9efaae3ca33e0c1284966ee0a142026089 Mon Sep 17 00:00:00 2001
+From: s30028044 <sunhai10@huawei.com>
+Date: Sat, 9 Mar 2024 22:00:16 +0800
+Subject: [PATCH] CVE-2023-23601
+
+---
+ dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
+ dom/events/DataTransfer.cpp          | 12 ++++++++++++
+ dom/events/DataTransfer.h            |  3 +++
+ dom/webidl/DataTransfer.webidl       |  7 +++++++
+ 4 files changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
+index d3d64d9a81..e812c96656 100644
+--- a/dom/base/ContentAreaDropListener.jsm
++++ b/dom/base/ContentAreaDropListener.jsm
+@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
+       return true;
+     }
+ 
+-    let sourceNode = dataTransfer.mozSourceNode;
+-    if (!sourceNode) {
++    // If this is an external drag, allow drop.
++    let sourceWC = dataTransfer.sourceWindowContext;
++    if (!sourceWC) {
+       return true;
+     }
+ 
+-    // don't allow a drop of a node from the same document onto this one
+-    let sourceDocument = sourceNode.ownerDocument;
+-    let eventDocument = aEvent.originalTarget.ownerDocument;
+-    if (sourceDocument == eventDocument) {
++    // If drag source and drop target are in the same top window, don't allow.
++    let eventWC =
++      aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
++    if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
+       return false;
+     }
+ 
+-    // also check for nodes in other child or sibling frames by checking
+-    // if both have the same top window.
+-    if (sourceDocument && eventDocument) {
+-      if (sourceDocument.defaultView == null) {
+-        return true;
+-      }
+-      let sourceRoot = sourceDocument.defaultView.top;
+-      if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
+-        return false;
+-      }
+-    }
+-
+     return true;
+   },
+ 
+diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
+index 243b102d43..82a5a99a17 100644
+--- a/dom/events/DataTransfer.cpp
++++ b/dom/events/DataTransfer.cpp
+@@ -40,6 +40,7 @@
+ #include "mozilla/dom/FileList.h"
+ #include "mozilla/dom/BindingUtils.h"
+ #include "mozilla/dom/OSFileSystem.h"
++#include "mozilla/dom/WindowContext.h"
+ #include "mozilla/dom/Promise.h"
+ #include "nsComponentManagerUtils.h"
+ #include "nsNetUtil.h"
+@@ -436,6 +437,17 @@ already_AddRefed<nsINode> DataTransfer::GetMozSourceNode() {
+   return sourceNode.forget();
+ }
+ 
++already_AddRefed<WindowContext> DataTransfer::GetSourceWindowContext() {
++  nsCOMPtr<nsIDragSession> dragSession = nsContentUtils::GetDragSession();
++  if (!dragSession) {
++    return nullptr;
++  }
++
++  RefPtr<WindowContext> sourceWindowContext;
++  dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext));
++  return sourceWindowContext.forget();
++}
++
+ already_AddRefed<DOMStringList> DataTransfer::MozTypesAt(
+     uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
+   // Only the first item is valid for clipboard events
+diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
+index a091f2069f..614b33ed25 100644
+--- a/dom/events/DataTransfer.h
++++ b/dom/events/DataTransfer.h
+@@ -41,6 +41,7 @@ class FileList;
+ class Promise;
+ template <typename T>
+ class Optional;
++class WindowContext;
+ 
+ #define NS_DATATRANSFER_IID                          \
+   {                                                  \
+@@ -261,6 +262,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
+ 
+   already_AddRefed<nsINode> GetMozSourceNode();
+ 
++  already_AddRefed<WindowContext> GetSourceWindowContext();
++
+   /*
+    * Integer version of dropEffect, set to one of the constants in
+    * nsIDragService.
+diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
+index 7f7528d9c0..da89243b6f 100644
+--- a/dom/webidl/DataTransfer.webidl
++++ b/dom/webidl/DataTransfer.webidl
+@@ -159,6 +159,13 @@ partial interface DataTransfer {
+   [UseCounter]
+   readonly attribute Node? mozSourceNode;
+ 
++  /**
++   * The window context that mouse was pressed over to begin the drag. For
++   * external drags, this will be null.
++   */
++  [ChromeOnly]
++  readonly attribute WindowContext? sourceWindowContext;
++
+   /**
+    * The URI spec of the triggering principal.  This may be different than
+    * sourceNode's principal when sourceNode is xul:browser and the drag is
+-- 
+2.27.0
+

backport-CVE-2023-23602.patch

@@ -0,0 +1,123 @@
+From 500a65993b8054feec5ff74a57f446722c2564de Mon Sep 17 00:00:00 2001
+From: s30028044 <sunhai10@huawei.com>
+Date: Sat, 9 Mar 2024 21:43:47 +0800
+Subject: [PATCH] CVE-2023-23602
+
+---
+ dom/websocket/WebSocket.cpp | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp
+index 741f7b4c05..3786788f9e 100644
+--- a/dom/websocket/WebSocket.cpp
++++ b/dom/websocket/WebSocket.cpp
+@@ -152,7 +152,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor,
+   bool IsTargetThread() const;
+ 
+   nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+-                nsIPrincipal* aPrincipal, bool aIsServerSide,
++                nsIPrincipal* aPrincipal, const Maybe<ClientInfo>& aClientInfo,
++                nsICSPEventListener* aCSPEventListener, bool aIsServerSide,
+                 const nsAString& aURL, nsTArray<nsString>& aProtocolArray,
+                 const nsACString& aScriptFile, uint32_t aScriptLine,
+                 uint32_t aScriptColumn);
+@@ -1082,12 +1083,14 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable {
+ class InitRunnable final : public WebSocketMainThreadRunnable {
+  public:
+   InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl,
++               const Maybe<mozilla::dom::ClientInfo>& aClientInfo,
+                bool aIsServerSide, const nsAString& aURL,
+                nsTArray<nsString>& aProtocolArray,
+                const nsACString& aScriptFile, uint32_t aScriptLine,
+                uint32_t aScriptColumn)
+       : WebSocketMainThreadRunnable(aWorkerPrivate, "WebSocket :: init"_ns),
+         mImpl(aImpl),
++        mClientInfo(aClientInfo),
+         mIsServerSide(aIsServerSide),
+         mURL(aURL),
+         mProtocolArray(aProtocolArray),
+@@ -1117,10 +1120,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+       return true;
+     }
+ 
+-    mErrorCode =
+-        mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(),
+-                    doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray,
+-                    mScriptFile, mScriptLine, mScriptColumn);
++    mErrorCode = mImpl->Init(
++        jsapi.cx(), mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(),
++        mClientInfo, mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
++        mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
+     return true;
+   }
+ 
+@@ -1130,7 +1133,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+ 
+     mErrorCode =
+         mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(),
+-                    aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL,
++                    aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo,
++                    mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
+                     mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
+     return true;
+   }
+@@ -1138,6 +1142,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+   // Raw pointer. This worker runnable runs synchronously.
+   WebSocketImpl* mImpl;
+ 
++  Maybe<ClientInfo> mClientInfo;
+   bool mIsServerSide;
+   const nsAString& mURL;
+   nsTArray<nsString>& mProtocolArray;
+@@ -1318,8 +1323,8 @@ already_AddRefed<WebSocket> WebSocket::ConstructorCommon(
+     }
+ 
+     aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal,
+-                              !!aTransportProvider, aUrl, protocolArray, ""_ns,
+-                              0, 0);
++                              Nothing(), nullptr, !!aTransportProvider, aUrl,
++                              protocolArray, ""_ns, 0, 0);
+ 
+     if (NS_WARN_IF(aRv.Failed())) {
+       return nullptr;
+@@ -1344,8 +1349,9 @@ already_AddRefed<WebSocket> WebSocket::ConstructorCommon(
+     }
+ 
+     RefPtr<InitRunnable> runnable = new InitRunnable(
+-        workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray,
+-        nsDependentCString(file.get()), lineno, column);
++        workerPrivate, webSocketImpl,
++        workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider,
++        aUrl, protocolArray, nsDependentCString(file.get()), lineno, column);
+     runnable->Dispatch(Canceling, aRv);
+     if (NS_WARN_IF(aRv.Failed())) {
+       return nullptr;
+@@ -1526,8 +1532,10 @@ void WebSocket::DisconnectFromOwner() {
+ //-----------------------------------------------------------------------------
+ 
+ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+-                             nsIPrincipal* aPrincipal, bool aIsServerSide,
+-                             const nsAString& aURL,
++                             nsIPrincipal* aPrincipal,
++                             const Maybe<ClientInfo>& aClientInfo,
++                             nsICSPEventListener* aCSPEventListener,
++                             bool aIsServerSide, const nsAString& aURL
+                              nsTArray<nsString>& aProtocolArray,
+                              const nsACString& aScriptFile,
+                              uint32_t aScriptLine, uint32_t aScriptColumn) {
+@@ -1624,8 +1632,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+         aPrincipal,  // loading principal
+         aPrincipal,  // triggering principal
+         originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+-        nsIContentPolicy::TYPE_WEBSOCKET);
++        nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
+ 
++    if (aCSPEventListener) {
++      secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
++    }
+     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
+     rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, ""_ns, &shouldLoad,
+                                    nsContentUtils::GetContentPolicy());
+-- 
+2.27.0
+

mozjs91.spec

@@ -12,7 +12,7 @@
 # Big endian platforms
 Name:           mozjs%{major}
 Version:        91.6.0
-Release:        2
+Release:        4
 Summary:        SpiderMonkey JavaScript library
 License:        MPL-2.0
 Group:          System/Libraries
@@ -35,6 +35,11 @@ Patch12:        emitter.patch
 Patch14:        init_patch.patch
 # TODO: Check with mozilla for cause of these fails and re-enable spidermonkey compile time checks if needed
 Patch15:        spidermonkey_checks_disable.patch
+Patch16:        spidermonkey_support_loongarch64.patch
+
+Patch17:        backport-CVE-2023-23599.patch
+Patch18:        backport-CVE-2023-23601.patch
+Patch19:        backport-CVE-2023-23602.patch
 
 BuildRequires:  autoconf213 cargo ccache clang-devel gcc gcc-c++ libtool perl-devel llvm llvm-devel nasm pkgconfig python3-devel python3-setuptools
 BuildRequires:  python3-six readline-devel zip rust pkgconfig(icu-i18n) >= 67.1 pkgconfig(libffi) pkgconfig(nspr) pkgconfig(zlib) icu
@@ -206,6 +211,12 @@ popd
 %{_includedir}/mozjs-%{major}/
 
 %changelog
+* Thu Mar 21 2024 sunhai <sunhai10@huawei.com> - 91.6.0-4
+- fix CVEs
+
+* Thu Dec 15 2022 liuyu <liuyu@loongson.cn> - 91.6.0-3
+- support loongarch64 in spidermonkey
+
 * Thu Mar 24 2022 liyanan <liyanan32@huawei.com> - 91.6.0-2
 - remove %dist