Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[patch] TypeError in noscript-spoof scriptlet with invalid meta refresh URL #1676

Closed
8 tasks done
vtriolet opened this issue Jul 31, 2021 · 2 comments
Closed
8 tasks done

[patch] TypeError in noscript-spoof scriptlet with invalid meta refresh URL #1676

vtriolet opened this issue Jul 31, 2021 · 2 comments
Labels
bug Something isn't working fixed issue has been addressed

Comments

@vtriolet
Copy link

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

The noscript-spoof scriptlet passes meta refresh URLs to the URL constructor without any exception handling:

https://github.com/gorhill/uBlock/blob/1.37.3b2/src/js/scriptlets/noscript-spoof.js#L45

This can cause the scriptlet to trigger a TypeError when an invalid meta refresh URL like "http://foo@" is specified. This uncaught exception prevents subsequent noscript nodes from being processed.

Proposed patch: vtriolet/uBlock@2b9aba2

A specific URL where the issue occurs

https://vtriolet.netlify.app/demos/ubo-invalid_meta_refresh_url.html

Steps to Reproduce

  1. Check the "Disable JavaScript" checkbox on the Settings page
  2. Visit https://vtriolet.netlify.app/demos/ubo-invalid_meta_refresh_url.html
  3. Notice that only the first noscript element has been transformed to a span

POC code for future reference:

<!DOCTYPE html>
<html>
 <head>
  <title>uBO - invalid meta refresh URL</title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
 </head>
 <body>
  <noscript><p>Node a should be visible</p></noscript>
  <noscript><meta http-equiv="refresh" content="15;url=https://foo@"></noscript>
  <noscript><p>Node b should also be visible</p></noscript> 
</body>
</html>

Expected behavior

All noscript nodes should be processed.

Actual behavior

Only the first noscript node is fully processed due to an uncaught TypeError:

Uncaught TypeError: Failed to construct 'URL': Invalid URL
    at autoRefresh (noscript-spoof.js:45)
    at noscript-spoof.js:77
    at noscript-spoof.js:81

uBlock Origin version

1.37.2

Browser name and version

Firefox 90.0.2, Chrome 92.0.4515.107

Operating System and version

Arch Linux
@gorhill
Copy link
Member

gorhill commented Jul 31, 2021

Thanks for finding and fixing the issue. I pulled your patch, gorhill/uBlock@2b9aba2. This makes you a contributor and next time you can open a pull request in https://github.com/gorhill/uBlock directly.

@vtriolet
Copy link
Author

Thanks, that sounds great.

@uBlock-user uBlock-user added bug Something isn't working fixed issue has been addressed labels Jul 31, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working fixed issue has been addressed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gorhill @uBlock-user @vtriolet