[tbb-commits] [tor-browser/tor-browser-60.6.1esr-8.5-1] Bug 1532530 - Avoid loss of upload data by webRequest API r=kmag a=lizzard

[gk at torproject.org]

commit 30a070eefe4c881a1804690b8983db2911c2c99b
Author: Rob Wu <rob at robwu.nl>
Date:   Mon Mar 25 21:16:49 2019 +0000

    Bug 1532530 - Avoid loss of upload data by webRequest API r=kmag a=lizzard
    
    When an extension requests access to the request body of a request,
    `nsConverterInputStream` is used to parse the input streams that make up
    a request body. These input streams are later (re)used to upload the
    form data to the original destination (server).
    
    `nsConverterInputStream`'s destructor does however close the input
    streams, which results in data loss when the object is garbage-collected
    before the upload completes.
    
    This patch fixes the issue by explicitly nulling the underlying stream
    before returning from the form parser.
    
    Differential Revision: https://phabricator.services.mozilla.com/D24539
    
    --HG--
    extra : source : 574c141c8dd619a00ffa90fc40c2ba614afb46da
    extra : intermediate-source : 85efc85e2cf3e5d3e26cfdf8a716bbb9ac3551b5
---
 toolkit/modules/addons/WebRequestUpload.jsm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/toolkit/modules/addons/WebRequestUpload.jsm b/toolkit/modules/addons/WebRequestUpload.jsm
index 10770d7ee771..294a394cd93f 100644
--- a/toolkit/modules/addons/WebRequestUpload.jsm
+++ b/toolkit/modules/addons/WebRequestUpload.jsm
@@ -192,6 +192,7 @@ function parseFormData(stream, channel, lenient = false) {
   const BUFFER_SIZE = 8192;
 
   let touchedStreams = new Set();
+  let converterStreams = [];
 
   /**
    * Creates a converter input stream from the given raw input stream,
@@ -210,10 +211,12 @@ function parseFormData(stream, channel, lenient = false) {
     }
 
     touchedStreams.add(stream);
-    return ConverterInputStream(
+    let converterStream = ConverterInputStream(
       stream, "UTF-8", 0,
       lenient ? Ci.nsIConverterInputStream.DEFAULT_REPLACEMENT_CHARACTER
               : 0);
+    converterStreams.push(converterStream);
+    return converterStream;
   }
 
   /**
@@ -382,6 +385,12 @@ function parseFormData(stream, channel, lenient = false) {
     for (let stream of touchedStreams) {
       rewind(stream);
     }
+    for (let converterStream of converterStreams) {
+      // Release the reference to the underlying input stream, to prevent the
+      // destructor of nsConverterInputStream from closing the stream, which
+      // would cause uploads to break.
+      converterStream.init(null, null, 0, 0);
+    }
   }
 
   return null;