From 9b3b5e050376f2d9d4c8dd17eddce4df417f9ebc Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 9 Sep 2018 15:00:08 +0200
Subject: Prevent total breakages when policies accidentally map to invalid
 match patterns.

---
 src/bg/ChildPolicies.js | 33 +++++++++++++++++++++------------
 src/common/Policy.js    |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/bg/ChildPolicies.js b/src/bg/ChildPolicies.js
index e8608ad..d822f61 100644
--- a/src/bg/ChildPolicies.js
+++ b/src/bg/ChildPolicies.js
@@ -65,7 +65,9 @@
   let protocolRx = /^(\w+):/i;
   let pathRx = /(?:[^:/]\/|:\/{3})$/;
   let portRx = /:\d+(?=\/|$)/;
-  let validMatchPatternRx = /^(?:\*|(?:http|ws|ftp)s?|file):\/\/(?:\*\.)?(?:[\w\u0100-\uf000][\w\u0100-\uf000.-]*)?\/(\*|[^*]*)$/;
+  let validMatchPatternRx = /^(?:\*|(?:http|ws|ftp)s?|file):\/\/(?:\*|(?:\*\.)?[\w\u0100-\uf000][\w\u0100-\uf000.-]*)?\/(\*|[^*]*)$/;
+
+  let validMatchPattern = mp => validMatchPatternRx.test(mp);
 
   let siteKey2MatchPattern = site => {
     let hasProtocol = site.match(protocolRx);
@@ -75,10 +77,13 @@
       if (!mp) return false;
     } else {
       let protocol = Sites.isSecureDomainKey(site) ? "https://" : "*://";
+      mp = `${protocol}*`;
       let hostname = Sites.toggleSecureDomainKey(site, false).replace(portRx, '');
-      if (!tld.preserveFQDNs) hostname = tld.normalize(hostname);
-      mp = `${protocol}*.${hostname}`;
-      if (!hostname.includes("/")) mp += "/";
+      if (hostname && hostname !== ".") {
+        if (!tld.preserveFQDNs) hostname = tld.normalize(hostname);
+        mp += hostname.startsWith(".") ? hostname : `.${hostname}`;
+      }
+      if (!(hostname && hostname.includes("/"))) mp += "/";
     }
 
     return validMatchPatternRx.test(mp) && (
@@ -87,14 +92,15 @@
 
   let withFQDNs = patterns => {
     return tld.preserveFQDNs ? patterns : patterns.concat(
-      patterns.map(p => p.replace(/^(?:\w+|\*):\/\/[^/]*[^./]/, '$&.'))
-    );
+      patterns.map(p => p.replace(/^(?:\w+|\*):\/\/[^/]*[^.*/]/, '$&.')
+        ).filter(validMatchPattern)
+      );
   }
 
   let siteKeys2MatchPatterns = keys =>
-    keys && withFQDNs(flatten(keys.map(siteKey2MatchPattern))
-      .filter(p => !!p))
-      || [];
+    keys ? [... new Set(
+      withFQDNs(flatten(keys.map(siteKey2MatchPattern)).filter(p => !!p)))]
+      : [];
 
   var ChildPolicies = {
     async storeTabInfo(tabId, info) {
@@ -110,9 +116,9 @@
         error(e);
       }
     },
-    async update(policy, debug) {
-      if (debug !== "undefined") Scripts.debug = debug;
-
+    async update(policy, tracing) {
+      if (tracing !== "undefined") Scripts.debug = tracing;
+      let t0 = Date.now();
       await Scripts.init();
 
       if (!policy.enforced) {
@@ -167,6 +173,9 @@
         await Scripts.register(Scripts.buildPerms(perms), siteKeys2MatchPatterns(keys), excludeMap.get(perms));
       }
       await Scripts.register(Scripts.buildPerms(serialized.DEFAULT, true), allUrls);
+      if (tracing) {
+        debug("All the child policies registered in %sms", Date.now() - t0);
+      }
     },
 
     getForDocument(policy, url, context = null) {
diff --git a/src/common/Policy.js b/src/common/Policy.js
index ca3c04c..37bd164 100644
--- a/src/common/Policy.js
+++ b/src/common/Policy.js
@@ -116,7 +116,7 @@ var {Permissions, Policy, Sites} = (() => {
     }
 
     set(k, v) {
-      if (!k || SKIP_RX.test(k)) return this;
+      if (!k || SKIP_RX.test(k) || k === "§:") return this;
       let [,domain] = DOMAIN_RX.exec(k);
       if (/[^\u0000-\u007f]/.test(domain)) {
         k = k.replace(domain, punycode.toASCII(domain));
-- 
cgit v1.2.3