Commit graph

13152 commits

Author SHA1 Message Date
Raymond Hill
b4eae1ef0b
Make Firefox dev build auto-update 2025-04-22 09:56:04 -04:00
Raymond Hill
c86beb3a37
Update changelog 2025-04-22 09:40:21 -04:00
Raymond Hill
89ba371fbe
New revision for dev build 2025-04-22 09:38:52 -04:00
Raymond Hill
59f4aca010
Exclude chrome: as valid openers for popup candidates
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2227
2025-04-22 09:34:26 -04:00
Raymond Hill
9c523f0325
Make Firefox dev build auto-update 2025-04-21 15:51:02 -04:00
Raymond Hill
6cc63d825e
New revision for dev build 2025-04-21 15:46:06 -04:00
Raymond Hill
2ee90bf22f
Update changelog 2025-04-21 15:45:55 -04:00
Raymond Hill
8b964a8c54
Fetch diff patches from "reliable" servers only
Some CDN servers take too long to mirror updated resources,
potentially preventing diff-updating to work reliably as
intended.
2025-04-21 15:42:04 -04:00
Raymond Hill
b5642ba602
[mv3] Minor 2025-04-21 13:21:08 -04:00
Raymond Hill
d3f39c97d1
[mv3-safari] Fix broken zapper due to latest changes
Related commit:
22e848c9c2
2025-04-21 12:58:44 -04:00
Raymond Hill
d17da2b081
Import translation work from https://crowdin.com/project/ublock 2025-04-21 09:42:58 -04:00
Raymond Hill
1d53441456
[mv3] Simplify sendMessage
onMessage() is now a listener installed synchrnously when uBOL
executes, so no longer need to deal with failure to send messages.

Related commit:
ab458b492a
2025-04-21 08:13:16 -04:00
Raymond Hill
22e848c9c2
[mv3] Fix zapper
Regression from:
b5651417aa
2025-04-21 08:11:22 -04:00
Raymond Hill
34d6abca6d
Revert "[mv3] Programmatically inject content scripts on version change"
This reverts commit d0e32a5f47.
2025-04-20 16:58:16 -04:00
Raymond Hill
d0e32a5f47
[mv3] Programmatically inject content scripts on version change
Related issue:
https://github.com/w3c/webextensions/issues/617
2025-04-20 16:44:08 -04:00
Raymond Hill
782fff35ea
[mv3] Split code path for wakeup versus launch status
Additionally, leave more regex rooms for non-strictblock rules.
2025-04-20 12:17:57 -04:00
Raymond Hill
2bd09e6f84
[mv3] Code review of conversion to DNR ruleset
- Ensure no duplicates in domain collection fields
- Sort rules according to the number of entries in their
  domain collections
2025-04-20 12:14:29 -04:00
Raymond Hill
de7a406920
[mv3] Minor code review 2025-04-19 17:52:28 -04:00
Raymond Hill
39b505a52e
[mv3] Fix safari build script 2025-04-19 14:39:00 -04:00
Raymond Hill
39913a8212
Fix Edge build script 2025-04-19 14:17:46 -04:00
Raymond Hill
8a14a8dc6b
Import translation work from https://crowdin.com/project/ublock 2025-04-19 14:02:32 -04:00
Raymond Hill
fbe1ba018e
[mv3] Remove unused file 2025-04-19 13:34:34 -04:00
Raymond Hill
b5651417aa
[mv3] Merge Safari branch
Safari version of uBO Lite can now be built from master branch.

Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/327
2025-04-19 13:08:59 -04:00
Raymond Hill
8016e7733a
[mv3] Move ruleset details into external config file 2025-04-19 08:37:29 -04:00
Raymond Hill
63ea23f334
[mv3] Minor change to build script 2025-04-18 07:57:21 -04:00
Raymond Hill
fd3a8720e9
Minor test to avoid code path 2025-04-16 16:14:58 -04:00
Raymond Hill
c299d39117
Import translation work from https://crowdin.com/project/ublock 2025-04-16 15:21:14 -04:00
Raymond Hill
a1689fb9d0
[mv3] Fix JSON, add description 2025-04-16 15:13:52 -04:00
Raymond Hill
b8adf5b027
[mv3] Add admin setting defaultFiltering
Setting name: "defaultFiltering"
Type: string
Valid values: "none", "basic", "optimal", "complete"

Additionally, fix default "basic" mode toggling back to "optimal"
upon extension restart when uBOL has broad host permissions. The
default mode will toggle automatically only when there is a change
in broad host permissions status.
2025-04-16 15:04:47 -04:00
Raymond Hill
3b34f9439a
Import translation work from https://crowdin.com/project/ublock 2025-04-16 08:39:43 -04:00
Raymond Hill
ec19e352b1
[mv3] Mitigate issues when hitting regex-based rules limit
When there are too many regex-based rules, uBOL will start to drop
some strict-block rules to comply with the framework limit regarding
the maximum number of regex-based rules.

Related issues:
- https://github.com/uBlockOrigin/uBOL-home/issues/317
- https://github.com/w3c/webextensions/issues/744
2025-04-16 08:19:52 -04:00
Raymond Hill
e20e6addf0
[mv3] Mind excluded to= hostnames in strict-block rules 2025-04-16 08:18:26 -04:00
Raymond Hill
eaedaf5b10
Fix regexes with potential catastrophic backtracking
The quoted email below was sent to ubo-security at raymondhill dot net:

=====
Dear Raymond,

I am writing to report a potential Regular Expression Denial of Service (ReDoS)
vulnerability in the 1p-filters.js script of uBlock Origin. The vulnerability
occurs due to the use of the regular expression /\s+$/, which is used to remove
trailing whitespace. This issue can lead to a denial of service when processing
strings with a large number of trailing spaces, potentially causing a browser to
freeze.

Affected file(s)

    js/1p-filters.js

Vulnerable pattern(s)

    Lines 131 and 167: /\s+$/

Description of the issue

The regular expression /\s+$/ is applied to remove trailing whitespace in user‑
provided content. However, when the content has a large number of spaces
(e.g., ~100,000), this pattern causes excessive backtracking in the regular
expression engine, resulting in performance degradation and UI freezing. This is
a classic ReDoS attack vector.

Steps to reproduce

1. Open the uBlock Origin dashboard and navigate to the My filters tab.
2. Run the following code in the browser's DevTools Console or as a bookmarklet.
3. Observe the UI freezing for several seconds or even longer, depending on the
   number of spaces used.

PoC (Proof of Concept)

/**
 * poc.js — triggers ReDoS in 1p-filters.js
 * Expected: <1 ms; Actual: several seconds – UI freeze
 */
(() => {
  const payload = " ".repeat(100000) + "!";  // 100,000 spaces + sentinel
  const run = () => {
    if (!window.cmEditor) {
      console.error("cmEditor not ready");
      return;
    }
    // Inject payload into the editor
    cmEditor.setValue(payload);

    console.time("ReDoS");
    // Call the vulnerable function (mirroring getEditorText)
    cmEditor.getValue().replace(/\s+$/, '');
    // Alternatively, simulate a realistic user flow:
    // document.querySelector('#userFiltersApply').click();
    console.timeEnd("ReDoS");
  };

  if (document.readyState === "complete") {
    run();
  } else {
    window.addEventListener("load", run, { once: true });
  }
})();

Impact

This issue can significantly degrade the user experience, causing the page to
become unresponsive. If an attacker can inject this malicious string into the
page (for example, through XSS or other attacks), it could lead to a denial of
service (DoS). This vulnerability can be triggered repeatedly, causing the
browser to hang indefinitely.

Suggested fix

The issue can be mitigated by replacing /\s+$/ with a more efficient solution,
such as a look‑behind assertion /(?<=\S)\s+$/ (available in modern browsers)
which ensures no backtracking occurs, or using trimEnd() for legacy support:

// Example of using look-behind:
cmEditor.setValue(text.replace(/(?<=\S)\s+$/, '') + '\n\n');

// Alternatively, using trimEnd():
cmEditor.setValue(text.trimEnd() + '\n\n');

Additional information

If required, I am happy to assist in testing or provide more information.
Please feel free to contact me for further clarification.

Best regards,
[redacted]
=====
2025-04-15 12:47:02 -04:00
Raymond Hill
87007e62c0
[mv3] Ensure POL-3 list is separate from POL-0 list in uBOL 2025-04-14 09:07:46 -04:00
Raymond Hill
b5eea3ce3a
[mv3] Fix Github Actions 2025-04-13 15:45:39 -04:00
Raymond Hill
e11335f5ad
[mv3] Fix Github Actions 2025-04-13 15:37:07 -04:00
Raymond Hill
20f52daf9b
Import translation work from https://crowdin.com/project/ublock 2025-04-13 15:23:08 -04:00
Raymond Hill
f15adcf2d5
[mv3] Ensure strict-blocking is enabled when gaining broad permissions 2025-04-13 10:24:23 -04:00
Raymond Hill
51db128dc2
[mv3] "Enable strict blocking" setting depends on broad host permissions 2025-04-13 10:13:18 -04:00
Raymond Hill
7c5c93f073
Import translation work from https://crowdin.com/project/ublock 2025-04-13 09:34:22 -04:00
Raymond Hill
dc3602985f
[mv3] Update summary description 2025-04-13 09:19:25 -04:00
Raymond Hill
9bf05023c1
Import translation work from https://crowdin.com/project/ublock 2025-04-13 09:16:54 -04:00
Raymond Hill
50f87c21ea
[mv3] Provide console feedback that work is ongoing when building 2025-04-13 09:04:13 -04:00
Raymond Hill
f51a4c79db
[mv3] Determine "genericity" on a per-cosmetic filter basis
Related issue:
https://github.com/uBlockOrigin/uBOL-home/issues/328
2025-04-13 09:02:12 -04:00
Raymond Hill
12c8bc6c5b
Make Firefox dev build auto-update 2025-04-13 07:45:55 -04:00
Raymond Hill
a33e2e4115
New revision for dev build 2025-04-13 07:39:03 -04:00
Raymond Hill
5ed1b07034
Update changelog 2025-04-13 07:38:19 -04:00
Raymond Hill
cac420a22d
Rename trusted-create-element to trusted-create-html
To avoid confusion with AG's own `trusted-create-element`, which has
a different syntax and a different purpose.
2025-04-13 07:34:36 -04:00
Raymond Hill
c15dc9d8ff
Fix scrollbars not following dark theme
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3604
2025-04-12 15:51:36 -04:00
Raymond Hill
dfd42ebf5f
Improve noscript spoofing
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2642
2025-04-12 15:20:18 -04:00