Title: [257325] releases/WebKitGTK/webkit-2.28
Revision
257325
Author
carlo...@webkit.org
Date
2020-02-25 08:00:56 -0800 (Tue, 25 Feb 2020)

Log Message

Merge r256395 - Bug 207424: Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type
<https://webkit.org/b/207424>
<rdar://problem/59250384>

Patch by Rob Buis <rb...@igalia.com> and David Kilzer <ddkil...@apple.com> on 2020-02-11
Reviewed by Rob Buis.

Source/WebCore:

Return StringView directly rather than wrapping
it in Optional, since a StringView can be null-tested.

Tests: TestWebKitAPI.ParsedContentType

* platform/network/ParsedContentType.cpp:
(WebCore::parseToken):
(WebCore::parseQuotedString):
(WebCore::ParsedContentType::parseContentType): Don't set type
parameter if parameterName is null string.  Remove unneeded
`parameterName` variable; use keyRange.toString() instead.

Tools:

* TestWebKitAPI/Tests/WebCore/ParsedContentType.cpp:
(TestWebKitAPI::TEST): Add more tests.

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (257324 => 257325)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-25 16:00:51 UTC (rev 257324)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-25 16:00:56 UTC (rev 257325)
@@ -1,3 +1,23 @@
+2020-02-11  Rob Buis  <rb...@igalia.com>
+
+        Bug 207424: Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type
+        <https://webkit.org/b/207424>
+        <rdar://problem/59250384>
+
+        Reviewed by Rob Buis.
+
+        Return StringView directly rather than wrapping
+        it in Optional, since StringView's can be null tested.
+
+        Tests: TestWebKitAPI.ParsedContentType
+
+        * platform/network/ParsedContentType.cpp:
+        (WebCore::parseToken):
+        (WebCore::parseQuotedString):
+        (WebCore::ParsedContentType::parseContentType): Don't set type
+        parameter if parameterName is null string.  Remove unneeded
+        `parameterName` variable; use keyRange.toString() instead.
+
 2020-02-11  Youenn Fablet  <you...@apple.com>
 
         Parent service worker controller should be used for child iframe as per https://w3c.github.io/ServiceWorker/#control-and-use-window-client

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/platform/network/ParsedContentType.cpp (257324 => 257325)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/platform/network/ParsedContentType.cpp	2020-02-25 16:00:51 UTC (rev 257324)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/platform/network/ParsedContentType.cpp	2020-02-25 16:00:56 UTC (rev 257325)
@@ -56,7 +56,7 @@
 
 using CharacterMeetsCondition = bool (*)(UChar);
 
-static Optional<StringView> parseToken(StringView input, unsigned& startIndex, CharacterMeetsCondition characterMeetsCondition, Mode mode, bool skipTrailingWhitespace = false)
+static StringView parseToken(StringView input, unsigned& startIndex, CharacterMeetsCondition characterMeetsCondition, Mode mode, bool skipTrailingWhitespace = false)
 {
     unsigned inputLength = input.length();
     unsigned tokenStart = startIndex;
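Review bot: The new `parseToken` signature makes a null StringView the "no token" sentinel, but nothing states that callers must distinguish null from empty, and that contract is what every `isNull()` check in the parseContentType hunks (and the parseQuotedString hunk) now relies on. Suggest a comment above the signature: `// Returns a null StringView when no token starts at startIndex; an empty but non-null view means a token was parsed, so callers must test isNull(), never isEmpty().` Whether an empty non-null view can actually be returned depends on the substring/return code after the trailing-whitespace loop, which is outside this hunk; if it can (for instance a subtype made only of spaces in MimeSniff mode), that input passes the `isNull()` check with an empty subtype and deserves a test. parseToken's body ends outside the hunk.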
@@ -63,7 +63,7 @@
     unsigned& tokenEnd = startIndex;
 
     if (tokenEnd >= inputLength)
-        return WTF::nullopt;
+        return StringView();
 
     while (tokenEnd < inputLength && characterMeetsCondition(input[tokenEnd])) {
         if (mode == Mode::Rfc2045 && !isTokenCharacter(input[tokenEnd]))
@@ -72,7 +72,7 @@
     }
 
     if (tokenEnd == tokenStart)
-        return WTF::nullopt;
+        return StringView();
     if (skipTrailingWhitespace) {
         while (input[tokenEnd - 1] == ' ')
             --tokenEnd;
@@ -125,7 +125,7 @@
     return false;
 }
 
-static Optional<StringView> parseQuotedString(StringView input, unsigned& startIndex)
+static StringView parseQuotedString(StringView input, unsigned& startIndex)
 {
     unsigned inputLength = input.length();
     unsigned quotedStringStart = startIndex + 1;
@@ -132,16 +132,16 @@
     unsigned& quotedStringEnd = startIndex;
 
     if (quotedStringEnd >= inputLength)
-        return WTF::nullopt;
+        return StringView();
 
     if (input[quotedStringEnd++] != '"' || quotedStringEnd >= inputLength)
-        return WTF::nullopt;
+        return StringView();
 
     bool lastCharacterWasBackslash = false;
     char currentCharacter;
     while ((currentCharacter = input[quotedStringEnd++]) != '"' || lastCharacterWasBackslash) {
         if (quotedStringEnd >= inputLength)
-            return WTF::nullopt;
+            return StringView();
         if (currentCharacter == '\\' && !lastCharacterWasBackslash) {
             lastCharacterWasBackslash = true;
             continue;
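Review bot: `char currentCharacter;` two lines above the loop narrows each `input[quotedStringEnd++]` element before it is compared with `'"'` and `'\\'`; the hunk's own `CharacterMeetsCondition` alias takes `UChar`, so these are presumably 16-bit code units, and a unit such as U+0122 then compares equal to the quote and U+015C to the backslash, terminating or escaping the quoted string on non-ASCII input. The return-type rewrite leaves this untouched; `UChar currentCharacter;` keeps the comparisons exact. It is pre-existing, but it is a parser-consistency defect worth fixing while the function is being reworked. The body of parseQuotedString continues past the hunk.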
@@ -234,7 +234,7 @@
 
     unsigned contentTypeStart = index;
     auto typeRange = parseToken(m_contentType, index, isNotForwardSlash, mode);
-    if (!typeRange || containsNonTokenCharacters(*typeRange, mode)) {
+    if (typeRange.isNull() || containsNonTokenCharacters(typeRange, mode)) {
         LOG_ERROR("Invalid Content-Type, invalid type value.");
         return false;
     }
@@ -245,7 +245,7 @@
     }
 
     auto subTypeRange = parseToken(m_contentType, index, isNotSemicolon, mode, mode == Mode::MimeSniff);
-    if (!subTypeRange || containsNonTokenCharacters(*subTypeRange, mode)) {
+    if (subTypeRange.isNull() || containsNonTokenCharacters(subTypeRange, mode)) {
         LOG_ERROR("Invalid Content-Type, invalid subtype value.");
         return false;
     }
@@ -262,7 +262,7 @@
     while (true) {
         skipSpaces(m_contentType, index);
         auto keyRange = parseToken(m_contentType, index, isNotSemicolonOrEqualSign, mode);
-        if (mode == Mode::Rfc2045 && (!keyRange || index >= contentTypeLength)) {
+        if (mode == Mode::Rfc2045 && (keyRange.isNull() || index >= contentTypeLength)) {
             LOG_ERROR("Invalid Content-Type parameter name.");
             return false;
         }
@@ -283,11 +283,10 @@
             if (m_contentType[index++] == ';')
                 continue;
         }
-        String parameterName = keyRange->toString();
 
         // Should we tolerate spaces here?
         String parameterValue;
-        Optional<StringView> valueRange;
+        StringView valueRange;
         if (index < contentTypeLength && m_contentType[index] == '"') {
             if (mode == Mode::MimeSniff) {
                 parameterValue = collectHTTPQuotedString(m_contentType, index);
@@ -297,15 +296,14 @@
         } else
             valueRange = parseToken(m_contentType, index, isNotSemicolon, mode, mode == Mode::MimeSniff);
 
-
         if (parameterValue.isNull()) {
-            if (!valueRange) {
+            if (valueRange.isNull()) {
                 if (mode == Mode::MimeSniff)
                     continue;
                 LOG_ERROR("Invalid Content-Type, invalid parameter value.");
                 return false;
             }
-            parameterValue = valueRange->toString();
+            parameterValue = valueRange.toString();
         }
 
         // Should we tolerate spaces here?
@@ -314,7 +312,8 @@
             return false;
         }
 
-        setContentTypeParameter(parameterName, parameterValue, mode);
+        if (!keyRange.isNull())
+            setContentTypeParameter(keyRange.toString(), parameterValue, mode);
 
         if (index >= contentTypeLength)
             return true;

Modified: releases/WebKitGTK/webkit-2.28/Tools/ChangeLog (257324 => 257325)


--- releases/WebKitGTK/webkit-2.28/Tools/ChangeLog	2020-02-25 16:00:51 UTC (rev 257324)
+++ releases/WebKitGTK/webkit-2.28/Tools/ChangeLog	2020-02-25 16:00:56 UTC (rev 257325)
@@ -1,3 +1,14 @@
+2020-02-11  Rob Buis  <rb...@igalia.com>
+
+        Bug 207424: Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type
+        <https://webkit.org/b/207424>
+        <rdar://problem/59250384>
+
+        Reviewed by Rob Buis.
+
+        * TestWebKitAPI/Tests/WebCore/ParsedContentType.cpp:
+        (TestWebKitAPI::TEST): Add more tests.
+
 2020-02-08  Yusuke Suzuki  <ysuz...@apple.com>
 
         [WTF] Try using 75% load factor for HashTable

Modified: releases/WebKitGTK/webkit-2.28/Tools/TestWebKitAPI/Tests/WebCore/ParsedContentType.cpp (257324 => 257325)


--- releases/WebKitGTK/webkit-2.28/Tools/TestWebKitAPI/Tests/WebCore/ParsedContentType.cpp	2020-02-25 16:00:51 UTC (rev 257324)
+++ releases/WebKitGTK/webkit-2.28/Tools/TestWebKitAPI/Tests/WebCore/ParsedContentType.cpp	2020-02-25 16:00:56 UTC (rev 257325)
@@ -49,16 +49,28 @@
     EXPECT_FALSE(isValidContentType("/plain", Mode::MimeSniff));
 
     EXPECT_TRUE(isValidContentType("text/plain;", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;;", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;;;", Mode::MimeSniff));
 
     EXPECT_TRUE(isValidContentType("text/plain;test", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain; test", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test=", Mode::MimeSniff));
-    EXPECT_TRUE(isValidContentType("text/plain;test=;test=value", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;;;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;;", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;;;", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain; test=value", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test =value", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test= value", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test=value ", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;=;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;=", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;wrong=;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;=wrong;test=value", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;wrong=", Mode::MimeSniff));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;=wrong", Mode::MimeSniff));
 
     EXPECT_TRUE(isValidContentType("text/plain;test=\"value\"", Mode::MimeSniff));
     EXPECT_TRUE(isValidContentType("text/plain;test=\"value", Mode::MimeSniff));
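Review bot: The removed `text/plain;test=;test=value` case was the only one in this hunk with a repeated parameter name, and its replacements (`wrong=;test=value`, `=;test=value`, and so on) all use distinct names, so the behaviour when a name repeats is no longer asserted; the same substitution appears in the hunks at @@ -82,16 and @@ -212,8. Consider keeping the duplicate-name case alongside the new ones, e.g. `EXPECT_TRUE(isValidContentType("text/plain;test=;test=value", Mode::MimeSniff));` with the matching serialize expectation, unless it is already covered outside these hunks. Parameter de-duplication is behaviour downstream consumers depend on, so it should stay pinned by a test.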
@@ -82,16 +94,28 @@
     EXPECT_FALSE(isValidContentType("/plain", Mode::Rfc2045));
 
     EXPECT_FALSE(isValidContentType("text/plain;", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;;", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;;;", Mode::Rfc2045));
 
     EXPECT_FALSE(isValidContentType("text/plain;test", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain; test", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain;test=", Mode::Rfc2045));
-    EXPECT_FALSE(isValidContentType("text/plain;test=;test=value", Mode::Rfc2045));
     EXPECT_TRUE(isValidContentType("text/plain;test=value", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;;test=value", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;;;test=value", Mode::Rfc2045));
+    EXPECT_TRUE(isValidContentType("text/plain;test=value;", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;test=value;;", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;test=value;;;", Mode::Rfc2045));
     EXPECT_TRUE(isValidContentType("text/plain; test=value", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain;test =value", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain;test= value", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain;test=value ", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;=;test=value", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;test=value;=", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;wrong=;test=value", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;=wrong;test=value", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;test=value;wrong=", Mode::Rfc2045));
+    EXPECT_FALSE(isValidContentType("text/plain;test=value;=wrong", Mode::Rfc2045));
 
     EXPECT_TRUE(isValidContentType("text/plain;test=\"value\"", Mode::Rfc2045));
     EXPECT_FALSE(isValidContentType("text/plain;test=\"value", Mode::Rfc2045));
@@ -144,7 +168,13 @@
 TEST(ParsedContentType, Serialize)
 {
     EXPECT_STREQ(serializeIfValid(""), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid(" "), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid("  "), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid("\t"), "NOTVALID");
     EXPECT_STREQ(serializeIfValid(";"), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid(";="), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid("="), "NOTVALID");
+    EXPECT_STREQ(serializeIfValid("=;"), "NOTVALID");
     EXPECT_STREQ(serializeIfValid("text"), "NOTVALID");
     EXPECT_STREQ(serializeIfValid("text/"), "NOTVALID");
     EXPECT_STREQ(serializeIfValid("text/\0"), "NOTVALID");
@@ -200,6 +230,8 @@
     EXPECT_STREQ(serializeIfValid("text/\xD8\x88\x12\x34"), "NOTVALID");
 
     EXPECT_STREQ(serializeIfValid("text/plain;"), "text/plain");
+    EXPECT_STREQ(serializeIfValid("text/plain;;"), "text/plain");
+    EXPECT_STREQ(serializeIfValid("text/plain;;;"), "text/plain");
     EXPECT_STREQ(serializeIfValid("text/plain;test"), "text/plain");
     EXPECT_STREQ(serializeIfValid("text/plain; test"), "text/plain");
     EXPECT_STREQ(serializeIfValid("text/plain;\ttest"), "text/plain");
@@ -212,8 +244,18 @@
     EXPECT_STREQ(serializeIfValid("text/plain;test\r"), "text/plain");
     EXPECT_STREQ(serializeIfValid("text/plain;test\b"), "text/plain");
     EXPECT_STREQ(serializeIfValid("text/plain;test="), "text/plain");
-    EXPECT_STREQ(serializeIfValid("text/plain;test=;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;=;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;="), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;wrong=;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;=wrong;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;wrong="), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;=wrong"), "text/plain;test=value");
     EXPECT_STREQ(serializeIfValid("text/plain;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;;;test=value"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;;"), "text/plain;test=value");
+    EXPECT_STREQ(serializeIfValid("text/plain;test=value;;;"), "text/plain;test=value");
     EXPECT_STREQ(serializeIfValid("text/plain;TEST=value"), "text/plain;test=value");
     EXPECT_STREQ(serializeIfValid("text/plain;test=VALUE"), "text/plain;test=VALUE");
     EXPECT_STREQ(serializeIfValid("text/plain; test=value"), "text/plain;test=value");