Title: [259141] trunk
Revision
259141
Author
[email protected]
Date
2020-03-27 14:32:20 -0700 (Fri, 27 Mar 2020)

Log Message

Web Inspector: should also escape the method when Copy as cURL
https://bugs.webkit.org/show_bug.cgi?id=209665
<rdar://problem/58432154>

Reviewed by Joseph Pecoraro.

Source/WebInspectorUI:

* UserInterface/Models/Resource.js:
(WI.Resource.prototype.generateCURLCommand):
(WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
The method could be maliciously crafted, so we should also escape it (if needed).

LayoutTests:

* http/tests/inspector/network/copy-as-curl.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (259140 => 259141)


--- trunk/LayoutTests/ChangeLog	2020-03-27 21:25:38 UTC (rev 259140)
+++ trunk/LayoutTests/ChangeLog	2020-03-27 21:32:20 UTC (rev 259141)
@@ -1,3 +1,13 @@
+2020-03-27  Devin Rousso  <[email protected]>
+
+        Web Inspector: should also escape the method when Copy as cURL
+        https://bugs.webkit.org/show_bug.cgi?id=209665
+        <rdar://problem/58432154>
+
+        Reviewed by Joseph Pecoraro.
+
+        * http/tests/inspector/network/copy-as-curl.html:
+
 2020-03-27  Kenneth Russell  <[email protected]>
 
         Use ANGLE_robust_client_memory to replace framebuffer/texture validation

Modified: trunk/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt (259140 => 259141)


--- trunk/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt	2020-03-27 21:25:38 UTC (rev 259140)
+++ trunk/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt	2020-03-27 21:32:20 UTC (rev 259141)
@@ -33,3 +33,6 @@
 PASS: Command should have JSON Content-Type.
 PASS: Command should contain correct JSON data.
 
+-- Running test case: SpecialMethodGenerateCURLValidPOSIXOutput
+PASS: Command should contain method with properly escaped special characters.
+

Modified: trunk/LayoutTests/http/tests/inspector/network/copy-as-curl.html (259140 => 259141)


--- trunk/LayoutTests/http/tests/inspector/network/copy-as-curl.html	2020-03-27 21:25:38 UTC (rev 259140)
+++ trunk/LayoutTests/http/tests/inspector/network/copy-as-curl.html	2020-03-27 21:32:20 UTC (rev 259141)
@@ -73,7 +73,7 @@
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
                 InspectorTest.expectThat(curl[0].match("https?://.*?/resources/url\\?query=true") !== null, "Command should contain URL.");
-                InspectorTest.expectThat(curl[1] === "-XGET", "Command should be a GET request.");
+                InspectorTest.expectThat(curl[1] === "-X 'GET'", "Command should be a GET request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('User-Agent')) !== undefined, "Command should contain User-Agent header.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('X-Custom')) === undefined, "Command should not contain a custom header.");
             })
@@ -145,7 +145,7 @@
                 let resource = event.data.resource;
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
-                InspectorTest.expectThat(curl[1] === "-XPOST", "Command should be a POST request.");
+                InspectorTest.expectThat(curl[1] === "-X 'POST'", "Command should be a POST request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/x-www-form-urlencoded'", "Command should have correct Content-Type.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd === "--data $'lorem=ipsum&$dolor=\\'sit\\'&amet={1..20}'") !== undefined, "Command should contain correct data.");
             })
@@ -182,7 +182,7 @@
                 let resource = event.data.resource;
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
-                InspectorTest.expectThat(curl[1] === "-XPUT", "Command should be a PUT request.");
+                InspectorTest.expectThat(curl[1] === "-X 'PUT'", "Command should be a PUT request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/json'", "Command should have JSON Content-Type.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd === "--data-binary '{\"update\":\"now\"}'") !== undefined, "Command should contain correct JSON data.");
             })
@@ -192,6 +192,22 @@
         }
     });
 
+    suite.addTestCase({
+        name: "SpecialMethodGenerateCURLValidPOSIXOutput",
+        description: "Generate cURL command from a request containing special characters in the method and verify valid POSIX output.",
+        test(resolve, reject) {
+            let resource = new WI.Resource("TEST", {
+                requestMethod: "METHOD&a$b-c",
+            });
+
+            let curl = resource.generateCURLCommand().split(" \\\n");
+
+            InspectorTest.expectEqual(curl[1], "-X 'METHOD&a$b-c'", "Command should contain method with properly escaped special characters.");
+
+            resolve();
+        }
+    });
+
     suite.runTestCasesAndFinish();
 }
 </script>
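Review bot: SpecialMethodGenerateCURLValidPOSIXOutput exercises only the plain single-quote path of escapeStringPosix: `METHOD&a$b-c` contains no `'`, newline or non-printable byte, so the `$'…'` branch — the one that neutralizes quote-breaking input — is never reached for the method, and the expected string on the `expectEqual` line would pass even with the old unescaped `-X` form had it used quotes. Adding a second resource whose method holds a single quote, e.g. `requestMethod: "ME'THOD"`, and expecting `-X $'ME\\'THOD'` would cover that branch; the expected form follows the existing `--data` expectation at the `lorem=ipsum&$dolor` line, which renders `'` as `\'` inside `$'…'`, so confirm the exact output against the escaper before pinning it. A control character such as `\r` in the method would be worth a third expectation for the same reason.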

Modified: trunk/Source/WebInspectorUI/ChangeLog (259140 => 259141)


--- trunk/Source/WebInspectorUI/ChangeLog	2020-03-27 21:25:38 UTC (rev 259140)
+++ trunk/Source/WebInspectorUI/ChangeLog	2020-03-27 21:32:20 UTC (rev 259141)
@@ -1,3 +1,16 @@
+2020-03-27  Devin Rousso  <[email protected]>
+
+        Web Inspector: should also escape the method when Copy as cURL
+        https://bugs.webkit.org/show_bug.cgi?id=209665
+        <rdar://problem/58432154>
+
+        Reviewed by Joseph Pecoraro.
+
+        * UserInterface/Models/Resource.js:
+        (WI.Resource.prototype.generateCURLCommand):
+        (WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
+        The method could be maliciously crafted, so we should also escape it (if needed).
+
 2020-03-26  Devin Rousso  <[email protected]>
 
         Web Inspector: add keyboard shortcut to tooltip of pinned tabs

Modified: trunk/Source/WebInspectorUI/UserInterface/Models/Resource.js (259140 => 259141)


--- trunk/Source/WebInspectorUI/UserInterface/Models/Resource.js	2020-03-27 21:25:38 UTC (rev 259140)
+++ trunk/Source/WebInspectorUI/UserInterface/Models/Resource.js	2020-03-27 21:32:20 UTC (rev 259141)
@@ -1093,14 +1093,14 @@
                                  .replace(/\r/g, "\\r")
                                  .replace(/!/g, "\\041")
                                  .replace(/[^\x20-\x7E]/g, escapeCharacter) + "'";
-            } else {
-                // Use single quote syntax.
-                return `'${str}'`;
             }
+
+            // Use single quote syntax.
+            return `'${str}'`;
         }
 
         let command = ["curl " + escapeStringPosix(this.url).replace(/[[{}\]]/g, "\\$&")];
-        command.push(`-X${this.requestMethod}`);
+        command.push("-X " + escapeStringPosix(this.requestMethod));
 
         for (let key in this.requestHeaders)
             command.push("-H " + escapeStringPosix(`${key}: ${this.requestHeaders[key]}`));
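Review bot: `escapeStringPosix(this.requestMethod)` on the new `-X` line is now applied to whatever value `requestMethod` holds, and nothing in this hunk shows how a null or undefined method is handled; the removed template literal would at least have produced `-Xundefined`, whereas the escaper (whose head is outside the hunk) may throw or emit `'undefined'` if it calls string methods on its argument. If a resource can lack a method, guard the push: `if (this.requestMethod) command.push("-X " + escapeStringPosix(this.requestMethod));`. Since the URL, method, headers and body are all request-derived and the output is meant to be pasted into a shell, a comment above the `command` array such as `// Every request-derived value must pass through escapeStringPosix before being appended; the result is executed verbatim by the user's shell.` would make the invariant explicit for future additions. generateCURLCommand begins before and continues after this hunk.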