Diff
Modified: trunk/LayoutTests/ChangeLog (167479 => 167480)
--- trunk/LayoutTests/ChangeLog 2014-04-18 02:35:32 UTC (rev 167479)
+++ trunk/LayoutTests/ChangeLog 2014-04-18 02:41:00 UTC (rev 167480)
@@ -1,3 +1,16 @@
+2014-04-17 Darin Adler <da...@apple.com>
+
+ hostname extraction from a URL should not decode percent-escape sequences
+ https://bugs.webkit.org/show_bug.cgi?id=131837
+ rdar://problem/15211936
+
+ Reviewed by Anders Carlsson and Dave Hyatt.
+
+ * fast/dom/DOMURL/parsing-expected.txt: Added.
+ * fast/dom/DOMURL/parsing.html: Added.
+ * fast/dom/HTMLAnchorElement/anchor-element-href-parsing-expected.txt: Added.
+ * fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html: Added.
+
2014-04-17 David Hyatt <hy...@apple.com>
[New Multicolumn] Pagination mode messed up with non-inline axis and reversed direction.
Added: trunk/LayoutTests/fast/dom/DOMURL/parsing-expected.txt (0 => 167480)
--- trunk/LayoutTests/fast/dom/DOMURL/parsing-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/DOMURL/parsing-expected.txt 2014-04-18 02:41:00 UTC (rev 167480)
@@ -0,0 +1,20 @@
+PASS breakDownURL('about:blank') is 'protocol=about:, pathname=blank, origin=null'
+PASS breakDownURL('http://example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://example.com/'
+PASS breakDownURL('http://a...@example.com/') is 'protocol=http:, username=a, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://a:@example.com/') is 'protocol=http:, username=a, host=example.com, pathname=/, origin=http://example.com, toString=http://a...@example.com/'
+PASS breakDownURL('http://joebob1:abc...@example.com/') is 'protocol=http:, username=joebob1, password=abc123, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://:def...@example.com/') is 'protocol=http:, password=def456, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://example.com/foo/bar') is 'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com'
+PASS breakDownURL('HTTP://example.com/foo/bar') is 'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com, toString=http://example.com/foo/bar'
+PASS breakDownURL('https://example.com/ttt?ggg') is 'protocol=https:, host=example.com, pathname=/ttt, search=?ggg, origin=https://example.com'
+PASS breakDownURL('ftp://example.com/ttt?ggg') is 'protocol=ftp:, host=example.com, pathname=/ttt, search=?ggg, origin=ftp://example.com'
+PASS breakDownURL('file:///Users/darin') is 'protocol=file:, pathname=/Users/darin, origin=file://'
+PASS breakDownURL('data:text/html,<b>foo</b>') is 'protocol=data:, pathname=text/html,<b>foo</b>, origin=null'
+PASS breakDownURL('http://a:b@c:1/e/f?g%h') is 'protocol=http:, username=a, password=b, hostname=c, host=c:1, port=1, pathname=/e/f, search=?g%h, origin=http://c:1'
+PASS breakDownURL('http://ex%61mple.com/') is 'protocol=http:, host=ex%61mple.com, pathname=/, origin=http://ex%61mple.com'
+PASS breakDownURL('http://ex%2fmple.com/') is 'protocol=http:, host=ex%2fmple.com, pathname=/, origin=http://ex%2fmple.com'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Property changes on: trunk/LayoutTests/fast/dom/DOMURL/parsing-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/dom/DOMURL/parsing.html (0 => 167480)
--- trunk/LayoutTests/fast/dom/DOMURL/parsing.html (rev 0)
+++ trunk/LayoutTests/fast/dom/DOMURL/parsing.html 2014-04-18 02:41:00 UTC (rev 167480)
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<script src=""
+<script>
+
+function breakDownURL(string)
+{
+ var a = new URL(string);
+
+ var result = "";
+
+ var propertyNames = [
+ "protocol",
+ "username",
+ "password",
+ "hostname",
+ "host",
+ "port",
+ "pathname",
+ "search",
+ "hash",
+ "origin"
+ ];
+ for (var i = 0; i < propertyNames.length; ++i) {
+ var name = propertyNames[i];
+ var value = a[name];
+ if (value == "")
+ continue;
+ if (name == "hostname" && value == a.host)
+ continue;
+ if (typeof value != "string")
+ value = "non-string";
+ if (result != "")
+ result += ", ";
+ result += name + "=" + value;
+ }
+
+ if (string != a.toString())
+ result += ", toString=" + a.toString();
+
+ return result;
+}
+
+shouldBe("breakDownURL('about:blank')", "'protocol=about:, pathname=blank, origin=null'");
+shouldBe("breakDownURL('http://example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://example.com/'");
+shouldBe("breakDownURL('http://a...@example.com/')", "'protocol=http:, username=a, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://a:@example.com/')", "'protocol=http:, username=a, host=example.com, pathname=/, origin=http://example.com, toString=http://a...@example.com/'");
+shouldBe("breakDownURL('http://joebob1:abc...@example.com/')", "'protocol=http:, username=joebob1, password=abc123, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://:def...@example.com/')", "'protocol=http:, password=def456, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://example.com/foo/bar')", "'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com'");
+shouldBe("breakDownURL('HTTP://example.com/foo/bar')", "'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com, toString=http://example.com/foo/bar'");
+shouldBe("breakDownURL('https://example.com/ttt?ggg')", "'protocol=https:, host=example.com, pathname=/ttt, search=?ggg, origin=https://example.com'");
+shouldBe("breakDownURL('ftp://example.com/ttt?ggg')", "'protocol=ftp:, host=example.com, pathname=/ttt, search=?ggg, origin=ftp://example.com'");
+shouldBe("breakDownURL('file:///Users/darin')", "'protocol=file:, pathname=/Users/darin, origin=file://'");
+shouldBe("breakDownURL('data:text/html,<b>foo</b>')", "'protocol=data:, pathname=text/html,<b>foo</b>, origin=null'");
+shouldBe("breakDownURL('http://a:b@c:1/e/f?g%h')", "'protocol=http:, username=a, password=b, hostname=c, host=c:1, port=1, pathname=/e/f, search=?g%h, origin=http://c:1'");
+
+shouldBe("breakDownURL('http://ex%61mple.com/')", "'protocol=http:, host=ex%61mple.com, pathname=/, origin=http://ex%61mple.com'");
+shouldBe("breakDownURL('http://ex%2fmple.com/')", "'protocol=http:, host=ex%2fmple.com, pathname=/, origin=http://ex%2fmple.com'");
+
+</script>
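Review bot: The two percent-escape cases at the end of this file (`ex%61mple.com`, `ex%2fmple.com`) carry no port, so the loop's `name == "hostname" && value == a.host` skip suppresses `hostname` and it is only checked indirectly through `host` and `origin`. Adding a case with an explicit port, for example `breakDownURL('http://ex%2fmple.com:1/')`, would make `hostname`, `host` and `origin` each appear in the expected string; the exact expected text should be taken from a run. The WebCore ChangeLog names the HTTP Origin header and postMessage `event.origin` as the affected surfaces, and neither is exercised here, so a postMessage-based regression test would pin the behaviour where the spoofing was reported. The same gaps apply to fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html.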
Property changes on: trunk/LayoutTests/fast/dom/DOMURL/parsing.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing-expected.txt (0 => 167480)
--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing-expected.txt 2014-04-18 02:41:00 UTC (rev 167480)
@@ -0,0 +1,20 @@
+PASS breakDownURL('about:blank') is 'protocol=about:, pathname=blank, origin=null'
+PASS breakDownURL('http://example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://example.com/'
+PASS breakDownURL('http://a...@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://a:@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://a...@example.com/'
+PASS breakDownURL('http://joebob1:abc...@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://:def...@example.com/') is 'protocol=http:, host=example.com, pathname=/, origin=http://example.com'
+PASS breakDownURL('http://example.com/foo/bar') is 'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com'
+PASS breakDownURL('HTTP://example.com/foo/bar') is 'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com, toString=http://example.com/foo/bar'
+PASS breakDownURL('https://example.com/ttt?ggg') is 'protocol=https:, host=example.com, pathname=/ttt, search=?ggg, origin=https://example.com'
+PASS breakDownURL('ftp://example.com/ttt?ggg') is 'protocol=ftp:, host=example.com, pathname=/ttt, search=?ggg, origin=ftp://example.com'
+PASS breakDownURL('file:///Users/darin') is 'protocol=file:, pathname=/Users/darin, origin=file://'
+PASS breakDownURL('data:text/html,<b>foo</b>') is 'protocol=data:, pathname=text/html,<b>foo</b>, origin=null'
+PASS breakDownURL('http://a:b@c:1/e/f?g%h') is 'protocol=http:, hostname=c, host=c:1, port=1, pathname=/e/f, search=?g%h, origin=http://c:1'
+PASS breakDownURL('http://ex%61mple.com/') is 'protocol=http:, host=ex%61mple.com, pathname=/, origin=http://ex%61mple.com'
+PASS breakDownURL('http://ex%2fmple.com/') is 'protocol=http:, host=ex%2fmple.com, pathname=/, origin=http://ex%2fmple.com'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Property changes on: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html (0 => 167480)
--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html 2014-04-18 02:41:00 UTC (rev 167480)
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<script src=""
+<script>
+
+function breakDownURL(string)
+{
+ var a = document.createElement("a");
+ a.href = ""
+
+ var result = "";
+
+ var propertyNames = [
+ "protocol",
+ "hostname",
+ "host",
+ "port",
+ "pathname",
+ "search",
+ "hash",
+ "origin"
+ ];
+ for (var i = 0; i < propertyNames.length; ++i) {
+ var name = propertyNames[i];
+ var value = a[name];
+ if (value == "")
+ continue;
+ if (name == "hostname" && value == a.host)
+ continue;
+ if (typeof value != "string")
+ value = "non-string";
+ if (result != "")
+ result += ", ";
+ result += name + "=" + value;
+ }
+
+ if (string != a.toString())
+ result += ", toString=" + a.toString();
+
+ return result;
+}
+
+shouldBe("breakDownURL('about:blank')", "'protocol=about:, pathname=blank, origin=null'");
+shouldBe("breakDownURL('http://example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://example.com/'");
+shouldBe("breakDownURL('http://a...@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://a:@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com, toString=http://a...@example.com/'");
+shouldBe("breakDownURL('http://joebob1:abc...@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://:def...@example.com/')", "'protocol=http:, host=example.com, pathname=/, origin=http://example.com'");
+shouldBe("breakDownURL('http://example.com/foo/bar')", "'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com'");
+shouldBe("breakDownURL('HTTP://example.com/foo/bar')", "'protocol=http:, host=example.com, pathname=/foo/bar, origin=http://example.com, toString=http://example.com/foo/bar'");
+shouldBe("breakDownURL('https://example.com/ttt?ggg')", "'protocol=https:, host=example.com, pathname=/ttt, search=?ggg, origin=https://example.com'");
+shouldBe("breakDownURL('ftp://example.com/ttt?ggg')", "'protocol=ftp:, host=example.com, pathname=/ttt, search=?ggg, origin=ftp://example.com'");
+shouldBe("breakDownURL('file:///Users/darin')", "'protocol=file:, pathname=/Users/darin, origin=file://'");
+shouldBe("breakDownURL('data:text/html,<b>foo</b>')", "'protocol=data:, pathname=text/html,<b>foo</b>, origin=null'");
+shouldBe("breakDownURL('http://a:b@c:1/e/f?g%h')", "'protocol=http:, hostname=c, host=c:1, port=1, pathname=/e/f, search=?g%h, origin=http://c:1'");
+
+shouldBe("breakDownURL('http://ex%61mple.com/')", "'protocol=http:, host=ex%61mple.com, pathname=/, origin=http://ex%61mple.com'");
+shouldBe("breakDownURL('http://ex%2fmple.com/')", "'protocol=http:, host=ex%2fmple.com, pathname=/, origin=http://ex%2fmple.com'");
+
+</script>
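Review bot: `breakDownURL` here duplicates the helper in fast/dom/DOMURL/parsing.html, differing only in how `a` is created and in the absence of `username`/`password` from `propertyNames`, and the `shouldBe` inputs are the same list. A shared script that takes the object factory and the property list would keep the two suites from drifting apart when further host cases are added. As rendered on this page the assignment reads `a.href = ""`, which would ignore the `string` argument; the expected results only make sense if the committed line is `a.href = string;`, so this is presumably an artifact of the archive and worth confirming against the repository.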
Property changes on: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (167479 => 167480)
--- trunk/Source/WebCore/ChangeLog 2014-04-18 02:35:32 UTC (rev 167479)
+++ trunk/Source/WebCore/ChangeLog 2014-04-18 02:41:00 UTC (rev 167480)
@@ -1,3 +1,18 @@
+2014-04-17 Darin Adler <da...@apple.com>
+
+ origin spoofing possible (HTTP Origin, postMessage event.origin) due to inappropriate URL escape sequence decoding
+ https://bugs.webkit.org/show_bug.cgi?id=131837
+ rdar://problem/15211936
+
+ Reviewed by Anders Carlsson and Dave Hyatt.
+
+ Tests: fast/dom/DOMURL/parsing.html
+ fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html
+
+ * platform/URL.cpp:
+ (WebCore::URL::host): Removed unnecessary call to decodeURLEscapeSequences, which caused
+ problems and was not needed.
+
2014-04-17 David Hyatt <hy...@apple.com>
[New Multicolumn] Pagination mode messed up with non-inline axis and reversed direction.
Modified: trunk/Source/WebCore/platform/URL.cpp (167479 => 167480)
--- trunk/Source/WebCore/platform/URL.cpp 2014-04-18 02:35:32 UTC (rev 167479)
+++ trunk/Source/WebCore/platform/URL.cpp 2014-04-18 02:41:00 UTC (rev 167480)
@@ -576,7 +576,7 @@
String URL::host() const
{
int start = hostStart();
- return decodeURLEscapeSequences(m_string.substring(start, m_hostEnd - start));
+ return m_string.substring(start, m_hostEnd - start);
}
unsigned short URL::port() const
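Review bot: `URL::host()` now returns the raw, still percent-encoded substring, but nothing at the function says this is deliberate. A comment such as `// Not percent-decoded on purpose: decoding let an escaped delimiter like "%2f" surface in the host and in origins built from it (bug 131837).` would stop a later change from restoring the decode. Callers are outside this hunk, so any that relied on a decoded host for display or comparison should be checked as part of this change. The new tests show a URL with host `ex%2fmple.com` still parsing successfully, so it may be worth considering whether a host containing an escaped delimiter should be rejected at parse time rather than passed through. `URL::port()` begins on the hunk's last line and continues outside it.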