[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
ap at apple.com
ap at apple.com
Thu Oct 29 20:52:13 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit b92a4fe192e4e56d77f8b221576f1c940dd6b59c
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Oct 26 17:26:26 2009 +0000
Reviewed by Adam Barth and Darin Adler.
https://bugs.webkit.org/show_bug.cgi?id=30723
<rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
Test: http/tests/security/escape-form-data-field-names.html
* platform/network/FormDataBuilder.cpp:
(WebCore::appendQuotedString):
(WebCore::FormDataBuilder::beginMultiPartHeader):
(WebCore::FormDataBuilder::addFilenameToMultiPartHeader):
Percent-escape line breaks and quotation marks.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50072 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3ed36ac..6526b86 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-10-23 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Adam Barth and Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=30723
+ <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+ * http/tests/security/escape-form-data-field-names-expected.txt: Added.
+ * http/tests/security/escape-form-data-field-names.html: Added.
+ * http/tests/security/resources/escape-form-data-field-names.cgi: Added.
+
2009-10-26 Andras Becsi <becsi.andras at stud.u-szeged.hu>
Reviewed by Ariya Hidayat.
diff --git a/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt b/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt
new file mode 100644
index 0000000..3d209be
--- /dev/null
+++ b/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt
@@ -0,0 +1,3 @@
+Test for bug 30723: Input names added to multipart/form-data headers need to be escaped
+
+PASS
diff --git a/LayoutTests/http/tests/security/escape-form-data-field-names.html b/LayoutTests/http/tests/security/escape-form-data-field-names.html
new file mode 100644
index 0000000..88a509e
--- /dev/null
+++ b/LayoutTests/http/tests/security/escape-form-data-field-names.html
@@ -0,0 +1,13 @@
+<form method="post" action="resources/escape-form-data-field-names.cgi" enctype="multipart/form-data">
+<textarea name='file"; filename="filename.ext
+Content-Type: text/html; '>Arbitrary
+Contents</textarea>
+<input type="submit" value='Send "File"'>
+</form>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+document.forms[0].submit();
+</script>
diff --git a/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi b/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi
new file mode 100755
index 0000000..a46f995
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi
@@ -0,0 +1,26 @@
+#!/usr/bin/perl -w
+
+print "Content-type: text/html\n\n";
+
+print "<p>Test for <a href='https://bugs.webkit.org/show_bug.cgi?id=30723'>bug 30723</a>: Input names added to multipart/form-data headers need to be escaped</p>";
+print "<pre>";
+
+if ($ENV{'REQUEST_METHOD'} eq "POST") {
+ read(STDIN, $request, $ENV{'CONTENT_LENGTH'})
+ || die "Could not get query\n";
+ print $request;
+} else {
+ print "Wrong method: " . $ENV{'REQUEST_METHOD'} . "\n";
+}
+
+print "</pre><script>\n";
+print "var pre = document.getElementsByTagName('pre')[0];\n";
+print "if (pre.textContent.match('\\nContent-Type'))\n";
+print " document.write('FAIL')\n";
+print "else\n";
+print " document.write('PASS')\n";
+print "if (window.layoutTestController) {\n";
+print " pre.setAttribute('style', 'display:none');\n";
+print " layoutTestController.notifyDone();\n";
+print "}\n";
+print "</script>\n";
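Review bot: The pass/fail check on the `pre.textContent.match('\\nContent-Type')` line only detects an unescaped line break, so a regression that escaped CR/LF but left the quotation mark alone would still print PASS. The submitted field name also carries `"; filename="`, which would show up verbatim in the echoed body if `"` were not escaped. Extending the condition covers that case, for example `print "if (pre.textContent.match('\\nContent-Type') || pre.textContent.match('; filename=\"'))\n";`. The expected-output file stays the same, since the fixed code emits `%22` in place of the quote.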
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b1621b4..44452c0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-23 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Adam Barth and Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=30723
+ <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+ Test: http/tests/security/escape-form-data-field-names.html
+
+ * platform/network/FormDataBuilder.cpp:
+ (WebCore::appendQuotedString):
+ (WebCore::FormDataBuilder::beginMultiPartHeader):
+ (WebCore::FormDataBuilder::addFilenameToMultiPartHeader):
+ Percent-escape line breaks and quotation marks.
+
2009-10-26 Kelly Norton <knorton at google.com>
Reviewed by Pavel Feldman.
diff --git a/WebCore/platform/network/FormDataBuilder.cpp b/WebCore/platform/network/FormDataBuilder.cpp
index 27bdee3..04c7527 100644
--- a/WebCore/platform/network/FormDataBuilder.cpp
+++ b/WebCore/platform/network/FormDataBuilder.cpp
@@ -108,6 +108,34 @@ static inline void append(Vector<char>& buffer, const CString& string)
buffer.append(string.data(), string.length());
}
+static void appendQuotedString(Vector<char>& buffer, const CString& string)
+{
+ // Append a string as a quoted value, escaping quotes and line breaks.
+ // FIXME: Is it correct to use percent escaping here? Other browsers do not encode these characters yet,
+ // so we should test popular servers to find out if there is an encoding form they can handle.
+ unsigned length = string.length();
+ for (unsigned i = 0; i < length; ++i) {
+ unsigned char c = string.data()[i];
+
+ switch (c) {
+ case 0x0a:
+ append(buffer, "%0A");
+ break;
+ case 0x0d:
+ append(buffer, "%0D");
+ break;
+ case '"':
+ append(buffer, "%22");
+ break;
+ case '%':
+ append(buffer, "%25");
+ break;
+ default:
+ append(buffer, c);
+ }
+ }
+}
+
Vector<char> FormDataBuilder::generateUniqueBoundaryString()
{
Vector<char> boundary;
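Review bot: appendQuotedString scans the already-encoded bytes one at a time, so in a stateful multibyte encoding such as ISO-2022-JP, where 0x22 and 0x25 can occur as bytes of a double-byte character, the `case '"'` and `case '%'` arms would rewrite part of a character rather than a literal quote or percent sign. Whether such an encoding reaches this function depends on the callers, which are outside this hunk. It would help to state the assumption next to the existing FIXME, for example `// Assumes an ASCII-compatible encoding in which 0x22 and 0x25 never occur inside a multibyte sequence.`, and to add a layout test that submits a non-ASCII field name in a legacy charset.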
@@ -161,8 +189,10 @@ void FormDataBuilder::beginMultiPartHeader(Vector<char>& buffer, const CString&
{
addBoundaryToMultiPartHeader(buffer, boundary);
+ // FIXME: This loses data irreversibly if the input name includes characters you can't encode
+ // in the website's character set.
append(buffer, "Content-Disposition: form-data; name=\"");
- append(buffer, name);
+ appendQuotedString(buffer, name);
append(buffer, '"');
}
@@ -179,12 +209,10 @@ void FormDataBuilder::addBoundaryToMultiPartHeader(Vector<char>& buffer, const C
void FormDataBuilder::addFilenameToMultiPartHeader(Vector<char>& buffer, const TextEncoding& encoding, const String& filename)
{
- // FIXME: This won't work if the filename includes a " mark,
- // or control characters like CR or LF. This also does strange
- // things if the filename includes characters you can't encode
+ // FIXME: This loses data irreversibly if the filename includes characters you can't encode
// in the website's character set.
append(buffer, "; filename=\"");
- append(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
+ appendQuotedString(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
append(buffer, '"');
}
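Review bot: Nothing in the added layout test reaches the `appendQuotedString(buffer, encoding.encode(...))` call in addFilenameToMultiPartHeader, because the test form submits only a textarea and so covers the field-name path in beginMultiPartHeader alone. A file-upload case whose file name contains a quotation mark or a line break would pin the escaping on this path as well, provided the test harness can supply such a file. Until then the filename escaping is verified only by reading the code.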
--
WebKit Debian packaging