[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

ap at apple.com ap at apple.com
Thu Oct 29 20:52:13 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit b92a4fe192e4e56d77f8b221576f1c940dd6b59c
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Oct 26 17:26:26 2009 +0000

            Reviewed by Adam Barth and Darin Adler.
    
            https://bugs.webkit.org/show_bug.cgi?id=30723
            <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
    
            Test: http/tests/security/escape-form-data-field-names.html
    
            * platform/network/FormDataBuilder.cpp:
            (WebCore::appendQuotedString):
            (WebCore::FormDataBuilder::beginMultiPartHeader):
            (WebCore::FormDataBuilder::addFilenameToMultiPartHeader):
            Percent-escape line breaks and quotation marks.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50072 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3ed36ac..6526b86 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-10-23  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Adam Barth and Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30723
+        <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+        * http/tests/security/escape-form-data-field-names-expected.txt: Added.
+        * http/tests/security/escape-form-data-field-names.html: Added.
+        * http/tests/security/resources/escape-form-data-field-names.cgi: Added.
+
 2009-10-26  Andras Becsi  <becsi.andras at stud.u-szeged.hu>
 
         Reviewed by Ariya Hidayat.
diff --git a/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt b/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt
new file mode 100644
index 0000000..3d209be
--- /dev/null
+++ b/LayoutTests/http/tests/security/escape-form-data-field-names-expected.txt
@@ -0,0 +1,3 @@
+Test for bug 30723: Input names added to multipart/form-data headers need to be escaped
+
+PASS
diff --git a/LayoutTests/http/tests/security/escape-form-data-field-names.html b/LayoutTests/http/tests/security/escape-form-data-field-names.html
new file mode 100644
index 0000000..88a509e
--- /dev/null
+++ b/LayoutTests/http/tests/security/escape-form-data-field-names.html
@@ -0,0 +1,13 @@
+<form method="post" action="resources/escape-form-data-field-names.cgi" enctype="multipart/form-data">
+<textarea name='file"; filename="filename.ext
+Content-Type: text/html; '>Arbitrary 
+Contents</textarea>
+<input type="submit" value='Send "File"'>
+</form>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+document.forms[0].submit();
+</script>
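Review bot: This form only exercises the field-name path through a textarea `name`, so the `appendQuotedString` call that the same commit adds to `addFilenameToMultiPartHeader` has no coverage in this test. The line break inside the attribute is whatever the checked-in file contains, so the `%0D` branch is probably not reached either. If the harness can supply a file whose name contains a quotation mark, a second case using `<input type="file">` would pin the filename path. Otherwise the test description should state that only field names are covered.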
diff --git a/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi b/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi
new file mode 100755
index 0000000..a46f995
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/escape-form-data-field-names.cgi
@@ -0,0 +1,26 @@
+#!/usr/bin/perl -w
+
+print "Content-type: text/html\n\n"; 
+
+print "<p>Test for <a href='https://bugs.webkit.org/show_bug.cgi?id=30723'>bug 30723</a>: Input names added to multipart/form-data headers need to be escaped</p>";
+print "<pre>";
+
+if ($ENV{'REQUEST_METHOD'} eq "POST") {
+    read(STDIN, $request, $ENV{'CONTENT_LENGTH'})
+                || die "Could not get query\n";
+    print $request;
+} else {
+    print "Wrong method: " . $ENV{'REQUEST_METHOD'} . "\n";
+} 
+
+print "</pre><script>\n";
+print "var pre = document.getElementsByTagName('pre')[0];\n";
+print "if (pre.textContent.match('\\nContent-Type'))\n";
+print "  document.write('FAIL')\n";
+print "else\n";
+print "  document.write('PASS')\n";
+print "if (window.layoutTestController) {\n";
+print "  pre.setAttribute('style', 'display:none');\n";
+print "  layoutTestController.notifyDone();\n";
+print "}\n";
+print "</script>\n";
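Review bot: The pass condition on the `pre.textContent.match('\\nContent-Type')` line detects only an unescaped line break, so a regression in the `%22` escaping alone would still print PASS. With the quote unescaped, the echoed body would contain a second parameter on the same header line, which the script can also look for: `print "if (pre.textContent.match('\\nContent-Type') || pre.textContent.indexOf('; filename=\"') != -1)\n";`. A short comment at the top of the script explaining that the request body is echoed verbatim and then inspected client-side would help the next reader.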
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b1621b4..44452c0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-23  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Adam Barth and Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30723
+        <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+        Test: http/tests/security/escape-form-data-field-names.html
+
+        * platform/network/FormDataBuilder.cpp:
+        (WebCore::appendQuotedString):
+        (WebCore::FormDataBuilder::beginMultiPartHeader):
+        (WebCore::FormDataBuilder::addFilenameToMultiPartHeader):
+        Percent-escape line breaks and quotation marks.
+
 2009-10-26  Kelly Norton  <knorton at google.com>
 
         Reviewed by Pavel Feldman.
diff --git a/WebCore/platform/network/FormDataBuilder.cpp b/WebCore/platform/network/FormDataBuilder.cpp
index 27bdee3..04c7527 100644
--- a/WebCore/platform/network/FormDataBuilder.cpp
+++ b/WebCore/platform/network/FormDataBuilder.cpp
@@ -108,6 +108,34 @@ static inline void append(Vector<char>& buffer, const CString& string)
     buffer.append(string.data(), string.length());
 }
 
+static void appendQuotedString(Vector<char>& buffer, const CString& string)
+{
+    // Append a string as a quoted value, escaping quotes and line breaks.
+    // FIXME: Is it correct to use percent escaping here? Other browsers do not encode these characters yet,
+    // so we should test popular servers to find out if there is an encoding form they can handle.
+    unsigned length = string.length();
+    for (unsigned i = 0; i < length; ++i) {
+        unsigned char c = string.data()[i];
+
+        switch (c) {
+        case  0x0a:
+            append(buffer, "%0A");
+            break;
+        case 0x0d:
+            append(buffer, "%0D");
+            break;
+        case '"':
+            append(buffer, "%22");
+            break;
+        case '%':
+            append(buffer, "%25");
+            break;
+        default:
+            append(buffer, c);
+        }
+    }
+}
+
 Vector<char> FormDataBuilder::generateUniqueBoundaryString()
 {
     Vector<char> boundary;
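Review bot: `appendQuotedString` escapes CR, LF, `"` and `%`, but backslash and every other control byte fall through the `default:` branch unchanged. A receiver that parses the parameter as an RFC 2616 quoted-string treats `\` as the start of a quoted-pair, so a name ending in a backslash may still consume the closing quote on such a server. Whether to add `case '\\': append(buffer, "%5C"); break;` depends on the server testing that the FIXME already asks for. Until then, the comment should list which bytes are deliberately left unescaped and note that the caller supplies the surrounding quotes. The context lines after the function belong to `generateUniqueBoundaryString`, whose body continues outside the hunk.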
@@ -161,8 +189,10 @@ void FormDataBuilder::beginMultiPartHeader(Vector<char>& buffer, const CString&
 {
     addBoundaryToMultiPartHeader(buffer, boundary);
 
+    // FIXME: This loses data irreversibly if the input name includes characters you can't encode
+    // in the website's character set.
     append(buffer, "Content-Disposition: form-data; name=\"");
-    append(buffer, name);
+    appendQuotedString(buffer, name);
     append(buffer, '"');
 }
 
@@ -179,12 +209,10 @@ void FormDataBuilder::addBoundaryToMultiPartHeader(Vector<char>& buffer, const C
 
 void FormDataBuilder::addFilenameToMultiPartHeader(Vector<char>& buffer, const TextEncoding& encoding, const String& filename)
 {
-    // FIXME: This won't work if the filename includes a " mark,
-    // or control characters like CR or LF. This also does strange
-    // things if the filename includes characters you can't encode
+    // FIXME: This loses data irreversibly if the filename includes characters you can't encode
     // in the website's character set.
     append(buffer, "; filename=\"");
-    append(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
+    appendQuotedString(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
     append(buffer, '"');
 }
 
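Review bot: The escaping in `appendQuotedString(buffer, encoding.encode(...))` is applied to the encoded bytes, not to the characters of `filename`. In a stateful 7-bit encoding such as ISO-2022-JP, the bytes 0x22 and 0x25 can occur inside a double-byte character, so byte-wise replacement would corrupt those names for servers that do not percent-decode. `beginMultiPartHeader` takes an already-built `CString` and presumably has the same property, though its caller is outside this diff. Either escape the `String` before encoding, or extend the FIXME with a line such as `// NOTE: escaping operates on encoded bytes; encodings that reuse 0x22/0x25 inside a character are not handled.`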

-- 
WebKit Debian packaging


