[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da
beidson at apple.com
beidson at apple.com
Wed Dec 22 18:38:36 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit ec0fc940172de43a4d29eb3826f250a1bebeb4e7
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Dec 15 01:50:37 2010 +0000
WebCore: <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
Authorization header is sent from an HTTP Auth protected site on redirect
Test: http/tests/misc/authentication-sent-to-redirect.html
Reviewed by Alexey Proskuryakov.
Add helper to clear the Auth headers from a resource request:
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::clearHTTPAuthorization):
* platform/network/ResourceRequestBase.h:
Only Mac and Windows CFNetwork ports seem to have this problem, so plug it for them:
* platform/network/cf/ResourceHandleCFNet.cpp:
(WebCore::ResourceHandle::willSendRequest):
* platform/network/mac/ResourceHandleMac.mm:
(WebCore::ResourceHandle::willSendRequest):
LayoutTests: <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
Authorization header is sent from an HTTP Auth protected site on redirect
Reviewed by Alexey Proskuryakov.
* http/tests/misc/authentication-sent-to-redirect-expected.txt: Added.
* http/tests/misc/authentication-sent-to-redirect.html: Added.
* http/tests/misc/resources/auth-echo.php: Added.
* http/tests/misc/resources/auth-then-redirect.php: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a265d75..d43047b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-12-14 Brady Eidson <beidson at apple.com>
+
+ Reviewed by Alexey Proskuryakov.
+
+ <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
+ Authorization header is sent from an HTTP Auth protected site on redirect
+
+ * http/tests/misc/authentication-sent-to-redirect-expected.txt: Added.
+ * http/tests/misc/authentication-sent-to-redirect.html: Added.
+ * http/tests/misc/resources/auth-echo.php: Added.
+ * http/tests/misc/resources/auth-then-redirect.php: Added.
+
2010-12-14 Yael Aharon <yael.aharon at nokia.com>
Unreviewed .
diff --git a/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt b/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
new file mode 100644
index 0000000..7ad19b7
--- /dev/null
+++ b/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
@@ -0,0 +1,26 @@
+<unknown> - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+https://bugs.webkit.org/show_bug.cgi?id=40138
+This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.
+It does this once each for HTTP 301, 302, 303, and 307 redirects.
+If not running under DRT, enter any credentials when asked.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
diff --git a/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html b/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
new file mode 100644
index 0000000..2e481f8
--- /dev/null
+++ b/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
@@ -0,0 +1,46 @@
+<script>
+
+var framesLoaded = 0;
+var redirectCodes = new Array();
+redirectCodes[0] = "301";
+redirectCodes[1] = "302";
+redirectCodes[2] = "303";
+redirectCodes[3] = "307";
+
+function frameLoaded()
+{
+ if (++framesLoaded == 4) {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ return;
+ }
+
+ appendFrame(redirectCodes[framesLoaded]);
+}
+
+if (window.layoutTestController) {
+ layoutTestController.waitUntilDone();
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.setHandlesAuthenticationChallenges(true);
+ layoutTestController.setAuthenticationUsername("testUser");
+ layoutTestController.setAuthenticationPassword("testPassword");
+}
+
+function appendFrame(code)
+{
+ i = document.createElement("iframe");
+ i.setAttribute("src", "http://localhost:8000/misc/resources/auth-then-redirect.php?redirect=" + code);
+ i.setAttribute("onload", "frameLoaded()");
+ document.body.appendChild(i);
+}
+
+</script>
+
+<body onload="appendFrame('301');">
+https://bugs.webkit.org/show_bug.cgi?id=40138<br>
+This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.<br>
+It does this once each for HTTP 301, 302, 303, and 307 redirects.<br>
+If not running under DRT, enter any credentials when asked.<br>
+</body>
+
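Review bot: The test only exercises a redirect whose host name changes (the page loads `localhost:8000` and auth-then-redirect.php redirects to `127.0.0.1:8000`), so it pins the stripping case but not the complementary ones. A same-origin redirect, and a redirect that differs only in port or scheme, are not covered, so a later change that strips the header on every redirect, or that compares only the host, would still pass. Separately, `if (++framesLoaded == 4)` hard-codes the size of `redirectCodes` and `i = document.createElement("iframe")` creates an implicit global; `redirectCodes.length` and `var i` would be more robust.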
diff --git a/LayoutTests/http/tests/misc/resources/auth-echo.php b/LayoutTests/http/tests/misc/resources/auth-echo.php
new file mode 100644
index 0000000..9590e7a
--- /dev/null
+++ b/LayoutTests/http/tests/misc/resources/auth-echo.php
@@ -0,0 +1,3 @@
+<?php
+echo "Resource loaded with HTTP authentication username '", $_SERVER["PHP_AUTH_USER"], "' and password '", $_SERVER["PHP_AUTH_PW"], "'\n";
+?>
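Review bot: The passing result depends on reading `$_SERVER["PHP_AUTH_USER"]` and `$_SERVER["PHP_AUTH_PW"]` when they are not set, which raises an undefined-index notice; if the test server is configured to display notices, the output would no longer match the expected text. Guarding each read, e.g. `isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : ''`, keeps the echoed line stable. These two variables presumably hold only credentials that PHP parsed itself, so a forwarded Authorization header in a scheme PHP does not decode might not show up here; that is worth confirming against the server configuration.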
diff --git a/LayoutTests/http/tests/misc/resources/auth-then-redirect.php b/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
new file mode 100644
index 0000000..0c81648
--- /dev/null
+++ b/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
@@ -0,0 +1,21 @@
+<?php
+
+// prompt for login if not already present
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+ header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+ header("HTTP/1.0 401 Unauthorized");
+ exit;
+}
+
+// do redirect if called for
+$redirect_codes=array("301", "302", "303", "307");
+if (in_array($_GET["redirect"], $redirect_codes))
+{
+ header("Location: http://127.0.0.1:8000/misc/resources/auth-echo.php", true, $_GET["redirect"]);
+ exit;
+}
+
+echo "Unknown redirect parameter sent";
+
+?>
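Review bot: The `Location:` target uses `127.0.0.1:8000` while the test page loads this script from `localhost:8000`; that host-name difference is what makes the redirect cross-origin, and nothing in the file says so. A comment such as `// Redirect to a different host name than the one this script is loaded from, so the redirect is cross-origin.` would stop someone from normalising the URL and silently turning this into a same-origin test. `$_GET["redirect"]` is also read without an `isset` check and handed to `header()` as a string; `in_array($_GET["redirect"], $redirect_codes, true)` with an `(int)` cast on the status argument would make the allowlist exact.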
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ad63713..4264e6e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-12-14 Brady Eidson <beidson at apple.com>
+
+ Reviewed by Alexey Proskuryakov.
+
+ <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
+ Authorization header is sent from an HTTP Auth protected site on redirect
+ Test: http/tests/misc/authentication-sent-to-redirect.html
+
+ Add helper to clear the Auth headers from a resource request:
+ * platform/network/ResourceRequestBase.cpp:
+ (WebCore::ResourceRequestBase::clearHTTPAuthorization):
+ * platform/network/ResourceRequestBase.h:
+
+ Only Mac and Windows CFNetwork ports seem to have this problem, so plug it for them:
+ * platform/network/cf/ResourceHandleCFNet.cpp:
+ (WebCore::ResourceHandle::willSendRequest):
+ * platform/network/mac/ResourceHandleMac.mm:
+ (WebCore::ResourceHandle::willSendRequest):
+
2010-12-14 Simon Fraser <simon.fraser at apple.com>
Reviewed by Chris Marrin.
diff --git a/WebCore/platform/network/ResourceRequestBase.cpp b/WebCore/platform/network/ResourceRequestBase.cpp
index 5312007..ae8316a 100644
--- a/WebCore/platform/network/ResourceRequestBase.cpp
+++ b/WebCore/platform/network/ResourceRequestBase.cpp
@@ -234,6 +234,16 @@ void ResourceRequestBase::setHTTPHeaderField(const char* name, const String& val
setHTTPHeaderField(AtomicString(name), value);
}
+void ResourceRequestBase::clearHTTPAuthorization()
+{
+ updateResourceRequest();
+
+ m_httpHeaderFields.remove("Authorization");
+
+ if (url().protocolInHTTPFamily())
+ m_platformRequestUpdated = false;
+}
+
void ResourceRequestBase::clearHTTPReferrer()
{
updateResourceRequest();
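Review bot: `clearHTTPAuthorization()` has no comment saying when callers are expected to use it, and the declaration added to ResourceRequestBase.h has none either; suggest `// Drops the Authorization header, e.g. before following a redirect to a different origin.` above the definition. The header is removed from `m_httpHeaderFields` unconditionally, but `m_platformRequestUpdated` is reset only when `url().protocolInHTTPFamily()`, so for a non-HTTP URL it is worth confirming that the platform request cannot keep a stale copy of the header. `clearHTTPReferrer()` below continues outside the hunk, so whether this matches the existing pattern cannot be checked from here.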
diff --git a/WebCore/platform/network/ResourceRequestBase.h b/WebCore/platform/network/ResourceRequestBase.h
index 33a184e..5cb7ee3 100644
--- a/WebCore/platform/network/ResourceRequestBase.h
+++ b/WebCore/platform/network/ResourceRequestBase.h
@@ -100,6 +100,8 @@ namespace WebCore {
void addHTTPHeaderField(const AtomicString& name, const String& value);
void addHTTPHeaderFields(const HTTPHeaderMap& headerFields);
+ void clearHTTPAuthorization();
+
String httpContentType() const { return httpHeaderField("Content-Type"); }
void setHTTPContentType(const String& httpContentType) { setHTTPHeaderField("Content-Type", httpContentType); }
diff --git a/WebCore/platform/network/cf/ResourceHandleCFNet.cpp b/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
index e48bd2d..f0773d2 100644
--- a/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
+++ b/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
@@ -481,6 +481,8 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
d->m_pass = url.pass();
d->m_lastHTTPMethod = request.httpMethod();
request.removeCredentials();
+ if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+ request.clearHTTPAuthorization();
client()->willSendRequest(this, request, redirectResponse);
}
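Review bot: The added origin check appears verbatim in both this hunk and the `willSendRequest` hunk of ResourceHandleMac.mm, and neither copy says why the header is dropped; a one-line comment such as `// Never forward HTTP auth credentials to a different origin on redirect.` on both would help. The comparison uses `redirectResponse.url()`, so if this function can ever be reached with an empty `redirectResponse`, the URLs would presumably compare unequal and the header would be cleared on a request that is not a redirect; the start of `willSendRequest` is outside the hunk, so this needs checking there. The ChangeLog says the other ports only "seem" unaffected, which leaves the new layout test as the only guard for them.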
diff --git a/WebCore/platform/network/mac/ResourceHandleMac.mm b/WebCore/platform/network/mac/ResourceHandleMac.mm
index daec366..caa33d7 100644
--- a/WebCore/platform/network/mac/ResourceHandleMac.mm
+++ b/WebCore/platform/network/mac/ResourceHandleMac.mm
@@ -552,6 +552,8 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
d->m_pass = url.pass();
d->m_lastHTTPMethod = request.httpMethod();
request.removeCredentials();
+ if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+ request.clearHTTPAuthorization();
client()->willSendRequest(this, request, redirectResponse);
}
--
WebKit Debian packaging