[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

beidson at apple.com beidson at apple.com
Wed Dec 22 18:38:36 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit ec0fc940172de43a4d29eb3826f250a1bebeb4e7
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 15 01:50:37 2010 +0000

    WebCore: <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
    Authorization header is sent from an HTTP Auth protected site on redirect
    Test: http/tests/misc/authentication-sent-to-redirect.html
    
    Reviewed by Alexey Proskuryakov.
    
    Add helper to clear the Auth headers from a resource request:
    * platform/network/ResourceRequestBase.cpp:
    (WebCore::ResourceRequestBase::clearHTTPAuthorization):
    * platform/network/ResourceRequestBase.h:
    
    Only Mac and Windows CFNetwork ports seem to have this problem, so plug it for them:
    * platform/network/cf/ResourceHandleCFNet.cpp:
    (WebCore::ResourceHandle::willSendRequest):
    * platform/network/mac/ResourceHandleMac.mm:
    (WebCore::ResourceHandle::willSendRequest):
    
    LayoutTests: <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
    Authorization header is sent from an HTTP Auth protected site on redirect
    
    Reviewed by Alexey Proskuryakov.
    
    * http/tests/misc/authentication-sent-to-redirect-expected.txt: Added.
    * http/tests/misc/authentication-sent-to-redirect.html: Added.
    * http/tests/misc/resources/auth-echo.php: Added.
    * http/tests/misc/resources/auth-then-redirect.php: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74084 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a265d75..d43047b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-12-14  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
+        Authorization header is sent from an HTTP Auth protected site on redirect
+
+        * http/tests/misc/authentication-sent-to-redirect-expected.txt: Added.
+        * http/tests/misc/authentication-sent-to-redirect.html: Added.
+        * http/tests/misc/resources/auth-echo.php: Added.
+        * http/tests/misc/resources/auth-then-redirect.php: Added.
+
 2010-12-14  Yael Aharon  <yael.aharon at nokia.com>
 
         Unreviewed .
diff --git a/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt b/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
new file mode 100644
index 0000000..7ad19b7
--- /dev/null
+++ b/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
@@ -0,0 +1,26 @@
+<unknown> - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+https://bugs.webkit.org/show_bug.cgi?id=40138
+This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.
+It does this once each for HTTP 301, 302, 303, and 307 redirects.
+If not running under DRT, enter any credentials when asked.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+Resource loaded with HTTP authentication username '' and password ''
diff --git a/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html b/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
new file mode 100644
index 0000000..2e481f8
--- /dev/null
+++ b/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
@@ -0,0 +1,46 @@
+<script>
+
+var framesLoaded = 0;
+var redirectCodes = new Array();
+redirectCodes[0] = "301";
+redirectCodes[1] = "302";
+redirectCodes[2] = "303";
+redirectCodes[3] = "307";
+
+function frameLoaded()
+{
+    if (++framesLoaded == 4) {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+        return;
+    }
+    
+    appendFrame(redirectCodes[framesLoaded]);
+}
+
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.setHandlesAuthenticationChallenges(true);
+    layoutTestController.setAuthenticationUsername("testUser");
+    layoutTestController.setAuthenticationPassword("testPassword");
+}
+
+function appendFrame(code)
+{
+    i = document.createElement("iframe"); 
+    i.setAttribute("src", "http://localhost:8000/misc/resources/auth-then-redirect.php?redirect=" + code); 
+    i.setAttribute("onload", "frameLoaded()");
+    document.body.appendChild(i);
+}
+
+</script>
+
+<body onload="appendFrame('301');">
+https://bugs.webkit.org/show_bug.cgi?id=40138<br>
+This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.<br>
+It does this once each for HTTP 301, 302, 303, and 307 redirects.<br>
+If not running under DRT, enter any credentials when asked.<br>
+</body>
+
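Review bot: The test only exercises the cross-origin case (the frames load `auth-then-redirect.php` from `localhost:8000` and are redirected to `127.0.0.1:8000`), so it would still pass on a port that dropped `Authorization` on every redirect, including same-origin ones. A control frame that redirects within the same origin and expects `testUser`/`testPassword` in the echoed output would pin down both halves of the behaviour. Separately, `appendFrame` assigns to an undeclared `i`, which creates an implicit global; `var i = document.createElement("iframe");` keeps it local.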
diff --git a/LayoutTests/http/tests/misc/resources/auth-echo.php b/LayoutTests/http/tests/misc/resources/auth-echo.php
new file mode 100644
index 0000000..9590e7a
--- /dev/null
+++ b/LayoutTests/http/tests/misc/resources/auth-echo.php
@@ -0,0 +1,3 @@
+<?php
+echo "Resource loaded with HTTP authentication username '", $_SERVER["PHP_AUTH_USER"], "' and password '", $_SERVER["PHP_AUTH_PW"], "'\n";
+?>
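Review bot: `$_SERVER["PHP_AUTH_USER"]` and `$_SERVER["PHP_AUTH_PW"]` are read without checking that they exist, and in the passing case (no credentials forwarded) they will presumably be absent. Depending on the test server's error_reporting setting, PHP may then emit undefined-index notices into the dumped frame text. Reading each through `isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : ''` avoids that. The values are also echoed unescaped under PHP's default content type, so sending `header("Content-Type: text/plain");` first would keep request-supplied text from being parsed as markup.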
diff --git a/LayoutTests/http/tests/misc/resources/auth-then-redirect.php b/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
new file mode 100644
index 0000000..0c81648
--- /dev/null
+++ b/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
@@ -0,0 +1,21 @@
+<?php
+
+// prompt for login if not already present
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+    header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+
+// do redirect if called for
+$redirect_codes=array("301", "302", "303", "307");
+if (in_array($_GET["redirect"], $redirect_codes))
+{
+    header("Location: http://127.0.0.1:8000/misc/resources/auth-echo.php", true, $_GET["redirect"]);
+    exit;
+}
+
+echo "Unknown redirect parameter sent";
+
+?>
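Review bot: Nothing in this script says that the hard-coded `127.0.0.1:8000` in the `Location` header is deliberate. The test page loads this script through `localhost:8000`, and that host mismatch is what makes the redirect cross-origin. A comment above the `header("Location: ...")` call, such as `// Target 127.0.0.1 (the test page uses localhost) so the redirect is cross-origin.`, would stop a later host clean-up from silently neutering the test. The `in_array` check could also pass `true` as its third argument, so that only the four exact strings are accepted before the value is used as the status code.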
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ad63713..4264e6e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-12-14  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        <rdar://problem/8225016> and https://bugs.webkit.org/show_bug.cgi?id=40138
+        Authorization header is sent from an HTTP Auth protected site on redirect
+        Test: http/tests/misc/authentication-sent-to-redirect.html
+
+        Add helper to clear the Auth headers from a resource request:
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::clearHTTPAuthorization):
+        * platform/network/ResourceRequestBase.h:
+
+        Only Mac and Windows CFNetwork ports seem to have this problem, so plug it for them:
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::ResourceHandle::willSendRequest):
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::willSendRequest):
+
 2010-12-14  Simon Fraser  <simon.fraser at apple.com>
 
         Reviewed by Chris Marrin.
diff --git a/WebCore/platform/network/ResourceRequestBase.cpp b/WebCore/platform/network/ResourceRequestBase.cpp
index 5312007..ae8316a 100644
--- a/WebCore/platform/network/ResourceRequestBase.cpp
+++ b/WebCore/platform/network/ResourceRequestBase.cpp
@@ -234,6 +234,16 @@ void ResourceRequestBase::setHTTPHeaderField(const char* name, const String& val
     setHTTPHeaderField(AtomicString(name), value);
 }
 
+void ResourceRequestBase::clearHTTPAuthorization()
+{
+    updateResourceRequest(); 
+
+    m_httpHeaderFields.remove("Authorization");
+
+    if (url().protocolInHTTPFamily())
+        m_platformRequestUpdated = false;
+}
+
 void ResourceRequestBase::clearHTTPReferrer()
 {
     updateResourceRequest(); 
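Review bot: `clearHTTPAuthorization()` has no comment, and the commit description calls it a helper to clear "the Auth headers" while the body removes only `Authorization`. A comment on the definition, e.g. `// Drops the Authorization request header so credentials are not replayed; Proxy-Authorization is left untouched.`, would record that scope, assuming leaving the proxy header alone is intended. It would also help to say why `m_platformRequestUpdated` is reset only when `url().protocolInHTTPFamily()` is true. The neighbouring `clearHTTPReferrer()` starts the same way, but its body continues outside the hunk, so I cannot confirm it follows the same pattern.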
diff --git a/WebCore/platform/network/ResourceRequestBase.h b/WebCore/platform/network/ResourceRequestBase.h
index 33a184e..5cb7ee3 100644
--- a/WebCore/platform/network/ResourceRequestBase.h
+++ b/WebCore/platform/network/ResourceRequestBase.h
@@ -100,6 +100,8 @@ namespace WebCore {
         void addHTTPHeaderField(const AtomicString& name, const String& value);
         void addHTTPHeaderFields(const HTTPHeaderMap& headerFields);
         
+        void clearHTTPAuthorization();
+
         String httpContentType() const { return httpHeaderField("Content-Type");  }
         void setHTTPContentType(const String& httpContentType) { setHTTPHeaderField("Content-Type", httpContentType); }
         
diff --git a/WebCore/platform/network/cf/ResourceHandleCFNet.cpp b/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
index e48bd2d..f0773d2 100644
--- a/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
+++ b/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
@@ -481,6 +481,8 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
     d->m_pass = url.pass();
     d->m_lastHTTPMethod = request.httpMethod();
     request.removeCredentials();
+    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+        request.clearHTTPAuthorization();
 
     client()->willSendRequest(this, request, redirectResponse);
 }
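Review bot: The two added lines carry no comment giving the security reason for the check, and the identical pair is repeated in the `willSendRequest` hunk of `ResourceHandleMac.mm`. I would add `// Never carry the Authorization header across a redirect to a different scheme, host or port.` above the `if` in both files. Because the rule lives in two port files, other network back ends only get it if they implement it themselves; the commit message says they did not appear affected, so the new layout test is the only guard there. `willSendRequest` begins outside the hunk, so whether `redirectResponse` can be a null response here is not visible; if it can, the comparison presumably fails and the header is cleared, which is the safe direction.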
diff --git a/WebCore/platform/network/mac/ResourceHandleMac.mm b/WebCore/platform/network/mac/ResourceHandleMac.mm
index daec366..caa33d7 100644
--- a/WebCore/platform/network/mac/ResourceHandleMac.mm
+++ b/WebCore/platform/network/mac/ResourceHandleMac.mm
@@ -552,6 +552,8 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
     d->m_pass = url.pass();
     d->m_lastHTTPMethod = request.httpMethod();
     request.removeCredentials();
+    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+        request.clearHTTPAuthorization();
 
     client()->willSendRequest(this, request, redirectResponse);
 }

-- 
WebKit Debian packaging


