[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87
Gustavo Noronha Silva
gns at gnome.org
Thu Jul 15 21:13:24 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit b1d02fbff3eef490d7c98a2e6cc545d092f253b4
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Apr 3 04:20:26 2010 +0000
2010-04-02 Justin Schuh <jschuh at chromium.org>
Reviewed by Alexey Proskuryakov.
XHR allows arbitrary XSRF across domains
https://bugs.webkit.org/show_bug.cgi?id=36843
Added a one-line change to prevent bypassing the XDC check on
synchronous preflighted requests. Added layout tests to cover
variations of this problem.
* http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html: Added.
* http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php: Added.
2010-04-02 Justin Schuh <jschuh at chromium.org>
Reviewed by Alexey Proskuryakov.
XHR allows arbitrary XSRF across domains
https://bugs.webkit.org/show_bug.cgi?id=36843
Added a one-line change to prevent bypassing the XDC check on
synchronous preflighted requests. Added layout tests to cover
variations of this problem.
Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::preflightFailure):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57041 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index adc5c18..a854e28 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,24 @@
+2010-04-02 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ XHR allows arbitrary XSRF across domains
+ https://bugs.webkit.org/show_bug.cgi?id=36843
+
+ Added a one-line change to prevent bypassing the XDC check on
+ synchronous preflighted requests. Added layout tests to cover
+ variations of this problem.
+
+ * http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html: Added.
+ * http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php: Added.
+
2010-05-03 Abhishek Arya <inferno at chromium.org>
Reviewed by Adam Barth.
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt
new file mode 100644
index 0000000..cf4735f
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt
@@ -0,0 +1,3 @@
+PASS: Request successfully blocked.
+
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
new file mode 100644
index 0000000..1565ab9
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
@@ -0,0 +1,63 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+ xhr.setRequestHeader("X-NON-STANDARD", "filler");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.onreadystatechange = function() {
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ try {
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ }
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ }
+
+ log(xhr.responseText);
+ }
+
+ try {
+ xhr.send("");
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+})();
+</script>
+</body>
+</html>
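Review bot: the handler installed at `+ xhr.onreadystatechange = function() {` never checks the ready state, so if the blocked request fires readystatechange more than once the handler re-issues the `?state=complete` GET after the first one has already unlinked the server's state file, and that second request lands in the Uninitialized branch of the PHP and comes back as a "FAILED: Issued a GET request during state 'Uninitialized'" line. Guard the handler with something like `if (this.readyState != 4) return;` (using `this`, because the closure's `xhr` is reassigned on the very next line). Separately, every open() in this "async" file passes `false` as the third argument, so the request under test is synchronous; if the file is meant to cover the asynchronous preflight path, that argument should be `true` and the PASS reported from the handler.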
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt
new file mode 100644
index 0000000..cf4735f
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt
@@ -0,0 +1,3 @@
+PASS: Request successfully blocked.
+
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
new file mode 100644
index 0000000..ed19752
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
@@ -0,0 +1,62 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ xhr.onreadystatechange = function() {
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ try {
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ }
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ }
+
+ log(xhr.responseText);
+ }
+
+ try {
+ xhr.send("");
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+})();
+</script>
+</body>
+</html>
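Review bot: this file repeats the header variant line for line except for the trigger (`xhr.open("DELETE", ...)` in place of `xhr.setRequestHeader("X-NON-STANDARD", "filler")`), and the same holds for the two sync files. The reset/complete boilerplate and the FAIL strings would be better kept once in a shared script under resources/ parameterised by method, extra header and sync/async, so that a later fix to one copy (a readyState guard, a changed FAIL string) cannot drift from the other three.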
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt
new file mode 100644
index 0000000..cf4735f
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt
@@ -0,0 +1,3 @@
+PASS: Request successfully blocked.
+
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
new file mode 100644
index 0000000..308cdc7
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
@@ -0,0 +1,63 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+ xhr.setRequestHeader("X-NON-STANDARD", "filler");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send("");
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
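Review bot: the test only works when the page itself is served from http://127.0.0.1:8000, because the PHP answers every allowed request with `Access-Control-Allow-Origin: http://127.0.0.1:8000` and nothing in this file says so; from any other origin the initial `?state=reset` GET is already refused, and the output is just "FAIL: Unable to reset server state", which reads like a regression rather than a setup problem. A one-line comment at the top of the script stating the 127.0.0.1-to-localhost pairing, or a FAIL message that names the origin the page was loaded from, would save the next person a detour.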
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt
new file mode 100644
index 0000000..cf4735f
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt
@@ -0,0 +1,3 @@
+PASS: Request successfully blocked.
+
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
new file mode 100644
index 0000000..d4594a0
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
@@ -0,0 +1,62 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+(function() {
+ var xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=reset", false);
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Unable to reset server state: [" + e.message + "].");
+ return;
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("DELETE", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in first 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send("");
+ log("FAIL: Cross-domain access allowed in first send without throwing an exception");
+ return;
+ } catch(e) {
+ // Eat the exception.
+ }
+
+ xhr = new XMLHttpRequest();
+
+ try {
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php?state=complete", false);
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'open'. [" + e.message + "].");
+ return;
+ }
+
+ try {
+ xhr.send("");
+ } catch(e) {
+ log("FAIL: Exception thrown. Cross-domain access is not allowed in second 'send'. [" + e.message + "].");
+ return;
+ }
+
+ log(xhr.responseText);
+})();
+</script>
+</body>
+</html>
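Review bot: the name says "method denied", but the server denies the OPTIONS preflight by sending no Access-Control headers at all (the Uninitialized branch only echoes "Request Denied"), so this test and the header variant exercise exactly the same rejection path; neither shows that a preflight answered with Access-Control-Allow-Origin plus `Access-Control-Allow-Methods: GET` still blocks a DELETE. If the two cases are meant to be distinct, have the preflight response for the DELETE case carry the allow-origin header with a method list that omits DELETE; otherwise the four tests could be two.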
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php b/LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php
new file mode 100644
index 0000000..e52b077
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php
@@ -0,0 +1,62 @@
+<?php
+require_once '../../resources/portabilityLayer.php';
+
+$tmpFile = sys_get_temp_dir() . "/xsrf.txt";
+
+function fail($state)
+{
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Allow-Credentials: true");
+ header("Access-Control-Allow-Methods: GET");
+ header("Access-Control-Max-Age: 0");
+ echo "FAILED: Issued a " . $_SERVER['REQUEST_METHOD'] . " request during state '" . $state . "'\n";
+ exit();
+}
+
+function setState($newState, $file)
+{
+ file_put_contents($file, $newState);
+}
+
+function getState($file)
+{
+ $state = NULL;
+ if (file_exists($file))
+ $state = file_get_contents($file);
+ return $state ? $state : "Uninitialized";
+}
+
+$state = getState($tmpFile);
+
+if ($_SERVER['REQUEST_METHOD'] == "GET"
+ && $_GET['state'] == "reset") {
+ if (file_exists($tmpFile)) unlink($tmpFile);
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Max-Age: 0");
+ echo "Server state reset.\n";
+} else if ($state == "Uninitialized") {
+ if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ echo("Request Denied\n");
+ setState("Denied", $tmpFile);
+ } else {
+ fail($state);
+ }
+} else if ($state == "Denied") {
+ if ($_SERVER['REQUEST_METHOD'] == "GET"
+ && $_GET['state'] == "complete") {
+ unlink($tmpFile);
+ header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
+ header("Access-Control-Max-Age: 0");
+ echo "PASS: Request successfully blocked.\n";
+ } else {
+ setState("Deny Ignored", $tmpFile);
+ fail($state);
+ }
+} else if ($state == "Deny Ignored") {
+ unlink($tmpFile);
+ fail($state);
+} else {
+ if (file_exists($tmpFile)) unlink($tmpFile);
+ fail("Unknown");
+}
+?>
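Review bot: `$_GET['state']` is read at `&& $_GET['state'] == "reset"` and `&& $_GET['state'] == "complete"` without isset(); the OPTIONS and DELETE requests short-circuit on the method check, but the plain GET that the header variant sends has no state parameter and, with notices displayed, PHP prints an "Undefined index" notice into the body before fail() calls header(), which produces a "headers already sent" warning, drops the Access-Control-Allow-Origin header and makes the FAILED text unreadable to the test. Use `isset($_GET['state']) && $_GET['state'] == "reset"` (or read the parameter once into a local with a default). Also, the state lives in the fixed path `sys_get_temp_dir() . "/xsrf.txt"`, so the four tests share one file and cannot run concurrently; deriving the name from a per-test query parameter would avoid that.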
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dad9259..086447b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-04-02 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ XHR allows arbitrary XSRF across domains
+ https://bugs.webkit.org/show_bug.cgi?id=36843
+
+ Added a one-line change to prevent bypassing the XDC check on
+ synchronous preflighted requests. Added layout tests to cover
+ variations of this problem.
+
+ Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::preflightFailure):
+
2010-05-05 Alexey Proskuryakov <ap at apple.com>
Reviewed by Adele Peterson.
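Review bot: "XDC check" is an unexplained abbreviation; spell it out as the cross-origin access check, and state the mechanism the one-line diff only implies through its code comment, namely that for a synchronous request didFinishLoading() still ran after preflightFailure() and, with m_actualRequest still set, went on to issue the real request. A reader of the ChangeLog alone cannot reconstruct that from "prevent bypassing the XDC check".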
diff --git a/WebCore/loader/DocumentThreadableLoader.cpp b/WebCore/loader/DocumentThreadableLoader.cpp
index de0a0b0..d0f6c04 100644
--- a/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/WebCore/loader/DocumentThreadableLoader.cpp
@@ -287,6 +287,7 @@ void DocumentThreadableLoader::preflightSuccess()
void DocumentThreadableLoader::preflightFailure()
{
+ m_actualRequest = 0; // Prevent didFinishLoading() from bypassing access check.
m_client->didFail(ResourceError());
}
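Review bot: clearing m_actualRequest here makes one member carry two meanings, "no preflight in flight" and "preflight was denied"; once it is null the failed loader is indistinguishable from a plain load, so the fix holds only as long as didFinishLoading() (and any other callback that still arrives for the denied preflight response) does nothing except consult that pointer. An explicit state, for instance an m_preflightFailed flag set here and checked at the top of didFinishLoading(), would record the denial directly and not depend on the order in which didFail() and didFinishLoading() are delivered on the synchronous path. The comment should also say why the synchronous case is the one that reaches didFinishLoading() after preflightFailure(); right now that is only implied.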
--
WebKit Debian packaging