XML external entity resources should only be loaded from XML MIME types
author ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 May 2020 23:20:29 +0000 (23:20 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 May 2020 23:20:29 +0000 (23:20 +0000)
commit 7f330a981ae4cca82cfd5f4b764283bed7212f68
tree 93883a9d2c29f87d4e4a4f8f6e2a5f2bcac6f3d1
parent baf1434b43425d56bf23dfd084670de8b5b0675e
XML external entity resources should only be loaded from XML MIME types
<https://webkit.org/b/211488>
<rdar://problem/62869515>

Reviewed by Darin Adler.

Source/WebCore:

Tests: dom/xhtml/level3/core/entitygetinputencoding03.xhtml
       dom/xhtml/level3/core/entitygetinputencoding04.xhtml
       dom/xhtml/level3/core/entitygetxmlencoding02.xhtml
       dom/xhtml/level3/core/entitygetxmlencoding03.xhtml
       dom/xhtml/level3/core/entitygetxmlencoding04.xhtml
       dom/xhtml/level3/core/entitygetxmlversion03.xhtml
       dom/xhtml/level3/core/entitygetxmlversion04.xhtml
       dom/xhtml/level3/core/nodegetbaseuri16.xhtml
       dom/xhtml/level3/core/nodegetbaseuri19.xhtml
       dom/xhtml/level3/core/nodegetbaseuri20.xhtml
       fast/parser/external-entities-in-xslt.xml
       fast/xsl/dtd-in-source-document.xml
       fast/xsl/xslt-second-level-import.xml
       http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml
       http/tests/security/xss-DENIED-xsl-external-entity-redirect.xml

* html/HTMLBaseElement.cpp:
(WebCore::HTMLBaseElement::href const):
- Add comment about keeping code in sync with openFunc() in
  XMLDocumentParserLibxml2.cpp.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::responseMIMEType const):
- Add comment about keeping code in sync with
  externalEntityMimeTypeAllowed() in
  XMLDocumentParserLibxml2.cpp.
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityMimeTypeAllowed):
- Rename from externalEntityMimeTypeAllowedByNosniff().
- Change to only allow XML MIME types regardless of nosniff
  option.
- Add fallback path to determine MIME type for file:/// URLs to
  make layout tests work properly.  Logic taken from
  XMLHttpRequest::responseMIMEType().  Not sure if there was a
  good place to share it.
(WebCore::openFunc):
- Fix relative URLs by providing the document's URL as a base.
  Also provide an encoding if needed.  Logic taken from
  HTMLBaseElement::href().  (Not sure if there was a good place
  to share it.)  This was required to fix loading of external
  entity resources in the dom/xhtml/level3/core tests, which
  hadn't been loading these resources for a while.  Ultimately
  this didn't matter--except for new error messages being
  printed in test results--because the tests fail due to missing
  DOM features for XHTML documents.
- Change the fix for Bug 21963 into an empty URL check since
  setting FetchOptions.mode to Mode::SameOrigin prevents a
  redirect from loading a resource outside the document's
  origin.  The previous check worked, but the relaxed check in
  externalEntityMimeTypeAllowed() caused the XML MIME type
  warning to be output on redirects to non-same-origin URLs.  I
  didn't see a way to check for a cross-origin loading error.
- Add a console message for a cross-origin load failing.
- Update for function rename.
- Remove double negative from console message for an invalid
  MIME type.
(WebCore::externalEntityMimeTypeAllowedByNosniff):
- Rename to externalEntityMimeTypeAllowed().

LayoutTests:

To fix these layout tests, the following changes were made:
- Rename *.ent files to *.ent.xml so that an XML MIME type would
  be given to the resources when loading from a file:/// URL.
- Similarly, rename *.dtd files to *.dtd.xml.
- Update tests to refer to new entity/dtd file names.
- There are more *.dtd and *.ent files that weren't renamed.  I
  will fix those in a follow-up patch.  They weren't needed to
  fix any tests, so may be unused.

* dom/xhtml/level3/core/entitygetinputencoding03.xhtml:
* dom/xhtml/level3/core/entitygetinputencoding04.xhtml:
* dom/xhtml/level3/core/entitygetxmlencoding02.xhtml:
* dom/xhtml/level3/core/entitygetxmlencoding03.xhtml:
* dom/xhtml/level3/core/entitygetxmlencoding04.xhtml:
* dom/xhtml/level3/core/entitygetxmlversion03.xhtml:
* dom/xhtml/level3/core/entitygetxmlversion04.xhtml:
* dom/xhtml/level3/core/resources/external_foo.ent.xml: Rename from LayoutTests/dom/xhtml/level3/core/external_foo.ent.xml.
* dom/xhtml/level3/core/resources/external_foobr.ent.xml: Rename from LayoutTests/dom/xhtml/level3/core/external_foobr.ent.xml.
* dom/xhtml/level3/core/resources/external_widget.ent.xml: Rename from LayoutTests/dom/xhtml/level3/core/external_widget.ent.xml.
* dom/xhtml/level3/core/nodegetbaseuri16.xhtml:
* dom/xhtml/level3/core/nodegetbaseuri19.xhtml:
* dom/xhtml/level3/core/nodegetbaseuri20.xhtml:
* fast/parser/external-entities.xml:
* fast/parser/resources/external-entities.dtd.xml: Rename from LayoutTests/fast/parser/resources/external-entities.dtd.
* fast/parser/resources/external-entities.xsl:
* fast/xsl/dtd-in-source-document.xml:
* fast/xsl/resources/dtd-in-source-document.dtd.xml: Rename from LayoutTests/fast/xsl/resources/dtd-in-source-document.dtd.
* fast/xsl/resources/xslt-second-level-import.xsl:
* fast/xsl/resources/xslt-second-level-import.xsl.dtd.xml: Rename from LayoutTests/fast/xsl/resources/xslt-second-level-import.xsl.dtd.

* http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt:
* http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml:
- Add test cases without "X-Content-Type-Options: nosniff"
  header.

* http/tests/security/xss-DENIED-xsl-external-entity-redirect-expected.txt:
- Add newly expected console error messages about cross-origin
  resource load failures.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@261443 268f45cc-cd09-0410-ab3c-d52691b4dbfc
28 files changed:
LayoutTests/ChangeLog
LayoutTests/dom/xhtml/level3/core/entitygetinputencoding03.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetinputencoding04.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetxmlencoding02.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetxmlencoding03.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetxmlencoding04.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetxmlversion03.xhtml
LayoutTests/dom/xhtml/level3/core/entitygetxmlversion04.xhtml
LayoutTests/dom/xhtml/level3/core/nodegetbaseuri16.xhtml
LayoutTests/dom/xhtml/level3/core/nodegetbaseuri19.xhtml
LayoutTests/dom/xhtml/level3/core/nodegetbaseuri20.xhtml
LayoutTests/dom/xhtml/level3/core/resources/external_foo.ent.xml [moved from LayoutTests/dom/xhtml/level3/core/external_foo.ent with 100% similarity]
LayoutTests/dom/xhtml/level3/core/resources/external_foobr.ent.xml [moved from LayoutTests/dom/xhtml/level3/core/external_foobr.ent with 100% similarity]
LayoutTests/dom/xhtml/level3/core/resources/external_widget.ent.xml [moved from LayoutTests/dom/xhtml/level3/core/external_widget.ent with 100% similarity]
LayoutTests/fast/parser/external-entities.xml
LayoutTests/fast/parser/resources/external-entities.dtd.xml [moved from LayoutTests/fast/parser/resources/external-entities.dtd with 100% similarity]
LayoutTests/fast/parser/resources/external-entities.xsl
LayoutTests/fast/xsl/dtd-in-source-document.xml
LayoutTests/fast/xsl/resources/dtd-in-source-document.dtd.xml [moved from LayoutTests/fast/xsl/resources/dtd-in-source-document.dtd with 100% similarity]
LayoutTests/fast/xsl/resources/xslt-second-level-import.xsl
LayoutTests/fast/xsl/resources/xslt-second-level-import.xsl.dtd.xml [moved from LayoutTests/fast/xsl/resources/xslt-second-level-import.xsl.dtd with 100% similarity]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml
LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-redirect-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLBaseElement.cpp
Source/WebCore/xml/XMLHttpRequest.cpp
Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
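
The MIME-type gate described in the commit message, as an added stand-alone sketch; it is not WebKit's code and not part of this commit. The function names other than the changelog's, the set of XML MIME types, the extension table, and the OnlyUnderNosniff policy (this example's reading of the behaviour before the change) are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Lower-cased "type/subtype" of a Content-Type value; parameters and outer whitespace dropped.
std::string mimeEssence(const std::string& contentType)
{
    std::string s = contentType.substr(0, contentType.find(';'));
    auto first = s.find_first_not_of(" \t\r\n");
    if (first == std::string::npos)
        return "";
    s = s.substr(first, s.find_last_not_of(" \t\r\n") - first + 1);
    std::transform(s.begin(), s.end(), s.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumption of this example: XML types are text/xml, application/xml and type/subtype+xml.
bool isXMLMIMEType(const std::string& t)
{
    auto slash = t.find('/');
    bool plusXML = slash != std::string::npos && slash > 0 && t.size() > slash + 5
        && t.compare(t.size() - 4, 4, "+xml") == 0;
    return t == "text/xml" || t == "application/xml" || plusXML;
}

// Hypothetical extension lookup standing in for the file:/// fallback path.
std::string mimeTypeForFileURL(const std::string& url)
{
    auto dot = url.rfind('.');
    std::string ext = dot == std::string::npos ? "" : url.substr(dot + 1);
    if (ext == "xml")
        return "application/xml";
    return ext == "xhtml" ? "application/xhtml+xml" : "application/octet-stream";
}

enum class Policy { OnlyUnderNosniff, AlwaysRequireXML };

// Decide whether an external entity or DTD response may be handed to the XML parser.
bool externalEntityLoadAllowed(Policy policy, const std::string& url,
    const std::string& contentType, bool nosniff)
{
    if (policy == Policy::OnlyUnderNosniff && !nosniff)
        return true; // earlier behaviour as read here: type enforced only with nosniff
    std::string type = mimeEssence(contentType);
    if (type.empty() && url.compare(0, 8, "file:///") == 0)
        type = mimeTypeForFileURL(url);
    return isXMLMIMEType(type);
}
```

With AlwaysRequireXML, a file:/// resource named external-entities.dtd is refused while external-entities.dtd.xml is accepted, which is why the layout-test resources were renamed.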