[GTK] Login & password shown in browsers' URL entry after successful HTTP authentication
author mrobinson@webkit.org <mrobinson@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Jan 2013 16:45:55 +0000 (16:45 +0000)
committer mrobinson@webkit.org <mrobinson@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Jan 2013 16:45:55 +0000 (16:45 +0000)
https://bugs.webkit.org/show_bug.cgi?id=105190

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Test: http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html

* platform/network/soup/ResourceHandleSoup.cpp:
(WebCore::restartedCallback): After sending a redirect with credentials to libsoup, strip
the credentials from the request. This ensures that the credentials do not show up in
the user agent or in document.location.

LayoutTests:

Add a new test that checks the URL of a page that redirects and uses
authentication. This verifies correct behavior for ports that communicate
a request's credentials to the platform networking layer by setting them in the URL.
The credentials should not remain in the URL string itself.

* http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url-expected.txt: Added.
* http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html: Added.
* http/tests/misc/authentication-redirect-4/resources/auth-echo.php: Added.
* http/tests/misc/authentication-redirect-4/resources/auth-then-redirect.php: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@139062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
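The hand-off the commit message describes, as an added Python model that is not WebKit's or libsoup's code: the networking layer is handed the URL with userinfo and derives its Authorization header from it, and the request returned to the client layer has the userinfo stripped. `remove_credentials`, `restarted_callback` and the sample URL are constructed for this example.

```python
from base64 import b64encode
from urllib.parse import urlsplit, urlunsplit


def remove_credentials(url: str) -> str:
    """Return url with any user:password@ userinfo removed.

    Models what the patch's request.removeCredentials() call does
    (assumed behaviour; not WebKit's implementation)."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def restarted_callback(request_url: str, strip: bool):
    """Model of the redirect hand-off in restartedCallback().

    Returns (URL given to the networking layer, the Basic Authorization
    header it derives, URL the WebKit client layer sees). With strip=False
    the client-visible URL keeps the userinfo, which is the bug; with
    strip=True the credentials are removed after libsoup has consumed them.
    """
    parts = urlsplit(request_url)
    auth_header = None
    if parts.username is not None:
        raw = f"{parts.username}:{parts.password or ''}".encode()
        auth_header = "Basic " + b64encode(raw).decode()
    network_url = request_url  # libsoup already received the full URI
    client_url = remove_credentials(request_url) if strip else request_url
    return network_url, auth_header, client_url


# Constructed sample: the redirect target of the layout test, with the
# credentials the port placed into the URL for libsoup's benefit.
SAMPLE = ("http://testUser:testPassword@127.0.0.1:8000"
          "/misc/authentication-redirect-4/resources/auth-echo.php")

if __name__ == "__main__":
    for strip in (False, True):
        _, header, seen = restarted_callback(SAMPLE, strip)
        print(f"strip={strip}: client sees {seen}; header {header}")
```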

LayoutTests/ChangeLog
LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html [new file with mode: 0644]
LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-echo.php [new file with mode: 0644]
LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-then-redirect.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp

index 5891815..580a913 100644 (file)
@@ -1,3 +1,20 @@
+2013-01-08  Martin Robinson  <mrobinson@igalia.com>
+
+        [GTK] Login & password shown in browsers' URL entry after successful HTTP authentication
+        https://bugs.webkit.org/show_bug.cgi?id=105190
+
+        Reviewed by Carlos Garcia Campos.
+
+        Add a new test that checks that the URL of a page that redirects and uses
+        authentication. This verifies correct behavior for ports that communicates
+        a request's credentials to the platform networking layer by setting them in the URL.
+        The credentials should not remain in the URL string itself.
+
+        * http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url-expected.txt: Added.
+        * http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html: Added.
+        * http/tests/misc/authentication-redirect-4/resources/auth-echo.php: Added.
+        * http/tests/misc/authentication-redirect-4/resources/auth-then-redirect.php: Added.
+
 2013-01-08  Zan Dobersek  <zandobersek@gmail.com>
 
         Unreviwed gardening.
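Review bot: the new ChangeLog entry's description has two grammar slips: "checks that the URL of a page that redirects and uses authentication." is missing what is checked about the URL (the next sentence supplies it; "checks the URL of a page that redirects and uses authentication" reads correctly), and "ports that communicates" should be "ports that communicate". The same wording is in the commit message, so fix it in both.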
diff --git a/LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url-expected.txt b/LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url-expected.txt
new file mode 100644 (file)
index 0000000..12fb7e8
--- /dev/null
@@ -0,0 +1,11 @@
+<unknown> - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+https://bugs.webkit.org/show_bug.cgi?id=105190
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.
+This test loads a php script which demands http authentication, then uses it to redirect via 301 to another script in the same origin that shows what authentication headers were sent with the final request. It verifies that the credentials are not placed in the final URL.
+If not running under DRT, enter any credentials when asked.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+http://127.0.0.1:8000/misc/authentication-redirect-4/resources/auth-echo.php loaded with HTTP authentication username 'testUser' and password 'testPassword'
diff --git a/LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html b/LayoutTests/http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html
new file mode 100644 (file)
index 0000000..a905498
--- /dev/null
@@ -0,0 +1,27 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+function appendFrame()
+{
+    i = document.createElement("iframe");
+    i.setAttribute("src", "http://127.0.0.1:8000/misc/authentication-redirect-4/resources/auth-then-redirect.php?redirect");
+    document.body.appendChild(i);
+}
+
+</script>
+
+<body onload="appendFrame();">
+https://bugs.webkit.org/show_bug.cgi?id=105190<br>
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.<br>
+This test loads a php script which demands http authentication, then uses it to redirect via 301 to another script in the same origin that shows what authentication headers were sent with the final request. It verifies that the credentials are not placed in the final URL.<br>
+If not running under DRT, enter any credentials when asked.<br>
+</body>
+
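Review bot: in appendFrame(), `i = document.createElement("iframe");` assigns an undeclared name and so creates an implicit global; declare it with `var i`. Also the `?redirect` query string on the iframe src is not read by auth-then-redirect.php, which redirects unconditionally once credentials are present, so either drop it or note why it is there.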
diff --git a/LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-echo.php b/LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-echo.php
new file mode 100644 (file)
index 0000000..164a00f
--- /dev/null
@@ -0,0 +1,6 @@
+<script>
+    document.write(document.location);
+    document.write(" loaded with HTTP authentication username '<? echo $_SERVER["PHP_AUTH_USER"] ?>' and password '<? echo $_SERVER["PHP_AUTH_PW"] ?>'");
+    if (window.testRunner)
+        window.testRunner.notifyDone();
+</script>
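Review bot: the short open tags `<? echo ... ?>` only work when short_open_tag is enabled, while the sibling auth-then-redirect.php uses `<?php`; use `<?php echo $_SERVER["PHP_AUTH_USER"] ?>` (or `<?=`) here so the test does not depend on that setting. The values are also written into a JavaScript string unescaped; the DRT path uses fixed testUser/testPassword, but the page invites manual entry of any credentials, and a quote in those would break the script.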
diff --git a/LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-then-redirect.php b/LayoutTests/http/tests/misc/authentication-redirect-4/resources/auth-then-redirect.php
new file mode 100644 (file)
index 0000000..aa8775c
--- /dev/null
@@ -0,0 +1,13 @@
+<?php
+
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+    header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+
+header("Location: http://127.0.0.1:8000/misc/authentication-redirect-4/resources/auth-echo.php", true, 301);
+exit;
+
+?>
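Review bot: `strlen($_SERVER["PHP_AUTH_USER"])` on the first, unauthenticated request reads an undefined index and emits a PHP notice before the 401 headers are sent; guard the lookup first, e.g. `if (!isset($_SERVER["PHP_AUTH_USER"]) || !isset($_SERVER["PHP_AUTH_PW"]) || !strlen(...))`. The trailing `?>` after `exit;` is unreachable and can be dropped.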
index ea7723f..66c008f 100644 (file)
@@ -1,3 +1,17 @@
+2013-01-08  Martin Robinson  <mrobinson@igalia.com>
+
+        [GTK] Login & password shown in browsers' URL entry after successful HTTP authentication
+        https://bugs.webkit.org/show_bug.cgi?id=105190
+
+        Reviewed by Carlos Garcia Campos.
+
+        Test: http/tests/misc/authentication-redirect-4/authentication-sent-to-redirect-same-origin-url.html
+
+        * platform/network/soup/ResourceHandleSoup.cpp:
+        (WebCore::restartedCallback): After sending a redirect with credentials to libsoup, strip
+        the credentials from the request. This ensures that the credentials do not show up in
+        the user agent or in document.location.
+
 2013-01-08  Keishi Hattori  <keishi@webkit.org>
 
         [Chromium] Don't confine page popups to root view on Mac
index 0304720..5f0aa12 100644 (file)
@@ -426,6 +426,10 @@ static void restartedCallback(SoupMessage* message, gpointer data)
     GOwnPtr<SoupURI> newSoupURI(request.soupURI());
     soup_message_set_uri(message, newSoupURI.get());
 
+    // If we sent credentials with this request's URL, we don't want the response to carry them to
+    // the WebKit layer. They were only placed in the URL for the benefit of libsoup.
+    request.removeCredentials();
+
     if (d->client())
         d->client()->willSendRequest(handle, request, redirectResponse);
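Review bot: the new comment says "we don't want the response to carry them", but what is stripped is `request`, which is then handed to `willSendRequest`; reword it to say the redirected request returned to the WebKit layer. The placement is right, since `soup_message_set_uri` has already been given the credentialed URI on the line above. Worth checking whether `redirectResponse`, passed on the same call, carries a URL with the credentials too, since it reaches the client alongside the request.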