2010-04-16 Fumitoshi Ukai <ukai@chromium.org>
author ukai@chromium.org <ukai@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Apr 2010 23:13:30 +0000 (23:13 +0000)
committer ukai@chromium.org <ukai@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Apr 2010 23:13:30 +0000 (23:13 +0000)
        Reviewed by Alexey Proskuryakov.

        WebSocket crash when it receives bad header.
        https://bugs.webkit.org/show_bug.cgi?id=37682

        * websocket/tests/bad-handshake-crash-expected.txt: Added.
        * websocket/tests/bad-handshake-crash.html: Added.
        * websocket/tests/bad-handshake-crash_wsh.py: Added.
        * websocket/tests/script-tests/bad-handshake-crash.js: Added.
2010-04-16  Fumitoshi Ukai  <ukai@chromium.org>

        Reviewed by Alexey Proskuryakov.

        WebSocket crash when it receives bad header.
        https://bugs.webkit.org/show_bug.cgi?id=37682

        If name or value is not valid UTF-8, nameStr or valueStr would be
        null string, so crashed in headers->add(nameStr, valueStr).
        Check both nameStr and valueStr are not null string.
        Otherwise handshake will fail.

        Test: websocket/tests/bad-handshake-crash.html

        * websockets/WebSocketHandshake.cpp:
        (WebCore::WebSocketHandshake::readHTTPHeaders): check nameStr and valueStr are not null string.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@57760 268f45cc-cd09-0410-ab3c-d52691b4dbfc
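
The failure mode the commit message describes (an undecodable byte in a header name or value turning into a null string that reaches the header map) as an added example that is not WebKit's code and not part of this commit: a small client-side parser for the handshake response header block that performs the UTF-8 check explicitly, reports the same two messages the fix logs, and treats an empty header value as legal rather than as a decode error. The status-line prefix, the lower-casing of header names and the whitespace handling around ':' are assumptions of this example, not a transcription of WebSocketHandshake::readHTTPHeaders; the three sample responses are constructed, the second one mirroring what the test server on this page sends.

```python
# Added example, not WebKit code: handshake-response header parsing with an
# explicit UTF-8 validity check, reporting the same messages the fix logs.
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
STATUS_LINE = b"HTTP/1.1 101 "  # assumed draft-era status line prefix


class HandshakeError(Exception):
    """Raised for any condition under which the client must fail the handshake."""


def _decode(field: bytes, what: str) -> str:
    # bytes.decode raises instead of yielding a "null" string, so an invalid
    # sequence is a reportable event here rather than a crash further on.
    try:
        return field.decode("utf-8")
    except UnicodeDecodeError:
        raise HandshakeError("invalid UTF-8 sequence in header " + what) from None


def read_http_headers(data: bytes) -> Dict[str, str]:
    """Parse the header block that follows the status line.

    `data` starts at the first header line and must contain the blank line
    that terminates the block. Names are lower-cased (assumption). An empty
    value is legal; invalid UTF-8 in a name or a value is not.
    """
    headers: Dict[str, str] = {}
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise HandshakeError("header block not terminated")
        line, pos = data[pos:end], end + len(CRLF)
        if not line:                      # empty line: end of headers
            return headers
        name, sep, value = line.partition(b":")
        if not sep or not name:
            raise HandshakeError("malformed header line")
        name_str = _decode(name, "name")
        value_str = _decode(value.strip(b" \t"), "value")
        headers[name_str.lower()] = value_str


def check_handshake(raw: bytes) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
    """Return (headers, None) for an acceptable 101 response, else (None, reason).

    Never raises on malformed input, which is the property the fix restores.
    """
    if not raw.startswith(STATUS_LINE):
        return None, "unexpected status line"
    status_end = raw.find(CRLF)
    if status_end == -1:
        return None, "status line not terminated"
    try:
        headers = read_http_headers(raw[status_end + len(CRLF):])
    except HandshakeError as e:
        return None, str(e)
    if (headers.get("upgrade", "").lower() != "websocket"
            or headers.get("connection", "").lower() != "upgrade"):
        return None, "missing Upgrade/Connection headers"
    return headers, None


# Constructed sample responses (not captured traffic).
GOOD = (b"HTTP/1.1 101 Web Socket Protocol Handshake\r\n"
        b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n"
        b"X-Empty:\r\n\r\n")                 # empty value: must be accepted
BAD_NAME = (b"HTTP/1.1 101 Web Socket Protocol Handshake\r\n"
            b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n"
            b"\xa5:\r\n\r\n")                # what bad-handshake-crash_wsh.py sends
BAD_VALUE = (b"HTTP/1.1 101 Web Socket Protocol Handshake\r\n"
             b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n"
             b"X-Bad: \xc3\x28\r\n\r\n")     # 0xC3 with no valid continuation byte

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("bad name", BAD_NAME), ("bad value", BAD_VALUE)):
        print(label, check_handshake(resp))
```

The point of `check_handshake` returning a reason instead of raising is the same as the fix's early `return 0`: a response from an untrusted server must be able to fail the handshake, but must never be able to take the client down.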

LayoutTests/ChangeLog
LayoutTests/websocket/tests/bad-handshake-crash-expected.txt [new file with mode: 0644]
LayoutTests/websocket/tests/bad-handshake-crash.html [new file with mode: 0644]
LayoutTests/websocket/tests/bad-handshake-crash_wsh.py [new file with mode: 0644]
LayoutTests/websocket/tests/script-tests/bad-handshake-crash.js [new file with mode: 0644]
WebCore/ChangeLog
WebCore/websockets/WebSocketHandshake.cpp

index 0a3bbbf..b0bb0c2 100644 (file)
@@ -1,3 +1,15 @@
+2010-04-16  Fumitoshi Ukai  <ukai@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        WebSocket crash when it receives bad header.
+        https://bugs.webkit.org/show_bug.cgi?id=37682
+
+        * websocket/tests/bad-handshake-crash-expected.txt: Added.
+        * websocket/tests/bad-handshake-crash.html: Added.
+        * websocket/tests/bad-handshake-crash_wsh.py: Added.
+        * websocket/tests/script-tests/bad-handshake-crash.js: Added.
+
 2010-04-16  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Simon Fraser.
diff --git a/LayoutTests/websocket/tests/bad-handshake-crash-expected.txt b/LayoutTests/websocket/tests/bad-handshake-crash-expected.txt
new file mode 100644 (file)
index 0000000..3e7a886
--- /dev/null
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 0: invalid UTF-8 sequence in header name
+Make sure WebSocket doesn't crash with bad handshake message.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+WebSocket is closed
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/websocket/tests/bad-handshake-crash.html b/LayoutTests/websocket/tests/bad-handshake-crash.html
new file mode 100644 (file)
index 0000000..da3a11e
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../fast/js/resources/js-test-style.css">
+<script src="../../fast/js/resources/js-test-pre.js"></script>
+<script src="../../fast/js/resources/js-test-post-function.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+<script src="script-tests/bad-handshake-crash.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/websocket/tests/bad-handshake-crash_wsh.py b/LayoutTests/websocket/tests/bad-handshake-crash_wsh.py
new file mode 100644 (file)
index 0000000..01c4831
--- /dev/null
@@ -0,0 +1,11 @@
+def web_socket_do_extra_handshake(request):
+  msg = "HTTP/1.1 101 Web Socket Protocol Handshake\r\n"
+  msg += "Upgrade: WebSocket\r\n"
+  msg += "Connection: Upgrade\r\n"
+  msg += "\xa5:\r\n"
+  msg += "\r\n"
+  request.connection.write(msg)
+  print msg
+
+def web_socket_transfer_data(request):
+  pass
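Review bot: the handler only exercises the header-name branch of the fix; "\xa5:\r\n" sends an undecodable name with an empty value, and since readHTTPHeaders returns as soon as nameStr is null, the new valueStr.isNull() path is never reached by this test. Add a second handler (a second line after the bad name would not help, for the same reason) that sends a valid name with an undecodable value, e.g. "X-Bad: \xa5\r\n", with an expected console message of "invalid UTF-8 sequence in header value". Also, `print msg` writes the raw 0xa5 byte into the pywebsocket log; it looks like leftover debugging and can be dropped.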
diff --git a/LayoutTests/websocket/tests/script-tests/bad-handshake-crash.js b/LayoutTests/websocket/tests/script-tests/bad-handshake-crash.js
new file mode 100644 (file)
index 0000000..0f0cc6b
--- /dev/null
@@ -0,0 +1,20 @@
+description("Make sure WebSocket doesn't crash with bad handshake message.");
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function finish() {
+    isSuccessfullyParsed();
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+var ws = new WebSocket("ws://127.0.0.1:8880/websocket/tests/bad-handshake-crash");
+ws.onopen = function () {
+    debug("WebSocket is open");
+};
+ws.onclose = function () {
+    debug("WebSocket is closed");
+    finish();
+};
+
+var successfullyParsed = true;
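Review bot: `ws.onopen` only logs; if the handshake were wrongly accepted, the socket would stay open, finish() would never run and the test would time out instead of failing. Have onopen report a failure and close the socket, e.g. `testFailed("handshake with invalid header name was accepted"); ws.close();`, so that onclose still drives finish() and the failure shows up in the expected output rather than as a timeout.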
index ac6998a..03962e9 100644 (file)
@@ -1,3 +1,20 @@
+2010-04-16  Fumitoshi Ukai  <ukai@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        WebSocket crash when it receives bad header.
+        https://bugs.webkit.org/show_bug.cgi?id=37682
+
+        If name or value is not valid UTF-8, nameStr or valueStr would be
+        null string, so crashed in headers->add(nameStr, valueStr).
+        Check both nameStr and valueStr are not null string.
+        Otherwise handshake will fail.
+
+        Test: websocket/tests/bad-handshake-crash.html
+
+        * websockets/WebSocketHandshake.cpp:
+        (WebCore::WebSocketHandshake::readHTTPHeaders): check nameStr and valueStr are not null string.
+
 2010-04-16  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Simon Fraser.
index 0ba6b11..1449c89 100644 (file)
@@ -445,6 +445,14 @@ const char* WebSocketHandshake::readHTTPHeaders(const char* start, const char* e
         }
         AtomicString nameStr(String::fromUTF8(name.data(), name.size()));
         String valueStr = String::fromUTF8(value.data(), value.size());
+        if (nameStr.isNull()) {
+            m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "invalid UTF-8 sequence in header name", 0, clientOrigin());
+            return 0;
+        }
+        if (valueStr.isNull()) {
+            m_context->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "invalid UTF-8 sequence in header value", 0, clientOrigin());
+            return 0;
+        }
         LOG(Network, "name=%s value=%s", nameStr.string().utf8().data(), valueStr.utf8().data());
         headers->add(nameStr, valueStr);
     }
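Review bot: the valueStr check appears to reject legitimate empty header values. When `value` is an empty Vector with no allocated buffer, `value.data()` is a null pointer, and `String::fromUTF8` returns a null String for a null pointer, so a line such as `Foo:\r\n` (the shape the new test server itself sends, only reached first by the name check) would fail the handshake with the misleading message "invalid UTF-8 sequence in header value". Unless the code above this hunk guarantees `value` is non-empty, guard the empty case before treating null as a decode failure, e.g. `String valueStr = value.isEmpty() ? String("") : String::fromUTF8(value.data(), value.size());`, and add a test with an empty value to the layout test. The same consideration applies to `name` if an empty name can reach this point.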