Forbid < and > in URL hosts
author achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Jan 2018 23:38:26 +0000 (23:38 +0000)
committer achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Jan 2018 23:38:26 +0000 (23:38 +0000)
https://bugs.webkit.org/show_bug.cgi?id=181308
<rdar://problem/36012757>

Reviewed by Tim Horton.

LayoutTests/imported/w3c:

* web-platform-tests/url/a-element-expected.txt:
* web-platform-tests/url/a-element-origin-expected.txt:
* web-platform-tests/url/a-element-origin-xhtml-expected.txt:
* web-platform-tests/url/a-element-xhtml-expected.txt:
* web-platform-tests/url/url-constructor-expected.txt:
* web-platform-tests/url/url-origin-expected.txt:

Source/WebCore:

https://url.spec.whatwg.org/#forbidden-host-code-point does not include these characters yet, but I think it should.
Firefox fails to parse URLs with < or > in the host.  Chrome percent encodes them.  Safari needs to do something.
The web platform tests are unclear on this case, and they will need to be updated with the specification.
They do show a change in behavior, though.

* platform/URLParser.cpp:
Add < and > to the list of forbidden host code points.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226469 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt
LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-expected.txt
LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-xhtml-expected.txt
LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt
LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt
LayoutTests/imported/w3c/web-platform-tests/url/url-origin-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/platform/URLParser.cpp

index 2668ef6..f8d9bc4 100644 (file)
@@ -1,3 +1,18 @@
+2018-01-05  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid < and > in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=181308
+        <rdar://problem/36012757>
+
+        Reviewed by Tim Horton.
+
+        * web-platform-tests/url/a-element-expected.txt:
+        * web-platform-tests/url/a-element-origin-expected.txt:
+        * web-platform-tests/url/a-element-origin-xhtml-expected.txt:
+        * web-platform-tests/url/a-element-xhtml-expected.txt:
+        * web-platform-tests/url/url-constructor-expected.txt:
+        * web-platform-tests/url/url-origin-expected.txt:
+
 2018-01-05  Youenn Fablet  <youenn@apple.com>
 
         Skip LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/claim-shared-worker-fetch.https.html
index 2aa7e60..3461817 100644 (file)
@@ -340,7 +340,7 @@ PASS Parsing: <data:/../> against <about:blank>
 PASS Parsing: <javascript:/../> against <about:blank> 
 PASS Parsing: <mailto:/../> against <about:blank> 
 PASS Parsing: <sc://ñ.test/> against <about:blank> 
-PASS Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> 
+FAIL Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> assert_equals: href expected "sc://%1F!\"$&'()*+,-.;<=>^_`{|}~/" but got "sc://\x1f!\"$&'()*+,-.;<=>^_`{|}~/"
 PASS Parsing: <sc://\0/> against <about:blank> 
 PASS Parsing: <sc:// /> against <about:blank> 
 PASS Parsing: <sc://%/> against <about:blank> 
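
Review bot: The rebaselined sc://\1f!... line cannot show that < and > are what changed the result, because the same host string also carries U+001F and a long run of other punctuation. The new "got" value is the input echoed back with a raw \x1f, so href is no longer a serialized URL for this input. Suggest adding a focused test whose host contains only < or only >, so the expectation isolates the characters this commit forbids.
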
index be3624c..8397936 100644 (file)
@@ -252,7 +252,7 @@ PASS Parsing origin: <data:/../> against <about:blank>
 PASS Parsing origin: <javascript:/../> against <about:blank> 
 FAIL Parsing origin: <mailto:/../> against <about:blank> assert_equals: origin expected "null" but got "mailto://"
 FAIL Parsing origin: <sc://ñ.test/> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1.test"
-FAIL Parsing origin: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;<=>^_`{|}~"
+PASS Parsing origin: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> 
 FAIL Parsing origin: <x> against <sc://ñ> assert_equals: origin expected "null" but got "sc://%c3%b1"
 FAIL Parsing origin: <sc:\../> against <about:blank> assert_equals: origin expected "null" but got "sc://"
 FAIL Parsing origin: <sc::a@example.net> against <about:blank> assert_equals: origin expected "null" but got "sc://"
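
Review bot: The FAIL to PASS flip on the sc://\1f!... origin line should not be read as a fix to origin serialization. The neighbouring sc:// lines still fail with expected "null" but got "sc://...", and the url-constructor baseline reports "Type error" for the same input, so this line passes as a side effect of the URL now being rejected. Worth saying so in the LayoutTests ChangeLog entry, which lists the rebaselined files without any explanation.
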
index be3624c..8397936 100644 (file)
@@ -252,7 +252,7 @@ PASS Parsing origin: <data:/../> against <about:blank>
 PASS Parsing origin: <javascript:/../> against <about:blank> 
 FAIL Parsing origin: <mailto:/../> against <about:blank> assert_equals: origin expected "null" but got "mailto://"
 FAIL Parsing origin: <sc://ñ.test/> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1.test"
-FAIL Parsing origin: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;<=>^_`{|}~"
+PASS Parsing origin: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> 
 FAIL Parsing origin: <x> against <sc://ñ> assert_equals: origin expected "null" but got "sc://%c3%b1"
 FAIL Parsing origin: <sc:\../> against <about:blank> assert_equals: origin expected "null" but got "sc://"
 FAIL Parsing origin: <sc::a@example.net> against <about:blank> assert_equals: origin expected "null" but got "sc://"
index 2aa7e60..3461817 100644 (file)
@@ -340,7 +340,7 @@ PASS Parsing: <data:/../> against <about:blank>
 PASS Parsing: <javascript:/../> against <about:blank> 
 PASS Parsing: <mailto:/../> against <about:blank> 
 PASS Parsing: <sc://ñ.test/> against <about:blank> 
-PASS Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> 
+FAIL Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> assert_equals: href expected "sc://%1F!\"$&'()*+,-.;<=>^_`{|}~/" but got "sc://\x1f!\"$&'()*+,-.;<=>^_`{|}~/"
 PASS Parsing: <sc://\0/> against <about:blank> 
 PASS Parsing: <sc:// /> against <about:blank> 
 PASS Parsing: <sc://%/> against <about:blank> 
index c7cb614..b76e027 100644 (file)
@@ -346,7 +346,7 @@ PASS Parsing: <data:/../> against <about:blank>
 PASS Parsing: <javascript:/../> against <about:blank> 
 PASS Parsing: <mailto:/../> against <about:blank> 
 PASS Parsing: <sc://ñ.test/> against <about:blank> 
-PASS Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> 
+FAIL Parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> Type error
 PASS Parsing: <sc://\0/> against <about:blank> 
 PASS Parsing: <sc:// /> against <about:blank> 
 PASS Parsing: <sc://%/> against <about:blank> 
index c57043b..55a6666 100644 (file)
@@ -252,7 +252,7 @@ PASS Origin parsing: <data:/../> against <about:blank>
 PASS Origin parsing: <javascript:/../> against <about:blank> 
 FAIL Origin parsing: <mailto:/../> against <about:blank> assert_equals: origin expected "null" but got "mailto://"
 FAIL Origin parsing: <sc://ñ.test/> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1.test"
-FAIL Origin parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;<=>^_`{|}~"
+FAIL Origin parsing: <sc://\1f!"$&'()*+,-.;<=>^_`{|}~/> against <about:blank> Type error
 FAIL Origin parsing: <x> against <sc://ñ> assert_equals: origin expected "null" but got "sc://%c3%b1"
 FAIL Origin parsing: <sc:\../> against <about:blank> assert_equals: origin expected "null" but got "sc://"
 FAIL Origin parsing: <sc::a@example.net> against <about:blank> assert_equals: origin expected "null" but got "sc://"
index dbd5b09..5ca6e54 100644 (file)
@@ -1,3 +1,19 @@
+2018-01-05  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid < and > in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=181308
+        <rdar://problem/36012757>
+
+        Reviewed by Tim Horton.
+
+        https://url.spec.whatwg.org/#forbidden-host-code-point does not include these characters yet, but I think it should.
+        Firefox fails to parse URLs with < or > in the host.  Chrome percent encodes them.  Safari needs to do something.
+        The web platform tests are unclear on this case, and they will need to be updated with the specification.
+        They do show a change in behavior, though.
+
+        * platform/URLParser.cpp:
+        Add < and > to the list of forbidden host code points.
+
 2018-01-05  Eric Carlson  <eric.carlson@apple.com>
 
         [MediaStream] Add Mac screen capture source
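
Review bot: The entry says the spec "does not include these characters yet" and that the tests "will need to be updated", but it links neither an upstream spec issue nor a test change, and it never states which of the two behaviours it describes WebKit adopts (failing like Firefox or percent-encoding like Chrome). Suggest naming the choice explicitly (the new baselines show the parse failing) and adding the upstream link, so the FAIL baselines in this commit can be revisited when the specification settles.
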
index d93c03f..44d82b9 100644 (file)
@@ -191,7 +191,7 @@ static const uint8_t characterClassTable[256] = {
     0, // '$'
     ForbiddenHost, // '%'
     0, // '&'
-    0, // '''
+    0, // '\''
     0, // '('
     0, // ')'
     0, // '*'
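
Review bot: The comment change from ''' to '\'' on the apostrophe row is unrelated to forbidding < and > and is not mentioned in the ChangeLog entry for platform/URLParser.cpp. It is harmless, but either mention it there or land it separately so that the functional change is the only edit to characterClassTable in this commit.
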
@@ -212,9 +212,9 @@ static const uint8_t characterClassTable[256] = {
     ValidScheme, // '9'
     UserInfo | ForbiddenHost, // ':'
     UserInfo, // ';'
-    UserInfo | Default | QueryPercent, // '<'
+    UserInfo | Default | QueryPercent | ForbiddenHost, // '<'
     UserInfo, // '='
-    UserInfo | Default | QueryPercent, // '>'
+    UserInfo | Default | QueryPercent | ForbiddenHost, // '>'
     UserInfo | Default | SlashQuestionOrHash | ForbiddenHost, // '?'
     UserInfo | ForbiddenHost, // '@'
     ValidScheme, // 'A'
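
Review bot: ForbiddenHost on the '<' and '>' rows is, per the ChangeLog, a deliberate departure from the spec's forbidden host code point list, yet nothing at the table says so, and a later sync of characterClassTable against the specification could silently drop it. Suggest a short comment at these two rows pointing to bug 181308. Also, every changed expectation in this commit uses the non-special sc: scheme, and the files touched include no test for a special scheme such as http with < or > in the host; please add one so the behaviour that matters most for web content is pinned down.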