2007-11-22 Julien Chaffraix <julien.chaffraix@gmail.com>
authorap@webkit.org <ap@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Nov 2007 11:03:32 +0000 (11:03 +0000)
committerap@webkit.org <ap@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Nov 2007 11:03:32 +0000 (11:03 +0000)
        Reviewed by Alexey.

        Bug 15530: XMLHttpRequest should not support certain methods

        Test: http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html

        * xml/XMLHttpRequest.cpp:
        (WebCore::XMLHttpRequest::open):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27970 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/xml/XMLHttpRequest.cpp

index b882ce3358285ebb6ecaa79139b69010be1ff566..d49ae17b5e699f2279ae4f7da51fb50d1f3dd970 100644 (file)
@@ -1,3 +1,12 @@
+2007-11-22  Julien Chaffraix  <julien.chaffraix@gmail.com>
+
+        Reviewed by Alexey.
+
+        Bug 15530: XMLHttpRequest should not support certain methods
+
+        * http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception-expected.txt: Added.
+        * http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html: Added.
+
 2007-11-21  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Eric Seidel.
diff --git a/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception-expected.txt b/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception-expected.txt
new file mode 100644 (file)
index 0000000..7d27347
--- /dev/null
@@ -0,0 +1,8 @@
+Test bug 15530: XMLHttpRequest should not support certain methods
+
+Should see a test for the TRACE, TRACK and CONNECT methods :
+
+TRACE : PASS
+TRACK : PASS
+CONNECT : PASS
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html b/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html
new file mode 100644 (file)
index 0000000..fc9c5d4
--- /dev/null
@@ -0,0 +1,60 @@
+<html><head></head><body>
+
+<p>Test bug 15530: XMLHttpRequest should not support certain methods</p>
+<p>Should see a test for the TRACE, TRACK and CONNECT methods :</p>
+<div id="ans"></div>
+
+<script type="text/javascript">
+function log(message)
+{
+    document.getElementById("ans").appendChild(document.createTextNode(message));
+}
+
+function insertNewLine()
+{
+    document.getElementById("ans").appendChild(document.createElement("br"));
+}
+
+function testException(method)
+{
+    try {
+        xhr.open(method, "resources/1251.html", false);
+        log("FAILED");
+    } catch (e) {
+        log("PASS");
+    }
+}
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var xhr;
+
+if (window.XMLHttpRequest) {
+    xhr = new XMLHttpRequest();
+} else {
+    try {
+        xhr = new ActiveXObject("Msxml2.XMLHTTP");
+    } catch (ex) {
+        xhr = new ActiveXObject("Microsoft.XMLHTTP");
+    }
+}
+
+log("TRACE : ");
+testException("TRACE");
+insertNewLine();
+
+log("TRACK : ");
+testException("TRACK");
+insertNewLine();
+
+log("CONNECT : ");
+testException("CONNECT");
+insertNewLine();
+
+if (window.layoutTestController)
+    layoutTestController.notifyDone();
+
+</script>
+
+</body></html>
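Review bot: `testException()` prints PASS for any exception thrown by `xhr.open()`, so the test cannot tell the intended rejection apart from an unrelated failure, such as `xhr` being unusable. Comparing or logging the caught exception in the `catch` block would pin the behaviour being tested. The three calls also pass only upper-case names, although the implementation upper-cases the method before comparing, so a case variant such as `testException("trace")` deserves its own line and expected output. `layoutTestController.notifyDone()` is called without a matching `waitUntilDone()`, and since every call here is synchronous it can simply be dropped.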
index f627ab3cefdf6c163df0ca7415a486a5a7295709..1eccda0364e84a2e608040a0b5d06d80beaf02c2 100644 (file)
@@ -1,3 +1,14 @@
+2007-11-22  Julien Chaffraix  <julien.chaffraix@gmail.com>
+
+        Reviewed by Alexey.
+
+        Bug 15530: XMLHttpRequest should not support certain methods
+
+        Test: http/tests/xmlhttprequest/xmlhttprequest-forbidden-methods-exception.html
+
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::open):
+
 2007-11-22  Simon Hausmann  <hausmann@kde.org>
 
         Reviewed by George.
index 162eb4df0cfb2be21f679269a4d640d40bdb73c2..9e5172481c635aa4f2b07ed3aaef79d6c56eaaa2 100644 (file)
@@ -2,6 +2,7 @@
  *  This file is part of the KDE libraries
  *  Copyright (C) 2004, 2006 Apple Computer, Inc.
  *  Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org>
+ *  Copyright (C) 2007 Julien Chaffraix <julien.chaffraix@gmail.com>
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -351,14 +352,20 @@ void XMLHttpRequest::open(const String& method, const KURL& url, bool async, Exc
         return;
     }
     
-    m_url = url;
-
     // Method names are case sensitive. But since Firefox uppercases method names it knows, we'll do the same.
     String methodUpper(method.upper());
-    if (methodUpper == "CONNECT" || methodUpper == "COPY" || methodUpper == "DELETE" || methodUpper == "GET" || methodUpper == "HEAD"
-        || methodUpper == "INDEX" || methodUpper == "LOCK" || methodUpper == "M-POST" || methodUpper == "MKCOL" || methodUpper == "MOVE" 
+    
+    if (methodUpper == "TRACE" || methodUpper == "TRACK" || methodUpper == "CONNECT") {
+        ec = PERMISSION_DENIED;
+        return;
+    }
+
+    m_url = url;
+
+    if (methodUpper == "COPY" || methodUpper == "DELETE" || methodUpper == "GET" || methodUpper == "HEAD"
+        || methodUpper == "INDEX" || methodUpper == "LOCK" || methodUpper == "M-POST" || methodUpper == "MKCOL" || methodUpper == "MOVE"
         || methodUpper == "OPTIONS" || methodUpper == "POST" || methodUpper == "PROPFIND" || methodUpper == "PROPPATCH" || methodUpper == "PUT" 
-        || methodUpper == "TRACE" || methodUpper == "UNLOCK")
+        || methodUpper == "UNLOCK")
         m_method = methodUpper.deprecatedString();
     else
         m_method = method.deprecatedString();
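Review bot: The new check rejects only exact matches for `TRACE`, `TRACK` and `CONNECT`, while the `else` branch at the end of the hunk still stores any other caller-supplied method string verbatim in `m_method`. Unless an earlier part of `open()` (outside this hunk) already rejects strings that are not a valid HTTP method token, the denylist should be preceded by that validation, so that only well-formed names reach the comparison and the request line. The check also has no comment saying why these methods are refused; something like `// TRACE/TRACK echo the request, including headers script must not read; CONNECT opens a proxy tunnel. Never allow them from page content.` would keep a later edit from re-adding them to the list below. The function begins and ends outside the hunk.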