2011-03-28 Maciej Stachowiak <mjs@apple.com>
author    mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 28 Mar 2011 20:53:20 +0000 (20:53 +0000)
committer mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 28 Mar 2011 20:53:20 +0000 (20:53 +0000)
        Reviewed by Darin Adler.

        URLs with non-empty username but empty hostname treat first path segment as hostname, potentially enabling XSS
        https://bugs.webkit.org/show_bug.cgi?id=57220

        Test: http/tests/uri/username-with-no-hostname.html

        * platform/KURL.cpp:
        (WebCore::hostPortIsEmptyButUserPassIsNot):
        (WebCore::KURL::parse):
2011-03-28  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Darin Adler.

        URLs with non-empty username but empty hostname are allowed to load
        https://bugs.webkit.org/show_bug.cgi?id=57220

        * http/tests/uri/username-with-no-hostname-expected.txt: Added.
        * http/tests/uri/username-with-no-hostname.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@82152 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/uri/username-with-no-hostname-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/uri/username-with-no-hostname.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/KURL.cpp

index 2246ff39790c203d8d676f506eb20ba048d9a941..0b6f2b55d6f1610bdc4ed92dab12b7dcf2fe695b 100644 (file)
@@ -1,3 +1,13 @@
+2011-03-28  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Darin Adler' .
+
+        URLSs with non-empty username but empty hostname are allowed to load
+        https://bugs.webkit.org/show_bug.cgi?id=57220
+
+        * http/tests/uri/username-with-no-hostname-expected.txt: Added.
+        * http/tests/uri/username-with-no-hostname.html: Added.
+
 2011-03-28  Adam Barth  <abarth@webkit.org>
 
         Reviewed by Eric Seidel.
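Review bot: The new LayoutTests ChangeLog entry carries two typos that will be copied into the permanent log: "URLSs" should read "URLs", and the stray apostrophe and space in "Reviewed by Darin Adler' ." should become `Reviewed by Darin Adler.`; the same wording appears in the Source/WebCore ChangeLog entry and the commit message, so correct every copy together.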
diff --git a/LayoutTests/http/tests/uri/username-with-no-hostname-expected.txt b/LayoutTests/http/tests/uri/username-with-no-hostname-expected.txt
new file mode 100644 (file)
index 0000000..655bd25
--- /dev/null
@@ -0,0 +1,3 @@
+This test checks that URLs with a username but no hostname do not mistakenly get loaded. If it fails in the browser, you will also see an image.
+PASS document.getElementsByTagName("img")[0].width is 0
+
diff --git a/LayoutTests/http/tests/uri/username-with-no-hostname.html b/LayoutTests/http/tests/uri/username-with-no-hostname.html
new file mode 100644 (file)
index 0000000..30c8861
--- /dev/null
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <link rel="stylesheet" href="/js-test-resources/js-test-style.css">
+  <script src="/js-test-resources/js-test-pre.js"></script>
+</head>
+<body onload="load()">
+
+This test checks that URLs with a username but no hostname do not
+mistakenly get loaded. If it fails in the browser, you will also see
+an image.
+
+<p id="description"></p>
+<div id="console"></div>
+
+<img src="http://user@/localhost:8000/misc/resources/compass.jpg">
+<script>
+function load() {
+    shouldBe('document.getElementsByTagName("img")[0].width', "0");
+}
+</script>       
+
+</body>
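Review bot: The test can pass vacuously: `shouldBe('document.getElementsByTagName("img")[0].width', "0")` is also satisfied when the HTTP test server is not serving `/misc/resources/compass.jpg` at all, so a regression in `KURL::parse` would go unnoticed whenever the fixture is missing. Suggest adding a positive-control `<img>` that loads the same resource through the well-formed `http://localhost:8000/misc/resources/compass.jpg` URL and asserting a non-zero width for it, so the test distinguishes "rejected by the URL parser" from "nothing loaded". Two smaller points in the same hunk: the document ends at `</body>` with no closing `</html>`, and the `</script>` line carries trailing whitespace.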
index a42664579cc41c0b5f9a322f8f254fc40580a2f7..e2ba947560dc2c28fb607516c5e07cdd7f20326a 100644 (file)
@@ -1,3 +1,16 @@
+2011-03-28  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Darin Adler' .
+
+        URLSs with non-empty username but empty hostname treat first path segment as hostname, potentially enabling XSS
+        https://bugs.webkit.org/show_bug.cgi?id=57220
+
+        Test: http/tests/uri/username-with-no-hostname.html
+
+        * platform/KURL.cpp:
+        (WebCore::hostPortIsEmptyButUserPassIsNot):
+        (WebCore::KURL::parse):
+
 2011-03-28  Adam Barth  <abarth@webkit.org>
 
         Reviewed by Eric Seidel.
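Review bot: The ChangeLog lists the new helper as `(WebCore::hostPortIsEmptyButUserPassIsNot)`, but the KURL.cpp hunk in this same commit adds it under the name `hostPortIsEmptyButCredentialsArePresent`; the entry should use the name that was actually committed so the log stays searchable against the source. The "URLSs" and "Darin Adler' ." typos are present in this entry as well.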
index 8c8646e9861c4671dfcb7d48c80bfb1e3010a1d3..4a93502eb6758a133e3b91e28d1afa23128da7bd 100644 (file)
@@ -1132,6 +1132,11 @@ static inline bool isDefaultPortForScheme(const char* port, size_t portLength, c
     return false;
 }
 
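Review bot: `hostPortIsEmptyButCredentialsArePresent` encodes a non-obvious invariant of the parser's index bookkeeping, namely that `hostStart == portEnd` can only hold when both the host and the port components are empty, and that `userEndChar == '@'` is what distinguishes a real (possibly empty) credentials section from the no-authority case. A one-line comment stating that invariant would help the next reader, as would noting that an empty username followed by `@` (`http://@/...`) is deliberately caught by the same check, since the function name alone does not say so.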
+static inline bool hostPortIsEmptyButCredentialsArePresent(int hostStart, int portEnd, char userEndChar)
+{
+    return userEndChar == '@' && hostStart == portEnd;
+}
+
 void KURL::parse(const char* url, const String* originalString)
 {
     if (!url || url[0] == '\0') {
@@ -1257,6 +1262,12 @@ void KURL::parse(const char* url, const String* originalString)
             return;
         }
 
+        if (hostPortIsEmptyButCredentialsArePresent(hostStart, portEnd, url[userEnd])) {
+            m_string = originalString ? *originalString : url;
+            invalidate();
+            return;
+        }
+
         if (userStart == portEnd && !m_protocolInHTTPFamily && !isFile) {
             // No authority found, which means that this is not a net_path, but rather an abs_path whose first two
             // path segments are empty. For file, http and https only, an empty authority is allowed.
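Review bot: The new early return is placed before the `userStart == portEnd` no-authority branch, which is the right order: the `@` makes `userStart != portEnd`, so without this check the URL would fall through to the path-as-host handling the bug report describes. A short comment at the call site explaining why such a URL is rejected outright with `invalidate()` rather than parsed with an empty host would make the intent clear to anyone later refactoring `parse`. Please also confirm that assigning `m_string` before `invalidate()` matches what the other early-return paths in this function do, so that `string()` on an invalid URL consistently returns the original input.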