Title: [212972] trunk
Revision: 212972
Author: cdu...@apple.com
Date: 2017-02-24 16:02:24 -0800 (Fri, 24 Feb 2017)

Log Message

Download attribute should be sanitized before being used as suggested filename
https://bugs.webkit.org/show_bug.cgi?id=168839
<rdar://problem/30683109>

Reviewed by Darin Adler.

Source/WebCore:

Sanitize Download attribute before using it as a suggested filename for the download.
We rely on ResourceResponse's sanitizing of the suggested filename to do so, which has
the benefit of being consistent with downloads without the download attribute.

Tests: fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html
       fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html
       fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html

* html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::handleClick):
* platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseBase::sanitizeSuggestedFilename):
* platform/network/ResourceResponseBase.h:

LayoutTests:

Add layout test coverage.

* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote-expected.txt: Added.
* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html: Added.
* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes-expected.txt: Added.
* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html: Added.
* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt: Added.
* fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html: Added.
* platform/ios-simulator-wk1/TestExpectations:
* platform/ios-simulator-wk2/TestExpectations:
* platform/mac-wk1/TestExpectations:
* platform/win/TestExpectations:

Diff

Modified: trunk/LayoutTests/ChangeLog (212971 => 212972)


--- trunk/LayoutTests/ChangeLog	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/LayoutTests/ChangeLog	2017-02-25 00:02:24 UTC (rev 212972)
@@ -1,3 +1,24 @@
+2017-02-24  Chris Dumez  <cdu...@apple.com>
+
+        Download attribute should be sanitized before being used as suggested filename
+        https://bugs.webkit.org/show_bug.cgi?id=168839
+        <rdar://problem/30683109>
+
+        Reviewed by Darin Adler.
+
+        Add layout test coverage.
+
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote-expected.txt: Added.
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html: Added.
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes-expected.txt: Added.
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html: Added.
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt: Added.
+        * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html: Added.
+        * platform/ios-simulator-wk1/TestExpectations:
+        * platform/ios-simulator-wk2/TestExpectations:
+        * platform/mac-wk1/TestExpectations:
+        * platform/win/TestExpectations:
+
 2017-02-24  Antti Koivisto  <an...@apple.com>
 
         Remove leftover html files.

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote-expected.txt (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote-expected.txt	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,6 @@
+Download started.
+Downloading URL with suggested filename "test"abe.png"
+Download completed.
+The suggested filename above should be 'test"abe.png' and the download should succeed.
+
+File backed blob URL

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type='text/_javascript_'>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>The suggested filename above should be 'test"abe.png' and the download should succeed.</p>
+<a id="blob-url" download='test"abe.png'>File backed blob URL</a>
+<script>
+function click(elmt)
+{
+    if (!window.eventSender) {
+        alert('Click the link to run the test.');
+        return;
+    }
+    eventSender.mouseMoveTo(elmt.offsetLeft + 5, elmt.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+function runTest()
+{
+    file = internals.createFile("../resources/abe.png");
+    var link = document.getElementById("blob-url");
+    link.href = ""
+    click(link);
+}
+runTest();
+</script>
+</body>
+</html>
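
Review bot: in runTest(), `file = internals.createFile("../resources/abe.png");` assigns to an undeclared global and the result is never used, while `link.href = ""` as shown leaves the anchor without a blob URL even though the link text reads "File backed blob URL". Declare `file` with `var` and set `link.href` to a blob URL created from it (for example with `URL.createObjectURL(file)`), so the test exercises a file-backed blob download rather than whatever an empty href resolves to.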

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes-expected.txt (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes-expected.txt	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,6 @@
+Download started.
+Downloading URL with suggested filename "test1_test2abe.png"
+Download completed.
+The suggested filename above should NOT include slashes or backslashes and the download should succeed.
+
+File backed blob URL

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type='text/_javascript_'>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>The suggested filename above should NOT include slashes or backslashes and the download should succeed.</p>
+<a id="blob-url" download="test1/test2\\abe.png">File backed blob URL</a>
+<script>
+function click(elmt)
+{
+    if (!window.eventSender) {
+        alert('Click the link to run the test.');
+        return;
+    }
+    eventSender.mouseMoveTo(elmt.offsetLeft + 5, elmt.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+function runTest()
+{
+    file = internals.createFile("../resources/abe.png");
+    var link = document.getElementById("blob-url");
+    link.href = ""
+    click(link);
+}
+runTest();
+</script>
+</body>
+</html>
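
Review bot: the single input `download="test1/test2\\abe.png"` covers one forward slash and one doubled backslash only; a lone backslash, a `..` segment and a leading dot are not exercised, and those are the cases a filename sanitizer most needs pinned down. Add attribute values for them with their own expectations, so a regression in the underlying sanitizing is caught by this test rather than by the download client.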

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,6 @@
+Download started.
+Downloading URL with suggested filename "你好.png"
+Download completed.
+The suggested filename above should be "你好.png" and the download should succeed.
+
+File backed blob URL

Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html (0 => 212972)


--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html	2017-02-25 00:02:24 UTC (rev 212972)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script type='text/_javascript_'>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>The suggested filename above should be "你好.png" and the download should succeed.</p>
+<a id="blob-url" download='你好.png'>File backed blob URL</a>
+<script>
+function click(elmt)
+{
+    if (!window.eventSender) {
+        alert('Click the link to run the test.');
+        return;
+    }
+    eventSender.mouseMoveTo(elmt.offsetLeft + 5, elmt.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+function runTest()
+{
+    file = internals.createFile("../resources/abe.png");
+    var link = document.getElementById("blob-url");
+    link.href = ""
+    click(link);
+}
+runTest();
+</script>
+</body>
+</html>
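
Review bot: click() and runTest() in this file are copied unchanged from the doublequote and slashes tests; only the `download` value, the `<p>` text and the `<meta charset="utf-8">` line differ. Moving the shared script into a resource file that all three tests include would keep later fixes to the harness in one place.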

Modified: trunk/LayoutTests/platform/ios-simulator-wk1/TestExpectations (212971 => 212972)


--- trunk/LayoutTests/platform/ios-simulator-wk1/TestExpectations	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/LayoutTests/platform/ios-simulator-wk1/TestExpectations	2017-02-25 00:02:24 UTC (rev 212972)
@@ -1327,6 +1327,9 @@
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-download-synthetic-click.html [ Skip ]
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-download-user-triggered-synthetic-click.html [ Skip ]
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html [ Skip ]
 webkit.org/b/156069 http/tests/download/area-download.html [ Skip ]
 webkit.org/b/156069 http/tests/security/anchor-download-allow-blob.html [ Skip ]
 webkit.org/b/156069 http/tests/security/anchor-download-allow-data.html [ Skip ]

Modified: trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations (212971 => 212972)


--- trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations	2017-02-25 00:02:24 UTC (rev 212972)
@@ -1815,6 +1815,9 @@
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-download.html [ Skip ]
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-convert-to-download.html [ Skip ]
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-download.html [ Skip ]
+webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html [ Skip ]
+webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html [ Skip ]
+webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html [ Skip ]
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-file-blob-download-no-extension.html [ Skip ]
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-nodownload-set.html [ Skip ]
 webkit.org/b/156067 fast/dom/HTMLAnchorElement/anchor-nodownload.html [ Skip ]

Modified: trunk/LayoutTests/platform/mac-wk1/TestExpectations (212971 => 212972)


--- trunk/LayoutTests/platform/mac-wk1/TestExpectations	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/LayoutTests/platform/mac-wk1/TestExpectations	2017-02-25 00:02:24 UTC (rev 212972)
@@ -214,6 +214,9 @@
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-download-synthetic-click.html [ Skip ]
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-download-user-triggered-synthetic-click.html [ Skip ]
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html [ Skip ]
+webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html [ Skip ]
 webkit.org/b/156069 fast/dom/HTMLAnchorElement/anchor-file-blob-download-no-extension.html [ Skip ]
 webkit.org/b/156069 http/tests/download/anchor-download-no-extension.html [ Skip ]
 webkit.org/b/156069 http/tests/download/area-download.html [ Skip ]

Modified: trunk/LayoutTests/platform/win/TestExpectations (212971 => 212972)


--- trunk/LayoutTests/platform/win/TestExpectations	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/LayoutTests/platform/win/TestExpectations	2017-02-25 00:02:24 UTC (rev 212972)
@@ -445,6 +445,9 @@
 fast/dom/HTMLAnchorElement/anchor-download-synthetic-click.html [ Skip ]
 fast/dom/HTMLAnchorElement/anchor-download-user-triggered-synthetic-click.html [ Skip ]
 fast/dom/HTMLAnchorElement/anchor-file-blob-download.html [ Skip ]
+fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html [ Skip ]
+fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html [ Skip ]
+fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html [ Skip ]
 fast/dom/HTMLAnchorElement/anchor-file-blob-download-no-extension.html [ Skip ]
 http/tests/download/anchor-download-no-extension.html [ Skip ]
 http/tests/download/area-download.html [ Skip ]
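
Review bot: with these three `[ Skip ]` lines and the matching ones for ios-simulator-wk1, ios-simulator-wk2 and mac-wk1, the new tests do not run on four of the listed configurations, although the sanitizing is delegated to ResourceResponse, whose code in ResourceResponseBase.cpp calls platformSuggestedFilename(). The result is therefore platform-dependent and unverified exactly where the tests are skipped; consider a test of sanitizeSuggestedFilename() that does not depend on download support, so each port's output for quotes, slashes and non-ASCII names is checked.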

Modified: trunk/Source/WebCore/ChangeLog (212971 => 212972)


--- trunk/Source/WebCore/ChangeLog	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/Source/WebCore/ChangeLog	2017-02-25 00:02:24 UTC (rev 212972)
@@ -1,3 +1,25 @@
+2017-02-24  Chris Dumez  <cdu...@apple.com>
+
+        Download attribute should be sanitized before being used as suggested filename
+        https://bugs.webkit.org/show_bug.cgi?id=168839
+        <rdar://problem/30683109>
+
+        Reviewed by Darin Adler.
+
+        Sanitize Download attribute before using it as a suggested filename for the download.
+        We rely on ResourceResponse's sanitizing of the suggested filename to do so, which has
+        the benefit of being consistent with downloads without the download attribute.
+
+        Tests: fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-doublequote.html
+               fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-slashes.html
+               fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode.html
+
+        * html/HTMLAnchorElement.cpp:
+        (WebCore::HTMLAnchorElement::handleClick):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::ResourceResponseBase::sanitizeSuggestedFilename):
+        * platform/network/ResourceResponseBase.h:
+
 2017-02-24  Miguel Gomez  <mago...@igalia.com>
 
         [GTK] WebkitWebProcess crashes on exit on nvidia if threaded compositing is enabled

Modified: trunk/Source/WebCore/html/HTMLAnchorElement.cpp (212971 => 212972)


--- trunk/Source/WebCore/html/HTMLAnchorElement.cpp	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/Source/WebCore/html/HTMLAnchorElement.cpp	2017-02-25 00:02:24 UTC (rev 212972)
@@ -375,13 +375,13 @@
     appendServerMapMousePosition(url, event);
     URL completedURL = document().completeURL(url.toString());
 
-    auto downloadAttribute = nullAtom;
+    String downloadAttribute;
 #if ENABLE(DOWNLOAD_ATTRIBUTE)
     if (RuntimeEnabledFeatures::sharedFeatures().downloadAttributeEnabled()) {
         // Ignore the download attribute completely if the href URL is cross origin.
         bool isSameOrigin = completedURL.protocolIsData() || document().securityOrigin().canRequest(completedURL);
         if (isSameOrigin)
-            downloadAttribute = attributeWithoutSynchronization(downloadAttr);
+            downloadAttribute = ResourceResponse::sanitizeSuggestedFilename(attributeWithoutSynchronization(downloadAttr));
         else if (hasAttributeWithoutSynchronization(downloadAttr))
             document().addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "The download attribute on anchor was ignored because its href URL has a different security origin.");
     }

Modified: trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp (212971 => 212972)


--- trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp	2017-02-25 00:02:24 UTC (rev 212972)
@@ -224,6 +224,19 @@
     return static_cast<const ResourceResponse*>(this)->platformSuggestedFilename();
 }
 
+String ResourceResponseBase::sanitizeSuggestedFilename(const String& suggestedFilename)
+{
+    if (suggestedFilename.isEmpty())
+        return suggestedFilename;
+
+    ResourceResponse response(URL(ParsedURLString, "http://example.com"), String(), -1, String());
+    response.setHTTPStatusCode(200);
+    String escapedSuggestedFilename = String(suggestedFilename).replace('\"', "\\\"");
+    String value = makeString("attachment; filename=\"", escapedSuggestedFilename, '"');
+    response.setHTTPHeaderField(HTTPHeaderName::ContentDisposition, value);
+    return response.suggestedFilename();
+}
+
 bool ResourceResponseBase::isSuccessful() const
 {
     int code = httpStatusCode();
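
Review bot: `replace('\"', "\\\"")` escapes double quotes only, so a backslash already present in the attribute goes into the quoted `filename="..."` value unescaped, where a backslash is itself the escape character; a value that ends in a backslash, or contains a backslash followed by a quote, leaves the quoted string unbalanced for the Content-Disposition parser. Escape `\` before escaping `"`, and strip or reject CR and LF before calling setHTTPHeaderField(). A short comment on why a placeholder `http://example.com` response is built just to reach suggestedFilename() would also help the next reader.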

Modified: trunk/Source/WebCore/platform/network/ResourceResponseBase.h (212971 => 212972)


--- trunk/Source/WebCore/platform/network/ResourceResponseBase.h	2017-02-24 23:16:10 UTC (rev 212971)
+++ trunk/Source/WebCore/platform/network/ResourceResponseBase.h	2017-02-25 00:02:24 UTC (rev 212972)
@@ -114,6 +114,7 @@
 
     WEBCORE_EXPORT bool isAttachment() const;
     WEBCORE_EXPORT String suggestedFilename() const;
+    WEBCORE_EXPORT static String sanitizeSuggestedFilename(const String&);
 
     WEBCORE_EXPORT void includeCertificateInfo() const;
     const std::optional<CertificateInfo>& certificateInfo() const { return m_certificateInfo; };
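
Review bot: the new `sanitizeSuggestedFilename(const String&)` declaration carries no comment, and unlike the members around it it is static and takes page-supplied input. Add one line stating what a caller may assume about the result (for instance that path separators are removed, as the slashes test expects) and that an empty input is returned unchanged, so other callers do not have to read the .cpp to use it safely.
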