Title: [97918] trunk/Source/WebCore
- Revision
- 97918
- Author
- [email protected]
- Date
- 2011-10-19 19:12:28 -0700 (Wed, 19 Oct 2011)
Log Message
Reject invalid MIME type strings for a file selection dialog parameter
https://bugs.webkit.org/show_bug.cgi?id=70095
Reviewed by Darin Fisher and Darin Adler.
No new tests. This affects only a value passed to the WebKit layer.
* html/HTMLInputElement.cpp:
(WebCore::isRFC2616TokenCharacter): Added.
(WebCore::HTMLInputElement::acceptMIMETypes):
Validate a MIME type string, and don't add invalid strings to the output Vector.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (97917 => 97918)
--- trunk/Source/WebCore/ChangeLog 2011-10-20 02:08:10 UTC (rev 97917)
+++ trunk/Source/WebCore/ChangeLog 2011-10-20 02:12:28 UTC (rev 97918)
@@ -1,3 +1,17 @@
+2011-10-19 Kent Tamura <[email protected]>
+
+ Reject invalid MIME type strings for a file selection dialog parameter
+ https://bugs.webkit.org/show_bug.cgi?id=70095
+
+ Reviewed by Darin Fisher and Darin Adler.
+
+ No new tests. This affect only a value passed to WebKit layer.
+
+ * html/HTMLInputElement.cpp:
+ (WebCore::isRFC2616TokenCharacter): Added.
+ (WebCore::HTMLInputElement::acceptMIMETypes):
+ Validate a MIME type string, and don't add invalid strings to the output Vector.
+
2011-10-19 Darin Adler <[email protected]>
Remove OptionElement (first half)
Modified: trunk/Source/WebCore/html/HTMLInputElement.cpp (97917 => 97918)
--- trunk/Source/WebCore/html/HTMLInputElement.cpp 2011-10-20 02:08:10 UTC (rev 97917)
+++ trunk/Source/WebCore/html/HTMLInputElement.cpp 2011-10-20 02:12:28 UTC (rev 97918)
@@ -1307,6 +1307,23 @@
m_name = name;
}
+static inline bool isRFC2616TokenCharacter(UChar ch)
+{
+ return isASCII(ch) && ch > ' ' && ch != '"' && ch != '(' && ch != ')' && ch != ',' && ch != '/' && (ch < ':' || ch > '@') && (ch < '[' || ch > ']') && ch != '{' && ch != '}' && ch != 0x7f;
+}
+
+static inline bool isValidMIMEType(const String& type)
+{
+ size_t slashPosition = type.find('/');
+ if (slashPosition == notFound || !slashPosition || slashPosition == type.length() - 1)
+ return false;
+ for (size_t i = 0; i < type.length(); ++i) {
+ if (!isRFC2616TokenCharacter(type[i]) && i != slashPosition)
+ return false;
+ }
+ return true;
+}
+
Vector<String> HTMLInputElement::acceptMIMETypes()
{
Vector<String> mimeTypes;
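Review bot: The one-line boolean in `isRFC2616TokenCharacter` is hard to audit because nothing says which characters each range comparison is meant to exclude. It does appear to match the RFC 2616 `token` rule (the `':'..'@'` range covers `: ; < = > ? @` and `'['..']'` covers `[ \ ]`), so a comment above it such as `// RFC 2616 token: any CHAR except CTLs and the separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT` would let the next reader confirm that. `isValidMIMEType` would also benefit from `// Accepts only type "/" subtype, both non-empty RFC 2616 tokens; parameters such as "; charset=..." are rejected.`, since the name alone suggests full media-type syntax. The `type.length() - 1` comparison is safe only because an empty string already returns through the `notFound` branch, which deserves a brief mention as well.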
@@ -1319,8 +1336,11 @@
acceptString.split(',', false, splitTypes);
for (size_t i = 0; i < splitTypes.size(); ++i) {
String trimmedMimeType = stripLeadingAndTrailingHTMLSpaces(splitTypes[i]);
- if (!trimmedMimeType.isEmpty())
- mimeTypes.append(trimmedMimeType);
+ if (trimmedMimeType.isEmpty())
+ continue;
+ if (!isValidMIMEType(trimmedMimeType))
+ continue;
+ mimeTypes.append(trimmedMimeType.lower());
}
return mimeTypes;
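Review bot: The `isEmpty()` guard in the loop is now redundant, because `isValidMIMEType` already returns false for an empty string (no `/` is found), so the two branches can collapse into `if (!isValidMIMEType(trimmedMimeType)) continue;`. The appended value is also newly lower-cased, which the log message does not mention; if the intent is normalization for later comparison, a comment such as `// MIME types are case-insensitive; store them lower-cased.` would record it. The check is syntactic only, so wildcard and unregistered types such as `*/*` still pass, and whatever code maps these strings to platform file-chooser filters should keep treating them as page-controlled input. `acceptMIMETypes` begins in the previous hunk and its opening lines are not visible here.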