Title: [203288] trunk
- Revision: 203288
- Author: [email protected]
- Date: 2016-07-15 11:39:27 -0700 (Fri, 15 Jul 2016)
Log Message
WebKit should prevent push/replace state with username in URL.
<rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818
Reviewed by Brent Fulgham.
Source/WebCore:
Test: http/tests/security/history-username-password.html
* page/History.cpp:
(WebCore::History::stateObjectAdded): Don't allow URLs with usernames/passwords.
LayoutTests:
* http/tests/security/history-username-password-expected.txt: Added.
* http/tests/security/history-username-password.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (203287 => 203288)
--- trunk/LayoutTests/ChangeLog 2016-07-15 18:33:32 UTC (rev 203287)
+++ trunk/LayoutTests/ChangeLog 2016-07-15 18:39:27 UTC (rev 203288)
@@ -1,3 +1,13 @@
+2016-07-15 Brady Eidson <[email protected]>
+
+ WebKit should prevent push/replace state with username in URL.
+ <rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/history-username-password-expected.txt: Added.
+ * http/tests/security/history-username-password.html: Added.
+
2016-07-15 Ryan Haddad <[email protected]>
Unreviewed, rolling out r203266.
Added: trunk/LayoutTests/http/tests/security/history-username-password-expected.txt (0 => 203288)
--- trunk/LayoutTests/http/tests/security/history-username-password-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/history-username-password-expected.txt 2016-07-15 18:39:27 UTC (rev 203288)
@@ -0,0 +1,14 @@
+Click to test in new window
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+
Added: trunk/LayoutTests/http/tests/security/history-username-password.html (0 => 203288)
--- trunk/LayoutTests/http/tests/security/history-username-password.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/history-username-password.html 2016-07-15 18:39:27 UTC (rev 203288)
@@ -0,0 +1,82 @@
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+}
+
+function log(msg)
+{
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function testHistoryObject(historyToTest)
+{
+ try {
+ historyToTest.replaceState(null, "Phishy Title", location.protocol + "//www.webkit.org" + "@" + location.host);
+ log("replaceState with username worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+
+ try {
+ historyToTest.replaceState(null, "Phishy Title", location.protocol + "//:www.webkit.org" + "@" + location.host);
+ log("replaceState with password worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+
+ try {
+ historyToTest.replaceState(null, "Phishy Title", location.protocol + "//www.webkit:org" + "@" + location.host);
+ log("replaceState with username and password worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+
+ try {
+ historyToTest.pushState(null, "Phishy Title", location.protocol + "//www.webkit.org" + "@" + location.host);
+ log("pushState with username worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+
+ try {
+ historyToTest.pushState(null, "Phishy Title", location.protocol + "//:www.webkit.org" + "@" + location.host);
+ log("pushState with password worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+
+ try {
+ historyToTest.pushState(null, "Phishy Title", location.protocol + "//www.webkit:org" + "@" + location.host);
+ log("pushState with username and password worked, shouldn't have.");
+ } catch(e) {
+ log(e);
+ }
+}
+
+function clicked()
+{
+ newWindow = window.open('','newWindow');
+ testHistoryObject(newWindow.history);
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function loaded()
+{
+ testHistoryObject(window.history);
+
+ if (window.eventSender) {
+ var button = document.getElementById("theButton");
+ eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ }
+}
+
+</script>
+<body _onload_="loaded();">
+<button id="theButton" _onclick_="clicked();">Click to test in new window</button>
+<div id="logger"></div>
+</body>
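Review bot: testHistoryObject() only exercises URLs that are expected to throw, so the test would pass just as well if pushState/replaceState rejected every URL. Add a control call with a same-origin URL that has no userinfo (for example location.protocol + "//" + location.host + location.pathname) and log that it succeeded, so the baseline shows the new check does not over-block. Each catch block also logs only e; prefixing the case name would make the twelve identical baseline lines distinguishable, and newWindow in clicked() should be declared with var rather than leaking as a global.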
Modified: trunk/Source/WebCore/ChangeLog (203287 => 203288)
--- trunk/Source/WebCore/ChangeLog 2016-07-15 18:33:32 UTC (rev 203287)
+++ trunk/Source/WebCore/ChangeLog 2016-07-15 18:39:27 UTC (rev 203288)
@@ -1,3 +1,15 @@
+2016-07-15 Brady Eidson <[email protected]>
+
+ WebKit should prevent push/replace state with username in URL.
+ <rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/history-username-password.html
+
+ * page/History.cpp:
+ (WebCore::History::stateObjectAdded): Don't allow URLs with usernames/passwords.
+
2016-07-15 Ryan Haddad <[email protected]>
Unreviewed, rolling out r203266.
Modified: trunk/Source/WebCore/page/History.cpp (203287 => 203288)
--- trunk/Source/WebCore/page/History.cpp 2016-07-15 18:33:32 UTC (rev 203287)
+++ trunk/Source/WebCore/page/History.cpp 2016-07-15 18:39:27 UTC (rev 203288)
@@ -152,6 +152,15 @@
return;
}
+ if (fullURL.hasUsername() || fullURL.hasPassword()) {
+ ec.code = SECURITY_ERR;
+ if (stateObjectType == StateObjectType::Replace)
+ ec.message = makeString("Attempt to use history.replaceState() to change session history URL to ", fullURL.string(), " is insecure; Username/passwords aren't allowed in state object URLs");
+ else
+ ec.message = makeString("Attempt to use history.pushState() to add URL ", fullURL.string(), " to session history is insecure; Username/passwords aren't allowed in state object URLs");
+ return;
+ }
+
Document* mainDocument = m_frame->page()->mainFrame().document();
History* mainHistory = nullptr;
if (mainDocument) {
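Review bot: both branches pass fullURL.string() into ec.message, so the URL that was just rejected for carrying a username or password is copied as given into the exception text. Consider reporting the URL with the userinfo stripped, or only stating that userinfo is present. The new block also has no comment saying why userinfo is refused in state object URLs; a one-line comment pointing at bug 159818 would help, and the shared tail of the two messages ("Username/passwords aren't allowed in state object URLs") could be factored out of the if/else.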