Title: [204797] releases/WebKitGTK/webkit-2.12
Revision: 204797
Author: [email protected]
Date: 2016-08-23 03:41:07 -0700 (Tue, 23 Aug 2016)

Log Message

Merge r203288 - WebKit should prevent push/replace state with username in URL.
<rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818

Reviewed by Brent Fulgham.

Source/WebCore:

Test: http/tests/security/history-username-password.html

* page/History.cpp:
(WebCore::History::stateObjectAdded): Don't allow URLs with usernames/passwords.

LayoutTests:

* http/tests/security/history-username-password-expected.txt: Added.
* http/tests/security/history-username-password.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (204796 => 204797)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-08-23 10:39:11 UTC (rev 204796)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-08-23 10:41:07 UTC (rev 204797)
@@ -1,3 +1,13 @@
+2016-07-15  Brady Eidson  <[email protected]>
+
+        WebKit should prevent push/replace state with username in URL.
+        <rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/history-username-password-expected.txt: Added.
+        * http/tests/security/history-username-password.html: Added.
+
 2016-07-14  John Wilander  <[email protected]>
 
         Remove credentials in URL when accessed through location.href

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password-expected.txt (0 => 204797)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password-expected.txt	2016-08-23 10:41:07 UTC (rev 204797)
@@ -0,0 +1,14 @@
+Click to test in new window
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+Error: SecurityError: DOM Exception 18
+

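Review bot: The twelve expected lines are byte-identical, so this baseline cannot show which replaceState/pushState case produced which line, or that each rejection came from the new username/password check rather than from some other path that raises the same exception. Consider having the test prefix each logged exception with the case name (for example "pushState, password only: ") so the baseline pins one line to one case.
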
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password.html (0 => 204797)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/history-username-password.html	2016-08-23 10:41:07 UTC (rev 204797)
@@ -0,0 +1,82 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.waitUntilDone();
+}
+
+function log(msg)
+{
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function testHistoryObject(historyToTest)
+{
+    try {
+        historyToTest.replaceState(null, "Phishy Title", location.protocol + "//www.webkit.org" + "@" + location.host);
+        log("replaceState with username worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+
+    try {
+        historyToTest.replaceState(null, "Phishy Title", location.protocol + "//:www.webkit.org" + "@" + location.host);
+        log("replaceState with password worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+
+    try {
+        historyToTest.replaceState(null, "Phishy Title", location.protocol + "//www.webkit:org" + "@" + location.host);
+        log("replaceState with username and password worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+
+    try {
+        historyToTest.pushState(null, "Phishy Title", location.protocol + "//www.webkit.org" + "@" + location.host);
+        log("pushState with username worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+
+    try {
+        historyToTest.pushState(null, "Phishy Title", location.protocol + "//:www.webkit.org" + "@" + location.host);
+        log("pushState with password worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+
+    try {
+        historyToTest.pushState(null, "Phishy Title", location.protocol + "//www.webkit:org" + "@" + location.host);
+        log("pushState with username and password worked, shouldn't have.");
+    } catch(e) {
+        log(e);
+    }
+}
+
+function clicked()
+{
+    newWindow = window.open('','newWindow');
+    testHistoryObject(newWindow.history);
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function loaded()
+{
+    testHistoryObject(window.history);
+
+    if (window.eventSender) {
+        var button = document.getElementById("theButton");
+        eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+        eventSender.mouseDown();
+        eventSender.mouseUp();
+    }
+}
+
+</script>
+<body _onload_="loaded();">
+<button id="theButton" _onclick_="clicked();">Click to test in new window</button>
+<div id="logger"></div>
+</body>

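Review bot: Every case in testHistoryObject() expects a throw, so there is no control showing that pushState/replaceState with a credential-free same-origin URL still succeeds; a build that threw SecurityError for every state URL would produce the same output. Add one such call that must not throw and log its result. In clicked(), newWindow is assigned without var and the return value of window.open() is not checked, so a null return raises on newWindow.history before testRunner.notifyDone() runs and the test times out instead of failing; the opened window is also never closed.
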
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (204796 => 204797)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-23 10:39:11 UTC (rev 204796)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-23 10:41:07 UTC (rev 204797)
@@ -1,3 +1,15 @@
+2016-07-15  Brady Eidson  <[email protected]>
+
+        WebKit should prevent push/replace state with username in URL.
+        <rdar://problem/27361737> and https://bugs.webkit.org/show_bug.cgi?id=159818
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/history-username-password.html
+
+        * page/History.cpp:
+        (WebCore::History::stateObjectAdded): Don't allow URLs with usernames/passwords.
+
 2016-07-14  John Wilander  <[email protected]>
 
         Remove credentials in URL when accessed through location.href

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/History.cpp (204796 => 204797)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/History.cpp	2016-08-23 10:39:11 UTC (rev 204796)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/History.cpp	2016-08-23 10:41:07 UTC (rev 204797)
@@ -154,6 +154,15 @@
         return;
     }
 
+    if (fullURL.hasUsername() || fullURL.hasPassword()) {
+        ec.code = SECURITY_ERR;
+        if (stateObjectType == StateObjectType::Replace)
+            ec.message = makeString("Attempt to use history.replaceState() to change session history URL to ", fullURL.string(), " is insecure; Username/passwords aren't allowed in state object URLs");
+        else
+            ec.message = makeString("Attempt to use history.pushState() to add URL ", fullURL.string(), " to session history is insecure; Username/passwords aren't allowed in state object URLs");
+        return;
+    }
+
     Document* mainDocument = m_frame->page()->mainFrame().document();
     History* mainHistory = nullptr;
     if (mainDocument) {
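Review bot: Both ec.message strings interpolate fullURL.string(), and this branch is only reached when that URL carries a username or password, so the credentials are copied verbatim into the exception message and into anything that records it. Consider leaving the URL out of the message or reporting it with the userinfo stripped. The tail "Username/passwords aren't allowed in state object URLs" is duplicated across the two branches and could be built once.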
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes