- Revision
- 222815
- Author
- [email protected]
- Date
- 2017-10-03 15:40:35 -0700 (Tue, 03 Oct 2017)
Log Message
Share code to determine a forbidden method
https://bugs.webkit.org/show_bug.cgi?id=177833
Reviewed by Andy Estes.
Currently we duplicate code in XMLHttpRequest and FetchRequest to determine if a method is
forbidden. We should add a common helper function and update both classes to make use of it.
No functionality changed, so no new tests.
* Modules/fetch/FetchRequest.cpp:
(WebCore::setMethod): Modified to use WebCore::isForbiddenMethod().
* platform/network/HTTPParsers.cpp:
(WebCore::isForbiddenMethod): Added.
* platform/network/HTTPParsers.h:
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open): Modified to use WebCore::isForbiddenMethod().
(WebCore::XMLHttpRequest::isAllowedHTTPMethod): Deleted.
* xml/XMLHttpRequest.h:
Modified: trunk/Source/WebCore/ChangeLog (222814 => 222815)
--- trunk/Source/WebCore/ChangeLog 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/ChangeLog 2017-10-03 22:40:35 UTC (rev 222815)
@@ -1,3 +1,25 @@
+2017-10-03 Daniel Bates <[email protected]>
+
+ Share code to determine a forbidden method
+ https://bugs.webkit.org/show_bug.cgi?id=177833
+
+ Reviewed by Andy Estes.
+
+ Currently we duplicate code in XMLHttpRequest and FetchRequest to determine if a method is
+ forbidden. We should add a common helper function and update both classes to make use of it.
+
+ No functionality changed. So, no new tests.
+
+ * Modules/fetch/FetchRequest.cpp:
+ (WebCore::setMethod): Modified to use WebCore::isForbiddenMethod().
+ * platform/network/HTTPParsers.cpp:
+ (WebCore::isForbiddenMethod): Added.
+ * platform/network/HTTPParsers.h:
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::open): Modified to use WebCore::isForbiddenMethod().
+ (WebCore::XMLHttpRequest::isAllowedHTTPMethod): Deleted.
+ * xml/XMLHttpRequest.h:
+
2017-10-03 Zalan Bujtas <[email protected]>
RenderMenuList should not hold raw pointers
Modified: trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp (222814 => 222815)
--- trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp 2017-10-03 22:40:35 UTC (rev 222815)
@@ -39,13 +39,10 @@
{
if (!isValidHTTPToken(initMethod))
return Exception { TypeError, ASCIILiteral("Method is not a valid HTTP token.") };
-
+ if (isForbiddenMethod(initMethod))
+ return Exception { TypeError, ASCIILiteral("Method is forbidden.") };
String method = initMethod.convertToASCIIUppercase();
- if (method == "CONNECT" || method == "TRACE" || method == "TRACK")
- return Exception { TypeError, ASCIILiteral("Method is forbidden.") };
-
request.setHTTPMethod((method == "DELETE" || method == "GET" || method == "HEAD" || method == "OPTIONS" || method == "POST" || method == "PUT") ? method : initMethod);
-
return std::nullopt;
}
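Review bot: The known-method list on the `request.setHTTPMethod(...)` line still duplicates the one in `XMLHttpRequest::uppercaseKnownHTTPMethod` (`{ "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT" }` in the XMLHttpRequest.cpp hunk), so the commit shares the forbidden check but leaves the normalization list copied in two places. Since the forbidden check now lives in HTTPParsers, the known-method uppercasing could be moved there the same way so a later edit to one list cannot drift from the other. The enclosing function's signature is outside the hunk.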
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.cpp (222814 => 222815)
--- trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2017-10-03 22:40:35 UTC (rev 222815)
@@ -778,7 +778,7 @@
}
}
-// Implementation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
+// Implements <https://fetch.spec.whatwg.org/#forbidden-header-name>.
bool isForbiddenHeaderName(const String& name)
{
HTTPHeaderName headerName;
@@ -812,11 +812,18 @@
return startsWithLettersIgnoringASCIICase(name, "sec-") || startsWithLettersIgnoringASCIICase(name, "proxy-");
}
+// Implements <https://fetch.spec.whatwg.org/#forbidden-response-header-name>.
bool isForbiddenResponseHeaderName(const String& name)
{
return equalLettersIgnoringASCIICase(name, "set-cookie") || equalLettersIgnoringASCIICase(name, "set-cookie2");
}
+// Implements <https://fetch.spec.whatwg.org/#forbidden-method>.
+bool isForbiddenMethod(const String& name)
+{
+ return equalLettersIgnoringASCIICase(name, "connect") || equalLettersIgnoringASCIICase(name, "trace") || equalLettersIgnoringASCIICase(name, "track");
+}
+
bool isSimpleHeader(const String& name, const String& value)
{
HTTPHeaderName headerName;
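Review bot: The new `isForbiddenMethod` names its parameter `name`, copied from the header-name helpers above it, but the argument is an HTTP method; `bool isForbiddenMethod(const String& method)` reads more accurately. The comparison is ASCII-case-insensitive, so the result is the same whether the caller passes the raw or the uppercased string, which is why FetchRequest can call it before `convertToASCIIUppercase()`. A one-line comment stating that callers are expected to have already validated the string with `isValidHTTPToken` (both call sites in this commit do) would document that assumption next to the definition.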
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (222814 => 222815)
--- trunk/Source/WebCore/platform/network/HTTPParsers.h 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h 2017-10-03 22:40:35 UTC (rev 222815)
@@ -95,6 +95,7 @@
// HTTP Header routine as per https://fetch.spec.whatwg.org/#terminology-headers
bool isForbiddenHeaderName(const String&);
bool isForbiddenResponseHeaderName(const String&);
+bool isForbiddenMethod(const String&);
bool isSimpleHeader(const String& name, const String& value);
bool isCrossOriginSafeHeader(HTTPHeaderName, const HTTPHeaderSet&);
bool isCrossOriginSafeHeader(const String&, const HTTPHeaderSet&);
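Review bot: The new declaration sits under the `// HTTP Header routine as per https://fetch.spec.whatwg.org/#terminology-headers` comment, but a method check is not a header routine, so the grouping comment now misdescribes it. A separate comment above the declaration, `// Implements <https://fetch.spec.whatwg.org/#forbidden-method>.`, mirroring the one added in HTTPParsers.cpp, would keep the header self-explanatory.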
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (222814 => 222815)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2017-10-03 22:40:35 UTC (rev 222815)
@@ -327,13 +327,6 @@
return { };
}
-bool XMLHttpRequest::isAllowedHTTPMethod(const String& method)
-{
- return !equalLettersIgnoringASCIICase(method, "trace")
- && !equalLettersIgnoringASCIICase(method, "track")
- && !equalLettersIgnoringASCIICase(method, "connect");
-}
-
String XMLHttpRequest::uppercaseKnownHTTPMethod(const String& method)
{
const char* const methods[] = { "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT" };
@@ -375,7 +368,7 @@
if (!isValidHTTPToken(method))
return Exception { SyntaxError };
- if (!isAllowedHTTPMethod(method))
+ if (isForbiddenMethod(method))
return Exception { SecurityError };
if (!async && scriptExecutionContext()->isDocument()) {
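Review bot: The two call sites now map the same `isForbiddenMethod` result to different exceptions, `SecurityError` here and `TypeError` in FetchRequest.cpp, which follows the XMLHttpRequest and Fetch specifications respectively but is easy to misread as an inconsistency once the helper is shared. A short comment on the changed line, `// Per the XHR spec a forbidden method is a SecurityError (Fetch reports a TypeError).`, would stop a later cleanup from unifying them. The enclosing `open()` starts and ends outside the hunk.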
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.h (222814 => 222815)
--- trunk/Source/WebCore/xml/XMLHttpRequest.h 2017-10-03 22:39:49 UTC (rev 222814)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.h 2017-10-03 22:40:35 UTC (rev 222815)
@@ -104,7 +104,6 @@
void didCacheResponse();
// Expose HTTP validation methods for other untrusted requests.
- static bool isAllowedHTTPMethod(const String&);
static String uppercaseKnownHTTPMethod(const String&);
enum class ResponseType { EmptyString, Arraybuffer, Blob, Document, Json, Text };