Diff
Modified: branches/safari-609-branch/LayoutTests/ChangeLog (261507 => 261508)
--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-05-12 00:21:15 UTC (rev 261507)
+++ branches/safari-609-branch/LayoutTests/ChangeLog 2020-05-12 00:21:18 UTC (rev 261508)
@@ -1,5 +1,39 @@
2020-05-07 Russell Epstein <[email protected]>
+ Cherry-pick r259141. rdar://problem/62978919
+
+ Web Inspector: should also escape the method when Copy as cURL
+ https://bugs.webkit.org/show_bug.cgi?id=209665
+ <rdar://problem/58432154>
+
+ Reviewed by Joseph Pecoraro.
+
+ Source/WebInspectorUI:
+
+ * UserInterface/Models/Resource.js:
+ (WI.Resource.prototype.generateCURLCommand):
+ (WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
+ The method could be maliciously crafted, so we should also escape it (if needed).
+
+ LayoutTests:
+
+ * http/tests/inspector/network/copy-as-curl.html:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-27 Devin Rousso <[email protected]>
+
+ Web Inspector: should also escape the method when Copy as cURL
+ https://bugs.webkit.org/show_bug.cgi?id=209665
+ <rdar://problem/58432154>
+
+ Reviewed by Joseph Pecoraro.
+
+ * http/tests/inspector/network/copy-as-curl.html:
+
+2020-05-07 Russell Epstein <[email protected]>
+
Cherry-pick r257929. rdar://problem/62978899
In case an activating service worker is terminated, it should go to activated state
Modified: branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt (261507 => 261508)
--- branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt 2020-05-12 00:21:15 UTC (rev 261507)
+++ branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt 2020-05-12 00:21:18 UTC (rev 261508)
@@ -33,3 +33,6 @@
PASS: Command should have JSON Content-Type.
PASS: Command should contain correct JSON data.
+-- Running test case: SpecialMethodGenerateCURLValidPOSIXOutput
+PASS: Command should contain method with properly escaped special characters.
+
Modified: branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl.html (261507 => 261508)
--- branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl.html 2020-05-12 00:21:15 UTC (rev 261507)
+++ branches/safari-609-branch/LayoutTests/http/tests/inspector/network/copy-as-curl.html 2020-05-12 00:21:18 UTC (rev 261508)
@@ -73,7 +73,7 @@
let curl = resource.generateCURLCommand().split(" \\\n");
InspectorTest.expectThat(curl[0].match("https?://.*?/resources/url\\?query=true") !== null, "Command should contain URL.");
- InspectorTest.expectThat(curl[1] === "-XGET", "Command should be a GET request.");
+ InspectorTest.expectThat(curl[1] === "-X 'GET'", "Command should be a GET request.");
InspectorTest.expectThat(curl.find((cmd) => cmd.includes('User-Agent')) !== undefined, "Command should contain User-Agent header.");
InspectorTest.expectThat(curl.find((cmd) => cmd.includes('X-Custom')) === undefined, "Command should not contain a custom header.");
})
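Review bot: The three updated assertions (this hunk and the ones at 145 and 182) still wrap an exact string comparison in `expectThat(curl[1] === …)`, while the test case added further down in the same file uses `InspectorTest.expectEqual` for the same kind of check. Writing them as `InspectorTest.expectEqual(curl[1], "-X 'GET'", "Command should be a GET request.");` (likewise for POST and PUT) would keep the file consistent and, as far as I can tell, lets the harness show the actual value when the quoting regresses. The enclosing test functions start outside these hunks.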
@@ -145,7 +145,7 @@
let resource = event.data.resource;
let curl = resource.generateCURLCommand().split(" \\\n");
- InspectorTest.expectThat(curl[1] === "-XPOST", "Command should be a POST request.");
+ InspectorTest.expectThat(curl[1] === "-X 'POST'", "Command should be a POST request.");
InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/x-www-form-urlencoded'", "Command should have correct Content-Type.");
InspectorTest.expectThat(curl.find((cmd) => cmd === "--data $'lorem=ipsum&$dolor=\\'sit\\'&amet={1..20}'") !== undefined, "Command should contain correct data.");
})
@@ -182,7 +182,7 @@
let resource = event.data.resource;
let curl = resource.generateCURLCommand().split(" \\\n");
- InspectorTest.expectThat(curl[1] === "-XPUT", "Command should be a PUT request.");
+ InspectorTest.expectThat(curl[1] === "-X 'PUT'", "Command should be a PUT request.");
InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/json'", "Command should have JSON Content-Type.");
InspectorTest.expectThat(curl.find((cmd) => cmd === "--data-binary '{\"update\":\"now\"}'") !== undefined, "Command should contain correct JSON data.");
})
@@ -192,6 +192,22 @@
}
});
+ suite.addTestCase({
+ name: "SpecialMethodGenerateCURLValidPOSIXOutput",
+ description: "Generate cURL command from a request containing special characters in the method and verify valid POSIX output.",
+ test(resolve, reject) {
+ let resource = new WI.Resource("TEST", {
+ requestMethod: "METHOD&a$b-c",
+ });
+
+ let curl = resource.generateCURLCommand().split(" \\\n");
+
+ InspectorTest.expectEqual(curl[1], "-X 'METHOD&a$b-c'", "Command should contain method with properly escaped special characters.");
+
+ resolve();
+ }
+ });
+
suite.runTestCasesAndFinish();
}
</script>
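Review bot: The added case only covers the plain single-quote path, because `METHOD&a$b-c` contains no single quote and no character outside printable ASCII, so the `$'…'` branch of the escaping helper is never exercised for the method. A single quote is the one character that would break out of `'…'` quoting, so it is the input most worth pinning down. I would add a second expectation with a method such as `requestMethod: "A'B"`; by analogy with the `--data` expectation in the POST case, the result is presumably `"-X $'A\\'B'"`, but that should be confirmed against the helper. The matching line in copy-as-curl-expected.txt would need adding too.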
Modified: branches/safari-609-branch/Source/WebInspectorUI/ChangeLog (261507 => 261508)
--- branches/safari-609-branch/Source/WebInspectorUI/ChangeLog 2020-05-12 00:21:15 UTC (rev 261507)
+++ branches/safari-609-branch/Source/WebInspectorUI/ChangeLog 2020-05-12 00:21:18 UTC (rev 261508)
@@ -1,3 +1,40 @@
+2020-05-07 Russell Epstein <[email protected]>
+
+ Cherry-pick r259141. rdar://problem/62978919
+
+ Web Inspector: should also escape the method when Copy as cURL
+ https://bugs.webkit.org/show_bug.cgi?id=209665
+ <rdar://problem/58432154>
+
+ Reviewed by Joseph Pecoraro.
+
+ Source/WebInspectorUI:
+
+ * UserInterface/Models/Resource.js:
+ (WI.Resource.prototype.generateCURLCommand):
+ (WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
+ The method could be maliciously crafted, so we should also escape it (if needed).
+
+ LayoutTests:
+
+ * http/tests/inspector/network/copy-as-curl.html:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-27 Devin Rousso <[email protected]>
+
+ Web Inspector: should also escape the method when Copy as cURL
+ https://bugs.webkit.org/show_bug.cgi?id=209665
+ <rdar://problem/58432154>
+
+ Reviewed by Joseph Pecoraro.
+
+ * UserInterface/Models/Resource.js:
+ (WI.Resource.prototype.generateCURLCommand):
+ (WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
+ The method could be maliciously crafted, so we should also escape it (if needed).
+
2020-02-10 Kocsen Chung <[email protected]>
Cherry-pick r256056. rdar://problem/59299137
Modified: branches/safari-609-branch/Source/WebInspectorUI/UserInterface/Models/Resource.js (261507 => 261508)
--- branches/safari-609-branch/Source/WebInspectorUI/UserInterface/Models/Resource.js 2020-05-12 00:21:15 UTC (rev 261507)
+++ branches/safari-609-branch/Source/WebInspectorUI/UserInterface/Models/Resource.js 2020-05-12 00:21:18 UTC (rev 261508)
@@ -1103,14 +1103,14 @@
.replace(/\r/g, "\\r")
.replace(/!/g, "\\041")
.replace(/[^\x20-\x7E]/g, escapeCharacter) + "'";
- } else {
- // Use single quote syntax.
- return `'${str}'`;
}
+
+ // Use single quote syntax.
+ return `'${str}'`;
}
let command = ["curl " + escapeStringPosix(this.url).replace(/[[{}\]]/g, "\\$&")];
- command.push(`-X${this.requestMethod}`);
+ command.push("-X " + escapeStringPosix(this.requestMethod));
for (let key in this.requestHeaders)
command.push("-H " + escapeStringPosix(`${key}: ${this.requestHeaders[key]}`));
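Review bot: The fall-through single-quote return at the end of escapeStringPosix is only shell-safe when `str` contains no single quote, and that guarantee comes from the branch condition above this hunk, which is not visible here. Since the request method now relies on the same helper, I would state the invariant next to the return, e.g. `// Use single quote syntax: any str containing ' was already handled by the $'...' branch above.` The new `command.push("-X " + …)` line would also benefit from a short why-comment such as `// The method is taken from the captured request and is not trusted; quote it like the URL and headers.` escapeStringPosix starts above the hunk and generateCURLCommand continues past it.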