Title: [264911] releases/WebKitGTK/webkit-2.28
Revision
264911
Author
carlo...@webkit.org
Date
2020-07-27 03:47:58 -0700 (Mon, 27 Jul 2020)

Log Message

Merge r259141 - Web Inspector: should also escape the method when Copy as cURL
https://bugs.webkit.org/show_bug.cgi?id=209665
<rdar://problem/58432154>

Reviewed by Joseph Pecoraro.

Source/WebInspectorUI:

* UserInterface/Models/Resource.js:
(WI.Resource.prototype.generateCURLCommand):
(WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
The method could be maliciously crafted, so we should also escape it (if needed).

LayoutTests:

* http/tests/inspector/network/copy-as-curl.html:

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (264910 => 264911)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-07-27 08:35:35 UTC (rev 264910)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-07-27 10:47:58 UTC (rev 264911)
@@ -1,3 +1,13 @@
+2020-03-27  Devin Rousso  <drou...@apple.com>
+
+        Web Inspector: should also escape the method when Copy as cURL
+        https://bugs.webkit.org/show_bug.cgi?id=209665
+        <rdar://problem/58432154>
+
+        Reviewed by Joseph Pecoraro.
+
+        * http/tests/inspector/network/copy-as-curl.html:
+
 2020-06-22  Carlos Garcia Campos  <cgar...@igalia.com>
 
         REGRESSION(r258741): [GTK] anchor-file-blob-download-includes-backslash.html is failing

Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt (264910 => 264911)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt	2020-07-27 08:35:35 UTC (rev 264910)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl-expected.txt	2020-07-27 10:47:58 UTC (rev 264911)
@@ -33,3 +33,6 @@
 PASS: Command should have JSON Content-Type.
 PASS: Command should contain correct JSON data.
 
+-- Running test case: SpecialMethodGenerateCURLValidPOSIXOutput
+PASS: Command should contain method with properly escaped special characters.
+

Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl.html (264910 => 264911)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl.html	2020-07-27 08:35:35 UTC (rev 264910)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/http/tests/inspector/network/copy-as-curl.html	2020-07-27 10:47:58 UTC (rev 264911)
@@ -73,7 +73,7 @@
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
                 InspectorTest.expectThat(curl[0].match("https?://.*?/resources/url\\?query=true") !== null, "Command should contain URL.");
-                InspectorTest.expectThat(curl[1] === "-XGET", "Command should be a GET request.");
+                InspectorTest.expectThat(curl[1] === "-X 'GET'", "Command should be a GET request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('User-Agent')) !== undefined, "Command should contain User-Agent header.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('X-Custom')) === undefined, "Command should not contain a custom header.");
             })
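Review bot: The updated method assertion still wraps a boolean in `InspectorTest.expectThat(curl[1] === "-X 'GET'", …)`, while the test case added at the end of this file uses `InspectorTest.expectEqual`; the same applies to the POST and PUT hunks below. Since these lines are being edited anyway, `InspectorTest.expectEqual(curl[1], "-X 'GET'", "Command should be a GET request.");` would match the new case and presumably report the actual value when the quoting is wrong. The enclosing test function starts and ends outside the hunk.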
@@ -145,7 +145,7 @@
                 let resource = event.data.resource;
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
-                InspectorTest.expectThat(curl[1] === "-XPOST", "Command should be a POST request.");
+                InspectorTest.expectThat(curl[1] === "-X 'POST'", "Command should be a POST request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/x-www-form-urlencoded'", "Command should have correct Content-Type.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd === "--data $'lorem=ipsum&$dolor=\\'sit\\'&amet={1..20}'") !== undefined, "Command should contain correct data.");
             })
@@ -182,7 +182,7 @@
                 let resource = event.data.resource;
                 let curl = resource.generateCURLCommand().split(" \\\n");
 
-                InspectorTest.expectThat(curl[1] === "-XPUT", "Command should be a PUT request.");
+                InspectorTest.expectThat(curl[1] === "-X 'PUT'", "Command should be a PUT request.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd.includes('Content-Type')) === "-H 'Content-Type: application/json'", "Command should have JSON Content-Type.");
                 InspectorTest.expectThat(curl.find((cmd) => cmd === "--data-binary '{\"update\":\"now\"}'") !== undefined, "Command should contain correct JSON data.");
             })
@@ -192,6 +192,22 @@
         }
     });
 
+    suite.addTestCase({
+        name: "SpecialMethodGenerateCURLValidPOSIXOutput",
+        description: "Generate cURL command from a request containing special characters in the method and verify valid POSIX output.",
+        test(resolve, reject) {
+            let resource = new WI.Resource("TEST", {
+                requestMethod: "METHOD&a$b-c",
+            });
+
+            let curl = resource.generateCURLCommand().split(" \\\n");
+
+            InspectorTest.expectEqual(curl[1], "-X 'METHOD&a$b-c'", "Command should contain method with properly escaped special characters.");
+
+            resolve();
+        }
+    });
+
     suite.runTestCasesAndFinish();
 }
 </script>
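Review bot: The new case only exercises the plain single-quote path, because `"METHOD&a$b-c"` contains no single quote, newline or `!`. A method containing `'` is the input that would end the quoting early if the escaping were wrong, and it is not covered here. I would add a second resource with a constructed value such as `requestMethod: "GET'x"` and assert `InspectorTest.expectEqual(curl[1], "-X $'GET\\'x'", "Command should escape a single quote in the method.");`. That expected string is inferred from the `--data $'…\\'sit\\'…'` assertion in the POST case of this file, so confirm it against the actual output.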

Modified: releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/ChangeLog (264910 => 264911)


--- releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/ChangeLog	2020-07-27 08:35:35 UTC (rev 264910)
+++ releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/ChangeLog	2020-07-27 10:47:58 UTC (rev 264911)
@@ -1,3 +1,16 @@
+2020-03-27  Devin Rousso  <drou...@apple.com>
+
+        Web Inspector: should also escape the method when Copy as cURL
+        https://bugs.webkit.org/show_bug.cgi?id=209665
+        <rdar://problem/58432154>
+
+        Reviewed by Joseph Pecoraro.
+
+        * UserInterface/Models/Resource.js:
+        (WI.Resource.prototype.generateCURLCommand):
+        (WI.Resource.prototype.generateCURLCommand.escapeStringPosix):
+        The method could be maliciously crafted, so we should also escape it (if needed).
+
 2020-02-11  Nikita Vasilyev  <nvasil...@apple.com>
 
         Web Inspector RTL: Elements closing tag is reversed

Modified: releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/UserInterface/Models/Resource.js (264910 => 264911)


--- releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/UserInterface/Models/Resource.js	2020-07-27 08:35:35 UTC (rev 264910)
+++ releases/WebKitGTK/webkit-2.28/Source/WebInspectorUI/UserInterface/Models/Resource.js	2020-07-27 10:47:58 UTC (rev 264911)
@@ -1103,14 +1103,14 @@
                                  .replace(/\r/g, "\\r")
                                  .replace(/!/g, "\\041")
                                  .replace(/[^\x20-\x7E]/g, escapeCharacter) + "'";
-            } else {
-                // Use single quote syntax.
-                return `'${str}'`;
             }
+
+            // Use single quote syntax.
+            return `'${str}'`;
         }
 
         let command = ["curl " + escapeStringPosix(this.url).replace(/[[{}\]]/g, "\\$&")];
-        command.push(`-X${this.requestMethod}`);
+        command.push("-X " + escapeStringPosix(this.requestMethod));
 
         for (let key in this.requestHeaders)
             command.push("-H " + escapeStringPosix(`${key}: ${this.requestHeaders[key]}`));
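Review bot: The final `'${str}'` return in escapeStringPosix now also guards the request method, and it is only safe if every string containing a single quote was already handled by the `$'…'` branch above. That condition sits outside this hunk, so the invariant cannot be checked from here, and a later edit to the condition could silently reopen the injection this commit closes. I would state it next to the return, for example `// Safe only because any str containing ' or a character outside \x20-\x7E took the ANSI-C branch above.`. A short comment on the `-X` line would also help, along the lines of `// requestMethod is page-controlled and this command is pasted into a shell, so quote it like the URL and headers.`.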