[webkit-changes] [106519] branches/chromium/1025/Source/WebCore/platform/network

Wed, 01 Feb 2012 18:08:09 -0800

Title: [106519] branches/chromium/1025/Source/WebCore/platform/network
Revision
106519
Author
[email protected]
Date
2012-02-01 18:08:02 -0800 (Wed, 01 Feb 2012)

Log Message

Merge 106514 - contentDispositionType misparses the Content-Disposition header in some obscure corner cases
https://bugs.webkit.org/show_bug.cgi?id=77577

Reviewed by Eric Seidel.

The contentDispositionType extracts the disposition-type from the
Content-Disposition header.  According to RFC 6266 (and previous RFCs),
the disposition-type must be an RFC 2616 token.  Rather than enforce
this general rule, we had special-cased some examples (including
name=foo and filename=bar).  This patch generalizes our check to
properly validate that the disposition-type is an RFC 2616 token.

In conjunction with some other work in the Chromium network stack, this
causes Chromium to pass the following tests:

  http://greenbytes.de/tech/tc2231/#inlonlyquoted
  http://greenbytes.de/tech/tc2231/#attonlyquoted

Without this patch, these test cases neither trigger a navigation nor a
download in Chromium.  This patch does not appear to cause any visible
change in Safari.  (Safari passes these tests both before and after
this patch.)

* platform/network/HTTPParsers.cpp:
(WebCore::isRFC2616Token):
(WebCore::contentDispositionType):
    - This patch also adds a comment to
      filenameFromHTTPContentDisposition, which explains some of the
      was this function incorrectly implements the requirements in
      RFC 6266.  Resolving these issues is a subject for a future
      patch.
* platform/network/HTTPParsers.h:


[email protected]
Review URL: https://chromiumcodereview.appspot.com/9309049

Modified Paths

Diff

Modified: branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.cpp (106518 => 106519)


--- branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.cpp	2012-02-02 01:56:58 UTC (rev 106518)
+++ branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.cpp	2012-02-02 02:08:02 UTC (rev 106519)
@@ -73,30 +73,47 @@
     return true;
 }
 
+// See RFC 2616, Section 2.2.
+bool isRFC2616Token(const String& characters)
+{
+    if (characters.isEmpty())
+        return false;
+    for (unsigned i = 0; i < characters.length(); ++i) {
+        UChar c = characters[i];
+        if (c >= 0x80 || c <= 0x1F || c == 0x7F
+            || c == '(' || c == ')' || c == '<' || c == '>' || c == '@'
+            || c == ',' || c == ';' || c == ':' || c == '\\' || c == '"'
+            || c == '/' || c == '[' || c == ']' || c == '?' || c == '='
+            || c == '{' || c == '}' || c == ' ' || c == '\t')
+        return false;
+    }
+    return true;
+}
+
 ContentDispositionType contentDispositionType(const String& contentDisposition)
-{   
+{
     if (contentDisposition.isEmpty())
         return ContentDispositionNone;
 
-    // Some broken sites just send
-    // Content-Disposition: ; filename="file"
-    // screen those out here.
-    if (contentDisposition.startsWith(";"))
-        return ContentDispositionNone;
+    Vector<String> parameters;
+    contentDisposition.split(';', parameters);
 
-    if (contentDisposition.startsWith("inline", false))
+    String dispositionType = parameters[0];
+    dispositionType.stripWhiteSpace();
+
+    if (equalIgnoringCase(dispositionType, "inline"))
         return ContentDispositionInline;
 
-    // Some broken sites just send
-    // Content-Disposition: filename="file"
+    // Some broken sites just send bogus headers like
+    //
+    //   Content-Disposition: ; filename="file"
+    //   Content-Disposition: filename="file"
+    //   Content-Disposition: name="file"
+    //
     // without a disposition token... screen those out.
-    if (contentDisposition.startsWith("filename", false))
+    if (!isRFC2616Token(dispositionType))
         return ContentDispositionNone;
 
-    // Also in use is Content-Disposition: name="file"
-    if (contentDisposition.startsWith("name", false))
-        return ContentDispositionNone;
-
     // We have a content-disposition of "attachment" or unknown.
     // RFC 2183, section 2.8 says that an unknown disposition
     // value should be treated as "attachment"
@@ -167,6 +184,11 @@
     return parseDateFromNullTerminatedCharacters(value.utf8().data());
 }
 
+// FIXME: This function doesn't comply with RFC 6266.
+// For example, this function doesn't handle the interaction between " and ;
+// that arises from quoted-string, nor does this function properly unquote
+// attribute values. Further this function appears to process parameter names
+// in a case-sensitive manner. (There are likely other bugs as well.)
 String filenameFromHTTPContentDisposition(const String& value)
 {
     Vector<String> keyValuePairs;

Modified: branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.h (106518 => 106519)


--- branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.h	2012-02-02 01:56:58 UTC (rev 106518)
+++ branches/chromium/1025/Source/WebCore/platform/network/HTTPParsers.h	2012-02-02 02:08:02 UTC (rev 106519)
@@ -50,6 +50,7 @@
 } ContentDispositionType;
 
 ContentDispositionType contentDispositionType(const String&);
+bool isRFC2616Token(const String&);
 bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url);
 double parseDate(const String&);
 String filenameFromHTTPContentDisposition(const String&); 

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to