Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9a19d07c4f53bdf52a375aa4adcdd2edaeb80e28
      
https://github.com/WebKit/WebKit/commit/9a19d07c4f53bdf52a375aa4adcdd2edaeb80e28
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A LayoutTests/http/tests/security/contentSecurityPolicy/path-traversal-bypass-with-percent-encoding-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/path-traversal-bypass-with-percent-encoding.html
    M Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

  Log Message:
  -----------
  Align ContentSecurityPolicySource::pathMatches() with CSP3 spec path matching algorithm
https://bugs.webkit.org/show_bug.cgi?id=308675
rdar://168933742

Reviewed by Anne van Kesteren.

WebKit's pathMatches() diverged from the CSP3 spec by percent-decoding
the entire URL path as a flat string, then doing prefix/equality checks.
This made it vulnerable to %2F..%2F path traversal bypasses.

This change adopts the spec's algorithm (§ 6.7.2.12): split both paths
on literal '/', percent-decode each segment, and compare corresponding
pairs. This eliminates the vulnerability — %2F never produces a segment
boundary, so sequences like %2F..%2F stay trapped in a single segment
and won't match the expected path component.

Test: http/tests/security/contentSecurityPolicy/path-traversal-bypass-with-percent-encoding.html

* LayoutTests/http/tests/security/contentSecurityPolicy/path-traversal-bypass-with-percent-encoding-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/path-traversal-bypass-with-percent-encoding.html: Added.
* Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::pathMatches const):
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parsePath):

Originally-landed-as: 305413.379@rapid/safari-7624.2.5.110-branch (e979e8c9cdc1). rdar://176067678
Canonical link: https://commits.webkit.org/313617@main
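The two matching strategies contrasted in the commit message, as an added example in plain JavaScript (this is not WebKit's code and not the patched WebCore source). pathPartMatches() follows the CSP3 path-part match algorithm the message cites (strict split on literal '/', percent-decode each segment, compare pairwise). pathMatchesLegacy() models the pre-fix behaviour only as the message describes it (flat percent-decode of the whole path, then prefix or equality check); it is a reconstruction, not the old WebCore implementation. The sample paths are constructed for the demo; urlPath is assumed to be the path component of an already-parsed URL, in which %2F stays encoded.

```javascript
// Added example: CSP3 path-part matching vs. a flat-decode-then-prefix check.
// Not WebKit code; see lead-in for the assumptions.

function isHexByte(b) {
  return (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);
}

// Percent-decode as the URL spec does: operate on the UTF-8 bytes, turn each
// well-formed %XX into one byte, leave malformed escapes literal. The result
// is returned as a byte string so that comparison is byte-for-byte.
function percentDecode(segment) {
  const input = new TextEncoder().encode(segment);
  const out = [];
  for (let i = 0; i < input.length; i++) {
    const b = input[i];
    if (b === 0x25 && i + 2 < input.length && isHexByte(input[i + 1]) && isHexByte(input[i + 2])) {
      out.push(parseInt(String.fromCharCode(input[i + 1], input[i + 2]), 16));
      i += 2;
    } else {
      out.push(b);
    }
  }
  return String.fromCharCode(...out);
}

// CSP3 "path-part match": sourcePath is the path of the source expression,
// urlPath the path of the URL being checked. Returns true on "Matches".
function pathPartMatches(sourcePath, urlPath) {
  if (sourcePath === "") return true;
  if (sourcePath === "/" && urlPath === "") return true;
  // A trailing '/' on the source path means prefix (segment-wise) matching.
  const exactMatch = !sourcePath.endsWith("/");
  // Strict split on the literal '/' BEFORE any decoding: an encoded %2F can
  // never create a segment boundary here.
  const listA = sourcePath.split("/");
  const listB = urlPath.split("/");
  if (listA.length > listB.length) return false;
  if (exactMatch && listA.length !== listB.length) return false;
  if (!exactMatch) listA.pop(); // drop the trailing empty string
  for (let i = 0; i < listA.length; i++) {
    // Decode per segment, then compare corresponding pairs.
    if (percentDecode(listA[i]) !== percentDecode(listB[i])) return false;
  }
  return true;
}

// Reconstruction of the behaviour the commit message describes as the old
// one: decode the entire path as one flat string, then prefix/equality check.
// Deliberately keeps the flaw; it is the "before" of the fix.
function pathMatchesLegacy(sourcePath, urlPath) {
  if (sourcePath === "") return true;
  const a = percentDecode(sourcePath);
  const b = percentDecode(urlPath);
  return sourcePath.endsWith("/") ? b.startsWith(a) : a === b;
}

// Constructed sample: a prefix source path and a URL whose single path
// segment smuggles "/../" as %2F..%2F.
function demo() {
  const sourcePath = "/scripts/";
  const smuggled = "/scripts%2F..%2Fevil.js";
  return {
    legacyAcceptsSmuggled: pathMatchesLegacy(sourcePath, smuggled), // true: bypass
    specAcceptsSmuggled: pathPartMatches(sourcePath, smuggled),     // false: rejected
    specAcceptsNormal: pathPartMatches(sourcePath, "/scripts/app.js"),
    specAcceptsEncodedEquivalent: pathPartMatches("/my%20scripts/", "/my scripts/app.js"),
  };
}

console.log(demo());
```

The decisive difference is the order of operations: splitting on the literal '/' first means "scripts%2F..%2Fevil.js" is one segment that decodes to "scripts/../evil.js", which is not equal to "scripts", so the spec algorithm rejects it; the flat decoder sees "/scripts/../evil.js", which does start with "/scripts/". Encoding differences inside a single segment (%20 vs. a space) still match under both, which is the intended behaviour.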
