Title: [122242] branches/chromium/1180
- Revision
- 122242
- Author
- [email protected]
- Date
- 2012-07-10 12:09:26 -0700 (Tue, 10 Jul 2012)
Log Message
Merge 120617
BUG=133288
Review URL: https://chromiumcodereview.appspot.com/10690118
Diff
Copied: branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt (from rev 120617, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt) (0 => 122242)
--- branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt (rev 0)
+++ branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt 2012-07-10 19:09:26 UTC (rev 122242)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
Copied: branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html (from rev 120617, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html) (0 => 122242)
--- branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html (rev 0)
+++ branches/chromium/1180/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html 2012-07-10 19:09:26 UTC (rev 122242)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000"<script>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+ log("Fail");
+} catch(e) {
+ log("Pass");
+}
+
+</script>
+<p>This test passes if the malformed meta tag doesn't cause a crash and the resource is blocked.</p>
+</body>
+</html>
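Review bot: The expectation file added alongside this test contains only `This test passes if it doesn't crash.`, which matches neither the `<p>` text here nor the `Pass`/`Fail` line written into `#console`. As shown, the expectation therefore does not pin the second half of the stated goal, that the request to 127.0.0.1 is blocked by `connect-src http://localhost:8000`. A one-element read past the end of the source list is also unlikely to crash in an ordinary build, so "doesn't crash" probably only guards the regression when the test runs under a memory-checking build. I would regenerate the expected text from the actual dump so it includes `Pass`, and add a comment near the `<meta>` line such as `<!-- The missing '>' after the content attribute is intentional. -->`.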
Modified: branches/chromium/1180/Source/WebCore/page/ContentSecurityPolicy.cpp (122241 => 122242)
--- branches/chromium/1180/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-10 19:02:06 UTC (rev 122241)
+++ branches/chromium/1180/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-10 19:09:26 UTC (rev 122242)
@@ -314,7 +314,7 @@
return parseHost(beginHost, position, host, hostHasWildcard);
}
- if (*position == '/') {
+ if (position < end && *position == '/') {
// host/path || host/ || /
// ^ ^ ^
if (!parseHost(beginHost, position, host, hostHasWildcard)
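Review bot: The guard `position < end && *position == c` is now written out by hand at four sites: here, the two `:` checks in the hunks at 324 and 345, and the final `/` check. The next dereference added to this parser can easily omit the bounds half. A file-local helper would keep the two together, e.g. `static bool isAt(const UChar* position, const UChar* end, UChar c) { return position < end && *position == c; }`, assuming the iterators are `const UChar*`, which these hunks do not show. The enclosing function starts and ends outside the hunks, so any other `*position` reads in it are not visible here and should be checked for the same `position < end` precondition.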
@@ -324,7 +324,7 @@
return true;
}
- if (*position == ':') {
+ if (position < end && *position == ':') {
if (end - position == 1) {
// scheme:
// ^
@@ -345,15 +345,15 @@
skipWhile<isNotColonOrSlash>(position, end);
}
- if (*position == ':') {
+ if (position < end && *position == ':') {
// host:port || scheme://host:port
// ^ ^
beginPort = position;
skipUntil(position, end, '/');
}
}
-
- if (*position == '/') {
+
+ if (position < end && *position == '/') {
// scheme://host/path || scheme://host:port/path
// ^ ^
if (position == beginHost)
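Review bot: The blank line before the final `/` check is removed and re-added, so the two versions appear to differ only in whitespace, most likely trailing spaces on the new side. Dropping that whitespace-only change would limit this security merge to the four guard lines and make the branch diff easier to audit against trunk. The block that follows `if (position == beginHost)` continues outside the hunk.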