Attachment 348675 Details for Bug 189198 – PATCH

[patch] PATCH

189198.diff (text/plain), 5.74 KB, created by Basuke Suzuki on 2018-08-31 14:49:18 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Basuke Suzuki

Created: 2018-08-31 14:49:18 PDT

Size: 5.74 KB

patch

obsolete

>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
>index 177983f494d..22682ac0021 100644
>--- a/LayoutTests/ChangeLog
>+++ b/LayoutTests/ChangeLog
>@@ -1,3 +1,16 @@
>+2018-08-31  Basuke Suzuki  <Basuke.Suzuki@sony.com>
>+
>+        [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR.
>+        https://bugs.webkit.org/show_bug.cgi?id=189198
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * TestExpectations:
>+        * http/tests/curl/resources/authenticate.php: Added.
>+        * http/tests/curl/url-with-credentials-expected.txt: Added.
>+        * http/tests/curl/url-with-credentials.html: Added.
>+        * platform/wincairo/TestExpectations:
>+
> 2018-08-24  Youenn Fablet  <youenn@apple.com>
> 
>         libwebrtc PeerConnection::AddTrack sometimes fail
>diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
>index db7c940e809..e15eded41cb 100644
>--- a/LayoutTests/TestExpectations
>+++ b/LayoutTests/TestExpectations
>@@ -46,6 +46,7 @@ http/tests/events/touch/ios [ Skip ]
> http/tests/preload/viewport [ Skip ]
> http/tests/gzip-content-encoding [ Skip ]
> http/tests/cookies/same-site [ Skip ]
>+http/tests/curl [ Skip ]
> system-preview [ Skip ]
> 
> # window.showModalDialog is only tested in DumpRenderTree on Mac.
>diff --git a/LayoutTests/http/tests/curl/resources/authenticate.php b/LayoutTests/http/tests/curl/resources/authenticate.php
>new file mode 100644
>index 00000000000..0b47d84573b
>--- /dev/null
>+++ b/LayoutTests/http/tests/curl/resources/authenticate.php
>@@ -0,0 +1,12 @@
>+<?php
>+
>+if (empty($_GET['noauth']) && !isset($_SERVER['PHP_AUTH_USER'])) {
>+    header('HTTP/1.0 401 Unauthorized');
>+    header('WWW-Authenticate: Basic realm="Curl Only"');
>+}
>+
>+header('Content-Type: text/plain');
>+
>+echo 'User: ' . $_SERVER['PHP_AUTH_USER'] . "\n";
>+echo 'Password: ' . $_SERVER['PHP_AUTH_PW'] . "\n";
>+exit(0);
>diff --git a/LayoutTests/http/tests/curl/url-with-credentials-expected.txt b/LayoutTests/http/tests/curl/url-with-credentials-expected.txt
>new file mode 100644
>index 00000000000..d21d4f45cdb
>--- /dev/null
>+++ b/LayoutTests/http/tests/curl/url-with-credentials-expected.txt
>@@ -0,0 +1 @@
>+User: Password: User: foo Password: bar
>diff --git a/LayoutTests/http/tests/curl/url-with-credentials.html b/LayoutTests/http/tests/curl/url-with-credentials.html
>new file mode 100644
>index 00000000000..52ad72e2b2e
>--- /dev/null
>+++ b/LayoutTests/http/tests/curl/url-with-credentials.html
>@@ -0,0 +1,24 @@
>+<html>
>+<script>
>+
>+    /*
>+    * curl send authorization header when credential exists in a url.
>+    */
>+
>+    if (window.testRunner) {
>+        testRunner.dumpAsText();
>+    }
>+
>+    const req = new XMLHttpRequest();
>+
>+    /* First trial must be access without credentials. */
>+    req.open('GET', 'resources/authenticate.php?noauth=1', false, 'foo', 'bar');
>+    req.send(null);
>+    document.writeln(req.responseText);
>+
>+    /* Send auth info after getting authorization header. */
>+    req.open('GET', 'resources/authenticate.php', false, 'foo', 'bar');
>+    req.send(null);
>+    document.writeln(req.responseText);
>+
>+</script>
>diff --git a/LayoutTests/platform/wincairo/TestExpectations b/LayoutTests/platform/wincairo/TestExpectations
>index 775149fc910..091e71e9ce4 100644
>--- a/LayoutTests/platform/wincairo/TestExpectations
>+++ b/LayoutTests/platform/wincairo/TestExpectations
>@@ -844,6 +844,8 @@ imported/blink/fast/dom/Window/open-window-features-fuzz.html [ Pass Timeout ]
> # http
> #//////////////////////////////////////////////////////////////////////////////////////////
> 
>+http/tests/curl [ Pass ]
>+
> http/tests/appcache [ Skip ]
> http/tests/blink/sendbeacon [ Skip ]
> http/tests/cache [ Skip ]
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index d10643d9539..19946616013 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,19 @@
>+2018-08-31  Basuke Suzuki  <Basuke.Suzuki@sony.com>
>+
>+        [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR.
>+        https://bugs.webkit.org/show_bug.cgi?id=189198
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        Because sync XHR uses request directly, the credential information in url is
>+        not removed. Use ResourceHandleInternal's firstRequest because those are
>+        already takne out.
>+
>+        Test: http/tests/curl/url-with-credentials.html
>+
>+        * platform/network/curl/ResourceHandleCurl.cpp:
>+        (WebCore::ResourceHandle::platformLoadResourceSynchronously):
>+
> 2018-08-24  Youenn Fablet  <youenn@apple.com>
> 
>         libwebrtc PeerConnection::AddTrack sometimes fail
>diff --git a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp
>index 6e0a6e45be5..e46d183a391 100644
>--- a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp
>+++ b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp
>@@ -382,7 +382,6 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex
> {
>     ASSERT(isMainThread());
> 
>-    auto localRequest = request;
>     SynchronousLoaderClient client;
>     bool defersLoading = false;
>     bool shouldContentSniff = true;
>@@ -390,12 +389,13 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex
>     RefPtr<ResourceHandle> handle = adoptRef(new ResourceHandle(context, request, &client, defersLoading, shouldContentSniff, shouldContentEncodingSniff));
>     handle->d->m_messageQueue = &client.messageQueue();
> 
>-    if (localRequest.url().protocolIsData()) {
>+    if (request.url().protocolIsData()) {
>         handle->handleDataURL();
>         return;
>     }
> 
>-    handle->d->m_curlRequest = handle->createCurlRequest(localRequest);
>+    auto requestCopy = handle->firstRequest();
>+    handle->d->m_curlRequest = handle->createCurlRequest(requestCopy);
>     handle->d->m_curlRequest->start();
> 
>     do {

Flags:

achristensen: review-

Actions: View | Formatted Diff | Diff

Attachments on bug 189198: 348675 | 348834 | 349070 | 349083 | 349087 | 349195 | 349201