WebKit Bugzilla
Attachment 348675 Details for
Bug 189198
: [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR.
189198.diff (text/plain), 5.74 KB, created by
Basuke Suzuki
on 2018-08-31 14:49:18 PDT
patch (obsolete)
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 177983f494d..22682ac0021 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,16 @@ >+2018-08-31 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * TestExpectations: >+ * http/tests/curl/resources/authenticate.php: Added. >+ * http/tests/curl/url-with-credentials-expected.txt: Added. >+ * http/tests/curl/url-with-credentials.html: Added. >+ * platform/wincairo/TestExpectations: >+ > 2018-08-24 Youenn Fablet <youenn@apple.com> > > libwebrtc PeerConnection::AddTrack sometimes fail >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index db7c940e809..e15eded41cb 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations >@@ -46,6 +46,7 @@ http/tests/events/touch/ios [ Skip ] > http/tests/preload/viewport [ Skip ] > http/tests/gzip-content-encoding [ Skip ] > http/tests/cookies/same-site [ Skip ] >+http/tests/curl [ Skip ] > system-preview [ Skip ] > > # window.showModalDialog is only tested in DumpRenderTree on Mac. >diff --git a/LayoutTests/http/tests/curl/resources/authenticate.php b/LayoutTests/http/tests/curl/resources/authenticate.php >new file mode 100644 >index 00000000000..0b47d84573b >--- /dev/null >+++ b/LayoutTests/http/tests/curl/resources/authenticate.php >@@ -0,0 +1,12 @@ >+<?php >+ >+if (empty($_GET['noauth']) && !isset($_SERVER['PHP_AUTH_USER'])) { >+ header('HTTP/1.0 401 Unauthorized'); >+ header('WWW-Authenticate: Basic realm="Curl Only"'); >+} >+ >+header('Content-Type: text/plain'); >+ >+echo 'User: ' . $_SERVER['PHP_AUTH_USER'] . "\n"; >+echo 'Password: ' . $_SERVER['PHP_AUTH_PW'] . "\n"; >+exit(0); 
>diff --git a/LayoutTests/http/tests/curl/url-with-credentials-expected.txt b/LayoutTests/http/tests/curl/url-with-credentials-expected.txt >new file mode 100644 >index 00000000000..d21d4f45cdb >--- /dev/null >+++ b/LayoutTests/http/tests/curl/url-with-credentials-expected.txt >@@ -0,0 +1 @@ >+User: Password: User: foo Password: bar >diff --git a/LayoutTests/http/tests/curl/url-with-credentials.html b/LayoutTests/http/tests/curl/url-with-credentials.html >new file mode 100644 >index 00000000000..52ad72e2b2e >--- /dev/null >+++ b/LayoutTests/http/tests/curl/url-with-credentials.html >@@ -0,0 +1,24 @@ >+<html> >+<script> >+ >+ /* >+ * curl send authorization header when credential exists in a url. >+ */ >+ >+ if (window.testRunner) { >+ testRunner.dumpAsText(); >+ } >+ >+ const req = new XMLHttpRequest(); >+ >+ /* First trial must be access without credentials. */ >+ req.open('GET', 'resources/authenticate.php?noauth=1', false, 'foo', 'bar'); >+ req.send(null); >+ document.writeln(req.responseText); >+ >+ /* Send auth info after getting authorization header. */ >+ req.open('GET', 'resources/authenticate.php', false, 'foo', 'bar'); >+ req.send(null); >+ document.writeln(req.responseText); >+ >+</script> >diff --git a/LayoutTests/platform/wincairo/TestExpectations b/LayoutTests/platform/wincairo/TestExpectations >index 775149fc910..091e71e9ce4 100644 >--- a/LayoutTests/platform/wincairo/TestExpectations >+++ b/LayoutTests/platform/wincairo/TestExpectations >@@ -844,6 +844,8 @@ imported/blink/fast/dom/Window/open-window-features-fuzz.html [ Pass Timeout ] > # http > #////////////////////////////////////////////////////////////////////////////////////////// > >+http/tests/curl [ Pass ] >+ > http/tests/appcache [ Skip ] > http/tests/blink/sendbeacon [ Skip ] > http/tests/cache [ Skip ] >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index d10643d9539..19946616013 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,19 @@ >+2018-08-31 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Because sync XHR uses request directly, the credential information in url is >+ not removed. Use ResourceHandleInternal's firstRequest because those are >+ already takne out. >+ >+ Test: http/tests/curl/url-with-credentials.html >+ >+ * platform/network/curl/ResourceHandleCurl.cpp: >+ (WebCore::ResourceHandle::platformLoadResourceSynchronously): >+ > 2018-08-24 Youenn Fablet <youenn@apple.com> > > libwebrtc PeerConnection::AddTrack sometimes fail >diff --git a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >index 6e0a6e45be5..e46d183a391 100644 >--- a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >+++ b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >@@ -382,7 +382,6 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > { > ASSERT(isMainThread()); > >- auto localRequest = request; > SynchronousLoaderClient client; > bool defersLoading = false; > bool shouldContentSniff = true; >@@ -390,12 +389,13 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > RefPtr<ResourceHandle> handle = adoptRef(new ResourceHandle(context, request, &client, defersLoading, shouldContentSniff, shouldContentEncodingSniff)); > handle->d->m_messageQueue = &client.messageQueue(); > >- if (localRequest.url().protocolIsData()) { >+ if (request.url().protocolIsData()) { > handle->handleDataURL(); > return; > } > >- handle->d->m_curlRequest = handle->createCurlRequest(localRequest); >+ auto requestCopy = handle->firstRequest(); >+ handle->d->m_curlRequest = handle->createCurlRequest(requestCopy); > handle->d->m_curlRequest->start(); > > do {
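Review bot: in the authenticate.php hunk, the `if` branch sends the 401 and `WWW-Authenticate` headers but then falls through to the two `echo` lines, which read `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` in exactly the case where they are unset, so the challenge response body can carry PHP undefined-index notices depending on the server's error display settings. Add `exit(0);` directly after the `WWW-Authenticate` header, or guard the two reads with `isset(...) ? ... : ''`, so the unauthenticated response is deterministic.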
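Review bot: in the url-with-credentials.html hunk, the comment "First trial must be access without credentials" is misleading, because the `'foo', 'bar'` arguments to `open()` are exactly what embed the credentials into the request URL; the condition under test is that the URL carries credentials but the first, unchallenged request must still come back with empty User/Password lines, and only the request after the 401 challenge shows `foo`/`bar`. Reword the comment to say that, and fix "curl send authorization header" to "curl sends an authorization header" in the header comment.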
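Review bot: typo in the Source/WebCore/ChangeLog entry: "already takne out" should be "already taken out".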
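Review bot: in the second ResourceHandleCurl.cpp hunk, the fix depends on `firstRequest()` already having the URL credentials taken out (as the ChangeLog states), but nothing at the call site records that; a one-line comment above `auto requestCopy = handle->firstRequest();` saying why the copy of `firstRequest()` is used instead of `request` would keep a later refactor from reintroducing the credential leak. The data-URL check just above still inspects `request.url()` rather than `firstRequest()`; that is harmless since data: URLs carry no credentials, but the asymmetry deserves the same comment.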
Flags: achristensen: review-