WebKit Bugzilla
Attachment 348834 Details for Bug 189198: [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR.
PATCH 189198.diff (text/plain), 5.38 KB, created by Basuke Suzuki on 2018-09-04 11:40:57 PDT
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 9972e44066a..184e38f434b 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,15 @@ >+2018-09-04 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * http/tests/resources/basic-auth/authenticate.php: Added. >+ * http/tests/resources/basic-auth/authorize.php: Added. >+ * http/tests/xmlhttprequest/url-with-credentials-expected.txt: Added. >+ * http/tests/xmlhttprequest/url-with-credentials.html: Added. >+ > 2018-08-31 Chris Dumez <cdumez@apple.com> > > [ WK2 ] http/tests/workers/service/client-*-page-cache.html LayoutTests are flaky >diff --git a/LayoutTests/http/tests/resources/basic-auth/authenticate.php b/LayoutTests/http/tests/resources/basic-auth/authenticate.php >new file mode 100644 >index 00000000000..97621561741 >--- /dev/null >+++ b/LayoutTests/http/tests/resources/basic-auth/authenticate.php >@@ -0,0 +1,5 @@ >+<?php >+ >+header('Content-Type: text/plain'); >+echo 'User: ' . $_SERVER['PHP_AUTH_USER'] . "\n"; >+echo 'Password: ' . $_SERVER['PHP_AUTH_PW'] . "\n"; >diff --git a/LayoutTests/http/tests/resources/basic-auth/authorize.php b/LayoutTests/http/tests/resources/basic-auth/authorize.php >new file mode 100644 >index 00000000000..b37b0801b32 >--- /dev/null >+++ b/LayoutTests/http/tests/resources/basic-auth/authorize.php >@@ -0,0 +1,10 @@ >+<?php >+ >+if (!isset($_SERVER['PHP_AUTH_USER'])) { >+ header('HTTP/1.0 401 Unauthorized'); >+ header('WWW-Authenticate: Basic realm="Curl Only"'); >+} else { >+ header('Content-Type: text/plain'); >+ echo 'User: ' . $_SERVER['PHP_AUTH_USER'] . "\n"; >+ echo 'Password: ' . $_SERVER['PHP_AUTH_PW'] . "\n"; >+} 
>diff --git a/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt >new file mode 100644 >index 00000000000..d21d4f45cdb >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt >@@ -0,0 +1 @@ >+User: Password: User: foo Password: bar >diff --git a/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html >new file mode 100644 >index 00000000000..0b0b1aeaf9c >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html >@@ -0,0 +1,25 @@ >+<html> >+<script> >+ >+ /* >+ * If the request contains credentials in its url, it should be stripped from it. >+ * Also first attempt shouldn't contain basic auth header >+ */ >+ >+ if (window.testRunner) { >+ testRunner.dumpAsText(); >+ } >+ >+ const req = new XMLHttpRequest(); >+ >+ /* First trial must be access without credentials. */ >+ req.open('GET', '/resources/basic-auth/authenticate.php', false, 'foo', 'bar'); >+ req.send(null); >+ document.writeln(req.responseText); >+ >+ /* Send auth info after getting authorization header. */ >+ req.open('GET', '/resources/basic-auth/authorize.php', false, 'foo', 'bar'); >+ req.send(null); >+ document.writeln(req.responseText); >+ >+</script> >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 74c70b57cbc..b1be6198a36 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,19 @@ >+2018-09-04 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Test: http/tests/xmlhttprequest/url-with-credentials.html >+ >+ Because sync XHR uses request directly, the credential information in url is >+ not removed. Use ResourceHandleInternal's firstRequest because those are >+ already takne out. >+ >+ * platform/network/curl/ResourceHandleCurl.cpp: >+ (WebCore::ResourceHandle::platformLoadResourceSynchronously): >+ > 2018-08-31 Chris Dumez <cdumez@apple.com> > > [ WK2 ] http/tests/workers/service/client-*-page-cache.html LayoutTests are flaky >diff --git a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >index 55aa9b709ba..c42adc378a6 100644 >--- a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >+++ b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >@@ -382,7 +382,6 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > { > ASSERT(isMainThread()); > >- auto localRequest = request; > SynchronousLoaderClient client; > bool defersLoading = false; > bool shouldContentSniff = true; >@@ -390,12 +389,13 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > RefPtr<ResourceHandle> handle = adoptRef(new ResourceHandle(context, request, &client, defersLoading, shouldContentSniff, shouldContentEncodingSniff)); > handle->d->m_messageQueue = &client.messageQueue(); > >- if (localRequest.url().protocolIsData()) { >+ if (request.url().protocolIsData()) { > handle->handleDataURL(); > return; > } > >- handle->d->m_curlRequest = handle->createCurlRequest(WTFMove(localRequest)); >+ auto requestCopy = handle->firstRequest(); >+ handle->d->m_curlRequest = handle->createCurlRequest(WTFMove(requestCopy)); > handle->d->m_curlRequest->start(); > > do {
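Review bot: In LayoutTests/http/tests/resources/basic-auth/authenticate.php, `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` are read without an isset() check, yet the expected output ("User: Password:") shows the first request is meant to arrive with no Authorization header. On that path PHP raises an undefined-index notice, and with display_errors enabled the notice text lands in the response body and in the test output. Guard both reads with isset() or `?? ''`. The file name also reads oddly next to authorize.php, since this script never authenticates anything and only echoes what it received.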
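Review bot: In LayoutTests/http/tests/resources/basic-auth/authorize.php, the realm string `Basic realm="Curl Only"` marks the resource as port-specific, while both the resource and the test that uses it are added under shared LayoutTests/http/tests directories and the ChangeLog lists no TestExpectations change. Either use a neutral realm name or say in the ChangeLog which ports are expected to run this test. The two echo lines in the else branch duplicate authenticate.php, so one script with an optional challenge would be enough.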
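Review bot: In LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html, the header comment says credentials contained in the URL should be stripped, but both `req.open(...)` calls use a relative URL with no userinfo and pass 'foo' and 'bar' as the user and password arguments. The test therefore never exercises a URL of the form user:password@host, and it only checks the echoed PHP_AUTH_* values, not the request URL the server received. Add a case with credentials written into the URL, or reword the comment to match what is tested. Both requests are synchronous (third argument `false`), so the asynchronous path is not covered, and the closing `</html>` tag is missing.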
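Review bot: In the Source/WebCore/ChangeLog entry, "takne" should be "taken", and "those are already taken out" does not say where the credentials are removed from firstRequest. Name the function or constructor that strips them so that a reader can verify the claim from the ChangeLog alone.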
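Review bot: In Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp, at `auto requestCopy = handle->firstRequest();` nothing at the call site explains that firstRequest() is chosen over `request` because its URL credentials have already been removed, which the ChangeLog gives as the whole reason for the change. Without a short comment there, a later cleanup could switch back to passing `request` to createCurlRequest() and reintroduce the credential leak on the sync XHR path. The `ResourceHandle` constructor is still given the original `request`, so the fix depends on stripping that happens outside the lines shown here; please point to it in the comment.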
Flags: ap: review-
Attachments on bug 189198: 348675 | 348834 | 349070 | 349083 | 349087 | 349195 | 349201