
Side by Side Diff: webkit/plugins/ppapi/ppb_url_request_info_impl.cc

Issue 7645010: Fix security bug that allowed invalid header fields to be injected by (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 4 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "webkit/plugins/ppapi/ppb_url_request_info_impl.h" 5 #include "webkit/plugins/ppapi/ppb_url_request_info_impl.h"
6 6
7 #include "base/logging.h" 7 #include "base/logging.h"
8 #include "base/string_util.h" 8 #include "base/string_util.h"
9 #include "googleurl/src/gurl.h" 9 #include "googleurl/src/gurl.h"
10 #include "googleurl/src/url_util.h" 10 #include "googleurl/src/url_util.h"
(...skipping 26 matching lines...) Expand all
37 using WebKit::WebURLRequest; 37 using WebKit::WebURLRequest;
38 38
39 namespace webkit { 39 namespace webkit {
40 namespace ppapi { 40 namespace ppapi {
41 41
42 namespace { 42 namespace {
43 43
44 const int32_t kDefaultPrefetchBufferUpperThreshold = 100 * 1000 * 1000; 44 const int32_t kDefaultPrefetchBufferUpperThreshold = 100 * 1000 * 1000;
45 const int32_t kDefaultPrefetchBufferLowerThreshold = 50 * 1000 * 1000; 45 const int32_t kDefaultPrefetchBufferLowerThreshold = 50 * 1000 * 1000;
46 46
47 bool IsValidToken(const std::string& token) {
darin (slow to review) 2011/08/16 05:23:47 It makes me a bit sad to see this validation code
48 size_t length = token.size();
49 if (length == 0)
50 return false;
51
52 for (size_t i = 0; i < length; i++) {
53 char c = token[i];
54 if (c >= 127 || c <= 32)
55 return false;
56 if (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
57 c == ',' || c == ';' || c == ':' || c == '\\' || c == '\"' ||
58 c == '/' || c == '[' || c == ']' || c == '?' || c == '=' ||
59 c == '{' || c == '}')
60 return false;
61 }
62 return true;
63 }
64
65 // These methods are not allowed by the XMLHttpRequest standard.
66 // http://www.w3.org/TR/XMLHttpRequest/#the-open-method
67 const char* const kForbiddenHttpMethods[] = {
68 "connect",
69 "trace",
70 "track",
71 };
72
73 // These are the "known" methods in the Webkit XHR implementation. Also see
74 // the XMLHttpRequest standard.
75 // http://www.w3.org/TR/XMLHttpRequest/#the-open-method
76 const char* const kKnownHttpMethods[] = {
77 "get",
78 "post",
79 "put",
80 "head",
81 "copy",
82 "delete",
83 "index",
84 "lock",
85 "m-post",
86 "mkcol",
87 "move",
88 "options",
89 "propfind",
90 "proppatch",
91 "unlock",
92 };
93
94 std::string ValidateMethod(const std::string& method) {
95 for (size_t i = 0; i < arraysize(kForbiddenHttpMethods); ++i) {
96 if (LowerCaseEqualsASCII(method, kForbiddenHttpMethods[i]))
97 return std::string();
98 }
99 for (size_t i = 0; i < arraysize(kKnownHttpMethods); ++i) {
100 if (LowerCaseEqualsASCII(method, kKnownHttpMethods[i])) {
101 // Convert the method name to upper case to match Webkit and Firefox's
102 // XHR implementation.
103 return StringToUpperASCII(std::string(kKnownHttpMethods[i]));
104 }
105 }
106 // Pass through unknown methods that are not forbidden.
107 return method;
108 }
109
47 // A header string containing any of the following fields will cause 110 // A header string containing any of the following fields will cause
48 // an error. The list comes from the XMLHttpRequest standard. 111 // an error. The list comes from the XMLHttpRequest standard.
49 // http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method 112 // http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
50 const char* const kForbiddenHeaderFields[] = { 113 const char* const kForbiddenHeaderFields[] = {
51 "accept-charset", 114 "accept-charset",
52 "accept-encoding", 115 "accept-encoding",
53 "connection", 116 "connection",
54 "content-length", 117 "content-length",
55 "cookie", 118 "cookie",
56 "cookie2", 119 "cookie2",
(...skipping 265 matching lines...) Expand 10 before | Expand all | Expand 10 after
322 } 385 }
323 386
324 bool PPB_URLRequestInfo_Impl::SetStringProperty(PP_URLRequestProperty property, 387 bool PPB_URLRequestInfo_Impl::SetStringProperty(PP_URLRequestProperty property,
325 const std::string& value) { 388 const std::string& value) {
326 // TODO(darin): Validate input. Perhaps at a different layer? 389 // TODO(darin): Validate input. Perhaps at a different layer?
327 switch (property) { 390 switch (property) {
328 case PP_URLREQUESTPROPERTY_URL: 391 case PP_URLREQUESTPROPERTY_URL:
329 url_ = value; // NOTE: This may be a relative URL. 392 url_ = value; // NOTE: This may be a relative URL.
330 return true; 393 return true;
331 case PP_URLREQUESTPROPERTY_METHOD: 394 case PP_URLREQUESTPROPERTY_METHOD:
332 method_ = value; 395 if (!IsValidToken(value))
333 return true; 396 return false;
397 method_ = ValidateMethod(value);
398 return !method_.empty();
334 case PP_URLREQUESTPROPERTY_HEADERS: 399 case PP_URLREQUESTPROPERTY_HEADERS:
335 if (!AreValidHeaders(value)) 400 if (!AreValidHeaders(value))
336 return false; 401 return false;
337 headers_ = value; 402 headers_ = value;
338 return true; 403 return true;
339 case PP_URLREQUESTPROPERTY_CUSTOMREFERRERURL: 404 case PP_URLREQUESTPROPERTY_CUSTOMREFERRERURL:
340 has_custom_referrer_url_ = true; 405 has_custom_referrer_url_ = true;
341 custom_referrer_url_ = value; 406 custom_referrer_url_ = value;
342 return true; 407 return true;
343 case PP_URLREQUESTPROPERTY_CUSTOMCONTENTTRANSFERENCODING: 408 case PP_URLREQUESTPROPERTY_CUSTOMCONTENTTRANSFERENCODING:
344 has_custom_content_transfer_encoding_ = true; 409 has_custom_content_transfer_encoding_ = true;
345 custom_content_transfer_encoding_ = value; 410 custom_content_transfer_encoding_ = value;
346 return true; 411 return true;
347 default: 412 default:
348 return false; 413 return false;
349 } 414 }
350 } 415 }
351 416
352 } // namespace ppapi 417 } // namespace ppapi
353 } // namespace webkit 418 } // namespace webkit
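Review bot: In the new PP_URLREQUESTPROPERTY_METHOD branch, `method_ = ValidateMethod(value);` writes the result before the check, so a forbidden method (connect/trace/track) overwrites whatever `method_` previously held with an empty string and then returns false; every other branch in SetStringProperty leaves the object untouched when it rejects a value. Validate into a local first: `const std::string validated = ValidateMethod(value);` / `if (validated.empty()) return false;` / `method_ = validated; return true;`. Using an empty string as ValidateMethod's failure sentinel is also worth a comment on its declaration, e.g. `// Returns the (possibly upper-cased) method, or an empty string if the method is forbidden.`, and IsValidToken would benefit from a one-line comment that it enforces the HTTP token grammar (no CTLs, no separators), since that is what blocks CR/LF from reaching the request line. Whether the header path is equally protected depends on AreValidHeaders, which is outside this diff.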
