Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1803)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: webkit/plugins/ppapi/ppb_url_request_info_impl.cc

Issue 7645010: Fix security bug that allowed invalid header fields to be injected by (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | webkit/plugins/ppapi/url_request_info_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: webkit/plugins/ppapi/ppb_url_request_info_impl.cc
===================================================================
--- webkit/plugins/ppapi/ppb_url_request_info_impl.cc (revision 96431)
+++ webkit/plugins/ppapi/ppb_url_request_info_impl.cc (working copy)
@@ -44,6 +44,69 @@
const int32_t kDefaultPrefetchBufferUpperThreshold = 100 * 1000 * 1000;
const int32_t kDefaultPrefetchBufferLowerThreshold = 50 * 1000 * 1000;
+bool IsValidToken(const std::string& token) {
darin (slow to review) 2011/08/16 05:23:47 It makes me a bit sad to see this validation code
+ size_t length = token.size();
+ if (length == 0)
+ return false;
+
+ for (size_t i = 0; i < length; i++) {
+ char c = token[i];
+ if (c >= 127 || c <= 32)
+ return false;
+ if (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
+ c == ',' || c == ';' || c == ':' || c == '\\' || c == '\"' ||
+ c == '/' || c == '[' || c == ']' || c == '?' || c == '=' ||
+ c == '{' || c == '}')
+ return false;
+ }
+ return true;
+}
+
+// These methods are not allowed by the XMLHttpRequest standard.
+// http://www.w3.org/TR/XMLHttpRequest/#the-open-method
+const char* const kForbiddenHttpMethods[] = {
+ "connect",
+ "trace",
+ "track",
+};
+
+// These are the "known" methods in the Webkit XHR implementation. Also see
+// the XMLHttpRequest standard.
+// http://www.w3.org/TR/XMLHttpRequest/#the-open-method
+const char* const kKnownHttpMethods[] = {
+ "get",
+ "post",
+ "put",
+ "head",
+ "copy",
+ "delete",
+ "index",
+ "lock",
+ "m-post",
+ "mkcol",
+ "move",
+ "options",
+ "propfind",
+ "proppatch",
+ "unlock",
+};
+
+std::string ValidateMethod(const std::string& method) {
+ for (size_t i = 0; i < arraysize(kForbiddenHttpMethods); ++i) {
+ if (LowerCaseEqualsASCII(method, kForbiddenHttpMethods[i]))
+ return std::string();
+ }
+ for (size_t i = 0; i < arraysize(kKnownHttpMethods); ++i) {
+ if (LowerCaseEqualsASCII(method, kKnownHttpMethods[i])) {
+ // Convert the method name to upper case to match Webkit and Firefox's
+ // XHR implementation.
+ return StringToUpperASCII(std::string(kKnownHttpMethods[i]));
+ }
+ }
+ // Pass through unknown methods that are not forbidden.
+ return method;
+}
+
// A header string containing any of the following fields will cause
// an error. The list comes from the XMLHttpRequest standard.
// http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
@@ -329,8 +392,10 @@
url_ = value; // NOTE: This may be a relative URL.
return true;
case PP_URLREQUESTPROPERTY_METHOD:
- method_ = value;
- return true;
+ if (!IsValidToken(value))
+ return false;
+ method_ = ValidateMethod(value);
+ return !method_.empty();
case PP_URLREQUESTPROPERTY_HEADERS:
if (!AreValidHeaders(value))
return false;
« no previous file with comments | « no previous file | webkit/plugins/ppapi/url_request_info_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698