Chromium Code Reviews Chromium Code Reviews
Issue 2134083003:
Reject line terminators in HttpUtil::IsValidHeaderValue() (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <algorithm> | 5 #include <algorithm> |
| 6 | 6 |
| 7 #include "base/strings/string_util.h" | 7 #include "base/strings/string_util.h" |
| 8 #include "net/http/http_util.h" | 8 #include "net/http/http_util.h" |
| 9 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
| 10 | 10 |
| (...skipping 1349 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1360 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagStrong, kLastModified)); | 1360 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagStrong, kLastModified)); |
| 1361 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagWeak, kLastModified)); | 1361 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagWeak, kLastModified)); |
| 1362 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagEmpty, kLastModified)); | 1362 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagEmpty, kLastModified)); |
| 1363 | 1363 |
| 1364 EXPECT_FALSE(HttpUtil::HasValidators(v1_1, kMissing, kLastModifiedInvalid)); | 1364 EXPECT_FALSE(HttpUtil::HasValidators(v1_1, kMissing, kLastModifiedInvalid)); |
| 1365 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagStrong, kLastModifiedInvalid)); | 1365 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagStrong, kLastModifiedInvalid)); |
| 1366 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagWeak, kLastModifiedInvalid)); | 1366 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagWeak, kLastModifiedInvalid)); |
| 1367 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagEmpty, kLastModifiedInvalid)); | 1367 EXPECT_TRUE(HttpUtil::HasValidators(v1_1, kEtagEmpty, kLastModifiedInvalid)); |
| 1368 } | 1368 } |
| 1369 | 1369 |
| 1370 TEST(HttpUtilTest, IsValidHeaderValue) { | |
| 1371 static const char* const invalid_values[] = { | |
|
mmenke
2016/07/12 18:24:49
nit: Don't use static (I think the consensus is i
Adam Rice
2016/07/13 01:47:00
I wasn't aware of that.
I'm never quite sure when
mmenke
2016/07/13 01:52:23
I think the issue is that function-scoped statics
| |
| 1372 "X-Requested-With: chrome${NUL}Sec-Unsafe: injected", | |
| 1373 "X-Requested-With: chrome\r\nSec-Unsafe: injected", | |
| 1374 "X-Requested-With: chrome\nSec-Unsafe: injected", | |
| 1375 "X-Requested-With: chrome\rSec-Unsafe: injected", | |
| 1376 }; | |
| 1377 for (std::string value : invalid_values) { | |
|
mmenke
2016/07/12 18:24:49
nit: const std::string&
Adam Rice
2016/07/13 01:47:00
Done.
| |
| 1378 base::ReplaceSubstringsAfterOffset(&value, 0, "${NUL}", | |
| 1379 std::string(1, '\0')); | |
| 1380 EXPECT_FALSE(HttpUtil::IsValidHeaderValue(value)) << value; | |
| 1381 } | |
|
mmenke
2016/07/12 18:24:49
nit: Suggest a blank line here
Adam Rice
2016/07/13 01:47:00
Done.
| |
| 1382 // Check that all characters permitted by RFC7230 3.2.6 are allowed. | |
| 1383 std::string allowed = "\t"; | |
| 1384 for (char c = '\x20'; c < '\x7F'; ++c) { | |
| 1385 allowed.append(1, c); | |
| 1386 } | |
| 1387 for (int c = 0x80; c <= 0xFF; ++c) { | |
| 1388 allowed.append(1, static_cast<char>(c)); | |
| 1389 } | |
| 1390 EXPECT_TRUE(HttpUtil::IsValidHeaderValue(allowed)); | |
| 1391 } | |
| 1392 | |
| 1370 } // namespace net | 1393 } // namespace net |
| OLD | NEW |
