| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/csp/CSPSourceList.h" | 6 #include "core/frame/csp/CSPSourceList.h" |
| 7 | 7 |
| 8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
| 9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 10 #include "platform/ParsingUtilities.h" | 10 #include "platform/ParsingUtilities.h" |
| (...skipping 242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 253 } | 253 } |
| 254 | 254 |
| 255 return true; | 255 return true; |
| 256 } | 256 } |
| 257 | 257 |
| 258 // nonce-source = "'nonce-" nonce-value "'" | 258 // nonce-source = "'nonce-" nonce-value "'" |
| 259 // nonce-value = 1*( ALPHA / DIGIT / "+" / "/" / "=" ) | 259 // nonce-value = 1*( ALPHA / DIGIT / "+" / "/" / "=" ) |
| 260 // | 260 // |
| 261 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& non
ce) | 261 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& non
ce) |
| 262 { | 262 { |
| 263 DEFINE_STATIC_LOCAL(const String, noncePrefix, ("'nonce-")); | 263 size_t nonceLength = end - begin; |
| 264 const char* prefix = "'nonce-"; |
| 264 | 265 |
| 265 if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length(
))) | 266 if (nonceLength <= strlen(prefix) || !equalIgnoringCase(prefix, begin, strle
n(prefix))) |
| 266 return true; | 267 return true; |
| 267 | 268 |
| 268 const UChar* position = begin + noncePrefix.length(); | 269 const UChar* position = begin + strlen(prefix); |
| 269 const UChar* nonceBegin = position; | 270 const UChar* nonceBegin = position; |
| 270 | 271 |
| 272 ASSERT(position < end); |
| 271 skipWhile<UChar, isNonceCharacter>(position, end); | 273 skipWhile<UChar, isNonceCharacter>(position, end); |
| 272 ASSERT(nonceBegin <= position); | 274 ASSERT(nonceBegin <= position); |
| 273 | 275 |
| 274 if ((position + 1) != end || *position != '\'' || !(position - nonceBegin)) | 276 if (position + 1 != end || *position != '\'' || position == nonceBegin) |
| 275 return false; | 277 return false; |
| 276 | 278 |
| 277 nonce = String(nonceBegin, position - nonceBegin); | 279 nonce = String(nonceBegin, position - nonceBegin); |
| 278 return true; | 280 return true; |
| 279 } | 281 } |
| 280 | 282 |
| 281 // hash-source = "'" hash-algorithm "-" hash-value "'" | 283 // hash-source = "'" hash-algorithm "-" hash-value "'" |
| 282 // hash-algorithm = "sha1" / "sha256" / "sha384" / "sha512" | 284 // hash-algorithm = "sha1" / "sha256" / "sha384" / "sha512" |
| 283 // hash-value = 1*( ALPHA / DIGIT / "+" / "/" / "=" ) | 285 // hash-value = 1*( ALPHA / DIGIT / "+" / "/" / "=" ) |
| 284 // | 286 // |
| (...skipping 193 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 478 } | 480 } |
| 479 | 481 |
| 480 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) | 482 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) |
| 481 { | 483 { |
| 482 m_hashes.add(CSPHashValue(algorithm, hash)); | 484 m_hashes.add(CSPHashValue(algorithm, hash)); |
| 483 m_hashAlgorithmsUsed |= algorithm; | 485 m_hashAlgorithmsUsed |= algorithm; |
| 484 } | 486 } |
| 485 | 487 |
| 486 | 488 |
| 487 } // namespace blink | 489 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 705663003:
CSP: Harden nonce parsing. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master