[webkit-changes] [141446] trunk/Source/WebCore

Thu, 31 Jan 2013 11:04:37 -0800

Title: [141446] trunk/Source/WebCore
Revision
141446
Author
commit-qu...@webkit.org
Date
2013-01-31 11:06:28 -0800 (Thu, 31 Jan 2013)

Log Message

[BlackBerry] CookieParser should ignore invalid/unsupported attributes instead of ignoring the cookie
https://bugs.webkit.org/show_bug.cgi?id=108494

PR 287832
Patch by Otto Derek Cheung <otche...@rim.com> on 2013-01-31
Reviewed by Rob Buis.
Internally Reviewed by Liam Quinn.

A short-term fix for CookieParser to not blow up when a Set-Cookie header has an invalid
or unsupported cookie attribute.

We will ignore the attribute only, not the entire cookie.

Also, making sure the parser won't replace values of valid attributes when evaluating an unsupported
cookie with the same length and same first character as a supported attribute.

Tested using opera cookie and browser.swlab.rim.net cookies test suite. Tested using regular sites that
has a login mechanism.

* platform/blackberry/CookieParser.cpp:
(WebCore::CookieParser::parseOneCookie):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (141445 => 141446)


--- trunk/Source/WebCore/ChangeLog	2013-01-31 19:05:30 UTC (rev 141445)
+++ trunk/Source/WebCore/ChangeLog	2013-01-31 19:06:28 UTC (rev 141446)
@@ -1,3 +1,26 @@
+2013-01-31  Otto Derek Cheung  <otche...@rim.com>
+
+        [BlackBerry] CookieParser should ignore invalid/unsupported attributes instead of ignoring the cookie
+        https://bugs.webkit.org/show_bug.cgi?id=108494
+
+        PR 287832
+        Reviewed by Rob Buis.
+        Internally Reviewed by Liam Quinn.
+
+        A short-term fix for CookieParser to not blow up when a Set-Cookie header has an invalid
+        or unsupported cookie attribute.
+
+        We will ignore the attribute only, not the entire cookie.
+
+        Also, making sure the parser won't replace values of valid attributes when evaluating an unsupported
+        cookie with the same length and same first character as a supported attribute.
+
+        Tested using opera cookie and browser.swlab.rim.net cookies test suite. Tested using regular sites that
+        has a login mechanism.
+
+        * platform/blackberry/CookieParser.cpp:
+        (WebCore::CookieParser::parseOneCookie):
+
 2013-01-31  Tommy Widenflycht  <tom...@google.com>
 
         [chromium] MediaStream API: Rename WebMediaStreamDescriptor and WebMediaStreamComponent to WebMediaStream and WebMediaStreamTrack

Modified: trunk/Source/WebCore/platform/blackberry/CookieParser.cpp (141445 => 141446)


--- trunk/Source/WebCore/platform/blackberry/CookieParser.cpp	2013-01-31 19:05:30 UTC (rev 141445)
+++ trunk/Source/WebCore/platform/blackberry/CookieParser.cpp	2013-01-31 19:06:28 UTC (rev 141446)
@@ -239,7 +239,7 @@
         switch (cookie[tokenStartSvg]) {
         case 'P':
         case 'p' : {
-            if (length >= 4 && cookie.find("ath", tokenStartSvg + 1, false)) {
+            if (length >= 4 && ((cookie.find("ath", tokenStartSvg + 1, false) - tokenStartSvg) == 1)) {
                 // We need the path to be decoded to match those returned from KURL::path().
                 // The path attribute may or may not include percent-encoded characters. Fortunately
                 // if there are no percent-encoded characters, decoding the url is a no-op.
@@ -250,24 +250,23 @@
 #if 0
                 // Check if path attribute is a prefix of the request URI.
                 if (!m_defaultCookieURL.path().startsWith(res->path()))
-                    LOG_AND_DELETE("Invalid cookie %s (path): it does not math the URL", cookie.ascii().data());
+                    LOG_AND_DELETE("Invalid cookie attribute %s (path): it does not math the URL", cookie.ascii().data());
 #endif
-
             } else
-                LOG_AND_DELETE("Invalid cookie %s (path)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (path)", cookie.ascii().data());
             break;
         }
 
         case 'D':
         case 'd' : {
-            if (length >= 6 && cookie.find("omain", tokenStartSvg + 1, false)) {
+            if (length >= 6 && ((cookie.find("omain", tokenStartSvg + 1, false) - tokenStartSvg) == 1)) {
                 if (parsedValue.length() > 1 && parsedValue[0] == '"' && parsedValue[parsedValue.length() - 1] == '"')
                     parsedValue = parsedValue.substring(1, parsedValue.length() - 2);
 
                 // Check if the domain contains an embedded dot.
                 size_t dotPosition = parsedValue.find(".", 1);
                 if (dotPosition == notFound || dotPosition == parsedValue.length())
-                    LOG_AND_DELETE("Invalid cookie %s (domain): it does not contain an embedded dot", cookie.ascii().data());
+                    LOG_AND_DELETE("Invalid cookie attribute %s (domain): it does not contain an embedded dot", cookie.ascii().data());
 
                 // If the domain does not start with a dot, add one for security checks,
                 // For example: ab.c.com dose not domain match b.c.com;
@@ -283,7 +282,7 @@
                 if (m_defaultDomainIsIPAddress) {
                     String realDomainCanonical = String(BlackBerry::Platform::getCanonicalIPFormat(realDomain.utf8().data()).c_str());
                     if (realDomainCanonical.isEmpty() || realDomainCanonical != m_defaultCookieHost)
-                        LOG_AND_DELETE("Invalid cookie %s (domain): domain is IP but does not match host's IP", cookie.ascii().data());
+                        LOG_AND_DELETE("Invalid cookie attribute %s (domain): domain is IP but does not match host's IP", cookie.ascii().data());
                     realDomain = realDomainCanonical;
                     isIPAddress = true;
                 } else {
@@ -295,52 +294,52 @@
                     // We also have to make a special case for IP addresses. If a website tries to set
                     // a cookie to 61.97, that domain is not an IP address and will end with the m_defaultCookieHost
                     if (!m_defaultCookieHost.endsWith(realDomain, false))
-                        LOG_AND_DELETE("Invalid cookie %s (domain): it does not domain match the host", cookie.ascii().data());
+                        LOG_AND_DELETE("Invalid cookie attribute %s (domain): it does not domain match the host", cookie.ascii().data());
                     // We should check for an embedded dot in the portion of string in the host not in the domain
                     // but to match firefox behaviour we do not.
 
                     // Check whether the domain is a top level domain, if it is throw it out
                     // http://publicsuffix.org/list/
                     if (BlackBerry::Platform::isTopLevelDomain(realDomain.utf8().data()))
-                        LOG_AND_DELETE("Invalid cookie %s (domain): it did not pass the top level domain check", cookie.ascii().data());
+                        LOG_AND_DELETE("Invalid cookie attribute %s (domain): it did not pass the top level domain check", cookie.ascii().data());
                 }
                 res->setDomain(realDomain, isIPAddress);
             } else
-                LOG_AND_DELETE("Invalid cookie %s (domain)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (domain)", cookie.ascii().data());
             break;
         }
 
         case 'E' :
         case 'e' : {
-            if (length >= 7 && cookie.find("xpires", tokenStartSvg + 1, false))
+            if (length >= 7 && ((cookie.find("xpires", tokenStartSvg + 1, false) - tokenStartSvg) == 1))
                 res->setExpiry(parsedValue);
             else
-                LOG_AND_DELETE("Invalid cookie %s (expires)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (expires)", cookie.ascii().data());
             break;
         }
 
         case 'M' :
         case 'm' : {
-            if (length >= 7 && cookie.find("ax-age", tokenStartSvg + 1, false))
+            if (length >= 7 && ((cookie.find("ax-age", tokenStartSvg + 1, false) - tokenStartSvg) == 1))
                 res->setMaxAge(parsedValue);
             else
-                LOG_AND_DELETE("Invalid cookie %s (max-age)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (max-age)", cookie.ascii().data());
             break;
         }
 
         case 'C' :
         case 'c' : {
-            if (length >= 7 && cookie.find("omment", tokenStartSvg + 1, false))
+            if (length >= 7 && ((cookie.find("omment", tokenStartSvg + 1, false) - tokenStartSvg) == 1))
                 // We do not have room for the comment part (and so do Mozilla) so just log the comment.
                 LOG(Network, "Comment %s for ParsedCookie : %s\n", parsedValue.ascii().data(), cookie.ascii().data());
             else
-                LOG_AND_DELETE("Invalid cookie %s (comment)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (comment)", cookie.ascii().data());
             break;
         }
 
         case 'V' :
         case 'v' : {
-            if (length >= 7 && cookie.find("ersion", tokenStartSvg + 1, false)) {
+            if (length >= 7 && ((cookie.find("ersion", tokenStartSvg + 1, false) - tokenStartSvg) == 1)) {
                 // Although the out-of-dated Cookie Spec(RFC2965, http://tools.ietf.org/html/rfc2965) defined
                 // the value of version can only contain DIGIT, some random sites, e.g. https://devforums.apple.com
                 // would use double quotation marks to quote the digit. So we need to get rid of them for compliance.
@@ -350,26 +349,26 @@
                 if (parsedValue.toInt() != 1)
                     LOG_AND_DELETE("ParsedCookie version %d not supported (only support version=1)", parsedValue.toInt());
             } else
-                LOG_AND_DELETE("Invalid cookie %s (version)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (version)", cookie.ascii().data());
             break;
         }
 
         case 'S' :
         case 's' : {
             // Secure is a standalone token ("Secure;")
-            if (length >= 6 && cookie.find("ecure", tokenStartSvg + 1, false))
+            if (length >= 6 && ((cookie.find("ecure", tokenStartSvg + 1, false) - tokenStartSvg) == 1))
                 res->setSecureFlag(true);
             else
-                LOG_AND_DELETE("Invalid cookie %s (secure)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (secure)", cookie.ascii().data());
             break;
         }
         case 'H':
         case 'h': {
             // HttpOnly is a standalone token ("HttpOnly;")
-            if (length >= 8 && cookie.find("ttpOnly", tokenStartSvg + 1, false))
+            if (length >= 8 && ((cookie.find("ttpOnly", tokenStartSvg + 1, false) - tokenStartSvg) == 1))
                 res->setIsHttpOnly(true);
             else
-                LOG_AND_DELETE("Invalid cookie %s (HttpOnly)", cookie.ascii().data());
+                LOG_ERROR("Invalid cookie attribute %s (HttpOnly)", cookie.ascii().data());
             break;
         }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to