Changeset 20074 in webkit
- Timestamp:
- Mar 8, 2007 6:25:25 PM (17 years ago)
- Location:
- trunk/WebCore
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/WebCore/ChangeLog
r20072 r20074 1 2007-03-08 Darin Adler <darin@apple.com> 2 3 Reviewed by Adele. 4 5 - <rdar://problem/4470381> multipart/form-data boundary security vulnerability 6 7 By making the form data boundary a string with some random data in it, we reduce 8 the possibility that anyone could take advantage of it by creating a file that 9 intentionally has the boundary string in it. 10 11 * html/HTMLFormElement.h: Removed boundary(), setBoundary(), and m_boundary. 12 Marked a lot more stuff private. 13 * html/HTMLFormElement.cpp: 14 (WebCore::HTMLFormElement::HTMLFormElement): Removed code to initialize 15 m_boundary. 16 (WebCore::randomNumber): Added. Function that returns a random number, including 17 seeding the random number generator the first time it's called. For now, usees the more 18 random function random() on Mac OS X and the more-standard rand() on other platforms. 19 (WebCore::HTMLFormElement::formData): Take a parameter with the form boundary string, 20 and use that instead of m_boundary. 21 (WebCore::getUniqueBoundaryString): Added. Makes a boundary string using random numbers 22 and base 64 encoding. 23 (WebCore::HTMLFormElement::submit): Call getUniqueBoundaryString and pass the boundary 24 string into formData for multipart form posts. 25 1 26 2007-03-08 Maciej Stachowiak <mjs@apple.com> 2 27 -
trunk/WebCore/html/HTMLFormElement.cpp
r19872 r20074 1 1 /* 2 * This file is part of the DOM implementation for KDE.3 *4 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 5 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 6 4 * (C) 2001 Dirk Mueller (mueller@kde.org) 7 * Copyright (C) 2004, 2005, 2006 Apple Computer, Inc.5 * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved. 8 6 * (C) 2006 Alexey Proskuryakov (ap@nypop.com) 9 7 * … … 28 26 #include "HTMLFormElement.h" 29 27 28 #include "Base64.h" 30 29 #include "CString.h" 31 30 #include "csshelper.h" … … 60 59 m_inreset = false; 61 60 m_enctype = "application/x-www-form-urlencoded"; 62 m_boundary = "----------0xKhTmLbOuNdArY";63 61 m_malformed = false; 64 62 m_preserveAcrossRemove = false; … … 197 195 } 198 196 199 PassRefPtr<FormData> HTMLFormElement::formData() const 200 { 201 DeprecatedCString enc_string = ""; // used for non-multipart data 197 static int randomNumber() 198 { 199 static bool randomSeeded = false; 200 201 #if PLATFORM(DARWIN) 202 if (!randomSeeded) { 203 srandomdev(); 204 randomSeeded = true; 205 } 206 return random(); 207 #else 208 if (!randomSeeded) { 209 srand(static_cast<unsigned>(time(0))); 210 randomSeeded = true; 211 } 212 return rand(); 213 #endif 214 } 215 216 PassRefPtr<FormData> HTMLFormElement::formData(const char* boundary) const 217 { 218 DeprecatedCString enc_string = ""; 202 219 203 220 String str = m_acceptcharset; … … 246 263 { 247 264 DeprecatedCString hstr("--"); 248 hstr += m_boundary.deprecatedString().latin1();265 hstr += boundary; 249 266 hstr += "\r\n"; 250 267 hstr += "Content-Disposition: form-data; name=\""; … … 295 312 296 313 297 if (m_multipart) 298 enc_string = ("--" + m_boundary.deprecatedString() + "--\r\n").ascii(); 314 if (m_multipart) { 315 enc_string = "--"; 316 enc_string += boundary; 317 enc_string += "--\r\n"; 318 } 299 319 300 320 result->appendData(enc_string.data(), enc_string.length()); … … 316 336 } 317 337 318 void HTMLFormElement::setBoundary( const String& bound )319 {320 m_boundary = bound;321 }322 323 338 bool HTMLFormElement::prepareSubmit(Event* event) 324 339 { … … 344 359 { 345 360 submit(0, false); 361 } 362 363 // Returns a 0-terminated C string in the vector. 364 static void getUniqueBoundaryString(Vector<char>& boundary) 365 { 366 // Start with an informative prefix. 367 const char boundaryPrefix[] = "----WebKit-form-boundary-"; 368 boundary.append(boundaryPrefix, strlen(boundaryPrefix)); 369 370 // Append 16 characters of base 64 randomness. 371 Vector<char> randomBytes; 372 for (int i = 0; i < 3; ++i) { 373 int randomness = randomNumber(); 374 randomBytes.append(static_cast<char>(randomness >> 24)); 375 randomBytes.append(static_cast<char>(randomness >> 16)); 376 randomBytes.append(static_cast<char>(randomness >> 8)); 377 randomBytes.append(static_cast<char>(randomness)); 378 } 379 Vector<char> randomBase64; 380 base64Encode(randomBytes, randomBase64); 381 boundary.append(randomBase64); 382 383 // Add a 0 at the end so we can use this as a C-style string. 384 boundary.append(0); 346 385 } 347 386 … … 386 425 387 426 if (!m_post) 427 428 if (m_post) { 429 if (!m_multipart) 430 frame->loader()->submitForm("POST", m_url, formData(0), m_target, enctype(), String(), event); 431 else { 432 Vector<char> boundary; 433 getUniqueBoundaryString(boundary); 434 frame->loader()->submitForm("POST", m_url, formData(boundary.data()), m_target, enctype(), boundary.data(), event); 435 } 436 } else { 388 437 m_multipart = false; 389 390 if (m_post) 391 frame->loader()->submitForm("POST", m_url, formData(), m_target, enctype(), boundary(), event); 392 else 393 frame->loader()->submitForm("GET", m_url, formData(), m_target, String(), String(), event); 438 frame->loader()->submitForm("GET", m_url, formData(0), m_target, String(), String(), event); 439 } 394 440 395 441 if (needButtonActivation && firstSuccessfulSubmitButton) -
trunk/WebCore/html/HTMLFormElement.h
r19872 r20074 1 1 /* 2 * This file is part of the DOM implementation for KDE.3 *4 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 5 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 6 4 * (C) 2000 Dirk Mueller (mueller@kde.org) 7 * Copyright (C) 2004, 2005, 2006 Apple Computer, Inc.5 * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved. 8 6 * 9 7 * This library is free software; you can redistribute it and/or … … 62 60 void setEncoding(const String& enctype) { setEnctype(enctype); } 63 61 64 String boundary() const { return m_boundary; }65 void setBoundary(const String&);66 67 62 bool autoComplete() const { return m_autocomplete; } 68 63 … … 105 100 void setTarget(const String&); 106 101 102 // FIXME: Change this to be private after getting rid of all the clients. 103 Vector<HTMLGenericFormElement*> formElements; 104 105 private: 106 void parseEnctype(const String&); 107 PassRefPtr<FormData> formData(const char* boundary) const; 108 unsigned formElementIndex(HTMLGenericFormElement*); 109 107 110 friend class HTMLFormCollection; 108 111 109 112 HTMLCollection::CollectionInfo* collectionInfo; 110 113 111 Vector<HTMLGenericFormElement*> formElements;112 114 Vector<HTMLImageElement*> imgElements; 113 115 String m_url; … … 125 127 bool m_preserveAcrossRemove : 1; 126 128 127 private:128 void parseEnctype(const String&);129 PassRefPtr<FormData> formData() const;130 131 unsigned formElementIndex(HTMLGenericFormElement*);132 133 129 String oldNameAttr; 134 130 };
Note: See TracChangeset
for help on using the changeset viewer.