Changeset 211616 in webkit

Timestamp:

Feb 2, 2017 5:46:25 PM (7 years ago)

Author:

ap@apple.com

Message:

Multiple HTTP tests fail with Apache 2.4.25
​https://bugs.webkit.org/show_bug.cgi?id=167678
<rdar://problem/30060142>

Reviewed by Sam Weinig.

Newer versions of Apache have a security fix where they generate an internal server
error upon seeing an invalid HTTP header field. There is an opt-out configuration
option which didn't quite work in my testing, but regardless, we should only use
"nph-" CGIs for invalid responses. This is how Apache knows that it shouldn't
attempt to parse the response.

This also uncovered a test bug.

• http/tests/cache/disk-cache/resources/cache-test.js: (generateTestURL):

Without escaping, we were getting a broken response in attachment tests:

Content-Disposition: attachment

filename: "f.txt"

Note how ";" turned into a newline.

• http/tests/misc/non-utf8-header-name-expected.txt: Removed.
• http/tests/misc/non-utf8-header-name.php: Removed.
• http/tests/misc/nph-non-utf8-header-name-expected.txt: Copied from LayoutTests/http/tests/misc/non-utf8-header-name-expected.txt.
• http/tests/misc/nph-non-utf8-header-name.pl: Copied from LayoutTests/http/tests/misc/non-utf8-header-name.php.
• http/tests/preload/download_resources_from_invalid_headers.html:
• http/tests/preload/resources/invalid_resources_from_header.php: Removed.
• http/tests/preload/resources/nph-invalid_resources_from_header.pl: Copied from LayoutTests/http/tests/preload/resources/invalid_resources_from_header.php.
• http/tests/security/contentSecurityPolicy/directive-parsing-01.html:
• http/tests/security/contentSecurityPolicy/directive-parsing-02.html:
• http/tests/security/contentSecurityPolicy/directive-parsing-03.html:
• http/tests/security/contentSecurityPolicy/directive-parsing-04.html:
• http/tests/security/contentSecurityPolicy/directive-parsing-05.html:
• http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl: Removed.
• http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
• http/tests/security/contentSecurityPolicy/resources/nph-echo-script-src.pl: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl.
• http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html:
• http/tests/security/contentSecurityPolicy/script-src-none.html:
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html:
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html:
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html:
• http/tests/security/contentSecurityPolicy/script-src-self.html:
• http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html:

Changed scripts that are used to generate invalid responses to "nph-" ones.

Location:

trunk/LayoutTests

Files:

• ChangeLog (modified) (1 diff)
• http/tests/cache/disk-cache/resources/cache-test.js (modified) (2 diffs)
• http/tests/misc/non-utf8-header-name.php (deleted)
• http/tests/misc/nph-non-utf8-header-name-expected.txt (moved) (moved from trunk/LayoutTests/http/tests/misc/non-utf8-header-name-expected.txt)
• http/tests/misc/nph-non-utf8-header-name.pl (added)
• http/tests/preload/download_resources_from_invalid_headers.html (modified) (1 diff)
• http/tests/preload/resources/invalid_resources_from_header.php (deleted)
• http/tests/preload/resources/nph-invalid_resources_from_header.pl (added)
• http/tests/security/contentSecurityPolicy/directive-parsing-01.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/directive-parsing-02.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/directive-parsing-03.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/directive-parsing-04.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/directive-parsing-05.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/resources/nph-echo-script-src.pl (moved) (moved from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl) (1 diff)
• http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-none.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-self.html (modified) (1 diff)
• http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-02-02  Alexey Proskuryakov  <ap@apple.com>
+
+        Multiple HTTP tests fail with Apache 2.4.25
+        https://bugs.webkit.org/show_bug.cgi?id=167678
+        <rdar://problem/30060142>
+
+        Reviewed by Sam Weinig.
+
+        Newer versions of Apache have a security fix where they generate an internal server
+        error upon seeing an invalid HTTP header field. There is an opt-out configuration
+        option which didn't quite work in my testing, but regardless, we should only use
+        "nph-" CGIs for invalid responses. This is how Apache knows that it shouldn't
+        attempt to parse the response.
+
+        This also uncovered a test bug.
+
+        * http/tests/cache/disk-cache/resources/cache-test.js: (generateTestURL):
+        Without escaping, we were getting a broken response in attachment tests:
+           Content-Disposition: attachment
+            filename: "f.txt"
+        Note how ";" turned into a newline.
+
+        * http/tests/misc/non-utf8-header-name-expected.txt: Removed.
+        * http/tests/misc/non-utf8-header-name.php: Removed.
+        * http/tests/misc/nph-non-utf8-header-name-expected.txt: Copied from LayoutTests/http/tests/misc/non-utf8-header-name-expected.txt.
+        * http/tests/misc/nph-non-utf8-header-name.pl: Copied from LayoutTests/http/tests/misc/non-utf8-header-name.php.
+        * http/tests/preload/download_resources_from_invalid_headers.html:
+        * http/tests/preload/resources/invalid_resources_from_header.php: Removed.
+        * http/tests/preload/resources/nph-invalid_resources_from_header.pl: Copied from LayoutTests/http/tests/preload/resources/invalid_resources_from_header.php.
+        * http/tests/security/contentSecurityPolicy/directive-parsing-01.html:
+        * http/tests/security/contentSecurityPolicy/directive-parsing-02.html:
+        * http/tests/security/contentSecurityPolicy/directive-parsing-03.html:
+        * http/tests/security/contentSecurityPolicy/directive-parsing-04.html:
+        * http/tests/security/contentSecurityPolicy/directive-parsing-05.html:
+        * http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl: Removed.
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+        * http/tests/security/contentSecurityPolicy/resources/nph-echo-script-src.pl: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl.
+        * http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html:
+        * http/tests/security/contentSecurityPolicy/script-src-none.html:
+        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html:
+        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html:
+        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html:
+        * http/tests/security/contentSecurityPolicy/script-src-self.html:
+        * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html:
+        Changed scripts that are used to generate invalid responses to "nph-" ones.
+
 2017-02-02  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/http/tests/cache/disk-cache/resources/cache-test.js

@@ -43 +43 @@
 function generateTestURL(test)
 {
-    var body = typeof test.body !== 'undefined' ? test.body : "";
+    var body = typeof test.body !== 'undefined' ? escape(test.body) : "";
     var expiresInFutureIn304 = typeof test.expiresInFutureIn304 !== 'undefined' ? test.expiresInFutureIn304 : false;
     var uniqueTestId = Math.floor((Math.random() * 1000000000000));
@@ -55 +55 @@
         testURL += "&Content-Type=text/plain";
     for (var header in test.responseHeaders)
-        testURL += '&' + header + '=' + makeHeaderValue(test.responseHeaders[header]);
+        testURL += '&' + header + '=' + escape(makeHeaderValue(test.responseHeaders[header]));
     return testURL;
 }

trunk/LayoutTests/http/tests/preload/download_resources_from_invalid_headers.html

@@ -6 +6 @@
     }
 </script>
-<iframe src="resources/invalid_resources_from_header.php">
+<iframe src="resources/nph-invalid_resources_from_header.pl">
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html

@@ -13 +13 @@
     This script should not execute even though there are parse errors in the policy.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*%3B%20script-src%20'none'%3B%20%20%3B%20"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*%3B%20script-src%20'none'%3B%20%20%3B%20"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html

@@ -13 +13 @@
     This script should not execute even though there are parse errors in the policy.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'none'%3B%20aaa%20%3B%20"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'none'%3B%20aaa%20%3B%20"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html

@@ -13 +13 @@
     This script should not execute even though there are parse errors in the policy.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'none'%3B%20a%07aa%20%3B%20"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'none'%3B%20a%07aa%20%3B%20"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-04.html

@@ -14 +14 @@
     contain a colon. Since the directive is invalid, the script should run.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%3A%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%3A%20'none'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-05.html

@@ -13 +13 @@
     Directives starting with an invalid character should be logged and ignored.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=:script-src%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=:script-src%20'none'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js

@@ -33 +33 @@
         scriptToLoad = encodeURIComponent(current[2]);
 
-    iframe.src = baseURL + "resources/echo-script-src.pl?" +
+    iframe.src = baseURL + "resources/nph-echo-script-src.pl?" +
                  "experimental=" + (experimental ? "true" : "false") +
                  "&should_run=" + encodeURIComponent(current[0]) +

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/nph-echo-script-src.pl

@@ -5 +5 @@
 my $cgi = new CGI;
 
+print "HTTP/1.1 200 OK\n";
 print "Content-Type: text/html; charset=UTF-8\n";
 my $experimental = $cgi->param('experimental') || "";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-img%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-img%20'none'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none.html

@@ -13 +13 @@
     Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
   </p>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*%3B%20script-src%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*%3B%20script-src%20'none'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://localhost:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://localhost:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=no&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html

@@ -10 +10 @@
 </head>
 <body>
-  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20*"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/nph-echo-script-src.pl?should_run=yes&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20*"></iframe>
 </body>
 </html>