Changeset 118105 in webkit

Timestamp:

May 22, 2012 7:49:58 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

[BlackBerry] Possible to clobber httponly cookie.
​https://bugs.webkit.org/show_bug.cgi?id=86067

Patch by Jason Liu <​jason.liu@torchmobile.com.cn> on 2012-05-22
Reviewed by Rob Buis.

Source/WebCore:

If a cookie is set by javaScript and there is already a same httpOnly cookie in cookieManager,
we should reject it. If it has a httpOnly property, we reject it, too.

Test: http/tests/cookies/js-get-and-set-http-only-cookie.php

• platform/blackberry/CookieJarBlackBerry.cpp:

(WebCore::setCookies):

• platform/blackberry/CookieManager.cpp:

(WebCore::CookieManager::setCookies):
(WebCore::CookieManager::shouldRejectNotHttpCookie):
(WebCore):

• platform/blackberry/CookieManager.h:

LayoutTests:

• http/tests/cookies/js-get-and-set-http-only-cookie-expected.txt: Added.
• http/tests/cookies/js-get-and-set-http-only-cookie.php: Added.
• http/tests/cookies/script-tests/js-get-and-set-http-only-cookie.js: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/cookies/js-get-and-set-http-only-cookie-expected.txt (added)
• LayoutTests/http/tests/cookies/js-get-and-set-http-only-cookie.php (added)
• LayoutTests/http/tests/cookies/script-tests/js-get-and-set-http-only-cookie.js (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/blackberry/CookieJarBlackBerry.cpp (modified) (1 diff)
• Source/WebCore/platform/blackberry/CookieManager.cpp (modified) (10 diffs)
• Source/WebCore/platform/blackberry/CookieManager.h (modified) (4 diffs)
• Source/WebCore/platform/blackberry/CookieMap.cpp (modified) (2 diffs)
• Source/WebCore/platform/blackberry/CookieMap.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-22  Jason Liu  <jason.liu@torchmobile.com.cn>
+
+        [BlackBerry] Possible to clobber httponly cookie.
+        https://bugs.webkit.org/show_bug.cgi?id=86067
+
+        Reviewed by Rob Buis.
+
+        * http/tests/cookies/js-get-and-set-http-only-cookie-expected.txt: Added.
+        * http/tests/cookies/js-get-and-set-http-only-cookie.php: Added.
+        * http/tests/cookies/script-tests/js-get-and-set-http-only-cookie.js: Added.
+
 2012-05-22  Kangil Han  <kangil.han@samsung.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-05-22  Jason Liu  <jason.liu@torchmobile.com.cn>
+
+        [BlackBerry] Possible to clobber httponly cookie.
+        https://bugs.webkit.org/show_bug.cgi?id=86067
+
+        Reviewed by Rob Buis.
+
+        If a cookie is set by javaScript and there is already a same httpOnly cookie in cookieManager,
+        we should reject it. If it has a httpOnly property, we reject it, too.
+
+        Test: http/tests/cookies/js-get-and-set-http-only-cookie.php
+
+        * platform/blackberry/CookieJarBlackBerry.cpp:
+        (WebCore::setCookies):
+        * platform/blackberry/CookieManager.cpp:
+        (WebCore::CookieManager::setCookies):
+        (WebCore::CookieManager::shouldRejectNotHttpCookie):
+        (WebCore):
+        * platform/blackberry/CookieManager.h:
+
 2012-05-22  Dana Jansens  <danakj@chromium.org>
 

trunk/Source/WebCore/platform/blackberry/CookieJarBlackBerry.cpp

@@ -70 +70 @@
 
     ASSERT(document && url == document->cookieURL());
-    cookieManager().setCookies(url, value);
+    cookieManager().setCookies(url, value, NoHttpOnlyCookie);
 }
 

trunk/Source/WebCore/platform/blackberry/CookieManager.cpp

@@ -132 +132 @@
 }
 
-void CookieManager::setCookies(const KURL& url, const String& value)
+void CookieManager::setCookies(const KURL& url, const String& value, CookieFilter filter)
 {
     CookieLog("CookieManager - Setting cookies");
@@ -140 +140 @@
     for (size_t i = 0; i < cookies.size(); ++i) {
         BackingStoreRemovalPolicy treatment = m_privateMode ? DoNotRemoveFromBackingStore : RemoveFromBackingStore;
-        checkAndTreatCookie(cookies[i], treatment);
+        checkAndTreatCookie(cookies[i], treatment, filter);
     }
 }
@@ -307 +307 @@
 }
 
-void CookieManager::checkAndTreatCookie(ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore)
+void CookieManager::checkAndTreatCookie(ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter filter)
 {
     CookieLog("CookieManager - checkAndTreatCookie - processing url with domain - %s & protocol %s\n", candidateCookie->domain().utf8().data(), candidateCookie->protocol().utf8().data());
+
+    // A cookie which is not from http shouldn't have a httpOnly property.
+    if (filter == NoHttpOnlyCookie && candidateCookie->isHttpOnly()) {
+        delete candidateCookie;
+        return;
+    }
 
     const bool ignoreDomain = shouldIgnoreDomain(candidateCookie->protocol());
@@ -357 +363 @@
         else if (curMap) {
             // RemoveCookie will return 0 if the cookie doesn't exist.
-            ParsedCookie* expired = curMap->removeCookie(candidateCookie);
+            ParsedCookie* expired = curMap->removeCookie(candidateCookie, filter);
             // Cookie is useless, Remove the cookie from the backingstore if it exists.
             // Backup check for BackingStoreCookieEntry incase someone incorrectly uses this enum.
@@ -370 +376 @@
     } else {
         ASSERT(curMap);
-        addCookieToMap(curMap, candidateCookie, postToBackingStore);
-    }
-}
-
-void CookieManager::addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore)
-{
-    ParsedCookie* prevCookie = targetMap->addOrReplaceCookie(candidateCookie);
-    if (prevCookie) {
+        addCookieToMap(curMap, candidateCookie, postToBackingStore, filter);
+    }
+}
+
+void CookieManager::addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter filter)
+{
+    ParsedCookie* replacedCookie = 0;
+
+    if (!targetMap->addOrReplaceCookie(candidateCookie, &replacedCookie, filter)) {
+
+        CookieLog("CookieManager - rejecting new cookie - %s.\n", candidateCookie->toString().utf8().data());
+
+        delete candidateCookie;
+        return;
+    }
+ 
+    if (replacedCookie) {
 
         CookieLog("CookieManager - updating new cookie - %s.\n", candidateCookie->toString().utf8().data());
@@ -386 +401 @@
         // If both sessions are non-session, then we update it in the backingstore
         bool newIsSession = candidateCookie->isSession();
-        bool oldIsSession = prevCookie->isSession();
+        bool oldIsSession = replacedCookie->isSession();
 
         if (postToBackingStore == RemoveFromBackingStore) {
@@ -395 +410 @@
                 // the cookie was removed in cookieVector.
                 removedCookie();
-                m_cookieBackingStore->remove(prevCookie);
+                m_cookieBackingStore->remove(replacedCookie);
             } else if (!newIsSession && oldIsSession) {
                 // Must manually increase the counter because it was not counted when
@@ -403 +418 @@
             }
         }
-        delete prevCookie;
+        delete replacedCookie;
         return;
     }
@@ -457 +472 @@
 }
 
-void CookieManager::setPrivateMode(const bool mode)
+void CookieManager::setPrivateMode(bool mode)
 {
     if (m_privateMode == mode)
@@ -501 +516 @@
 }
 
-
 void CookieManager::removeCookieWithName(const KURL& url, const String& cookieName)
 {

trunk/Source/WebCore/platform/blackberry/CookieManager.h

@@ -50 +50 @@
 };
 
-enum CookieFilter {
-    NoHttpOnlyCookie,
-    WithHttpOnlyCookies,
-};
-
 enum CookieStorageAcceptPolicy {
     CookieStorageAcceptPolicyAlways,
@@ -80 +75 @@
     void setCanLocalAccessAllCookies(bool enabled) { m_shouldDumpAllCookies = enabled; }
 
-    void setCookies(const KURL&, const String& value);
+    void setCookies(const KURL&, const String& value, CookieFilter = WithHttpOnlyCookies);
 
     void removeAllCookies(BackingStoreRemovalPolicy);
@@ -102 +97 @@
     void setCookiePolicy(CookieStorageAcceptPolicy policy) { m_policy = policy; }
     CookieStorageAcceptPolicy cookiePolicy() const { return m_policy; }
-    void setPrivateMode(const bool);
+    void setPrivateMode(bool);
 
     String generateHtmlFragmentForCookies();
@@ -118 +113 @@
     virtual ~CookieManager();
 
-    void checkAndTreatCookie(ParsedCookie*, BackingStoreRemovalPolicy);
+    void checkAndTreatCookie(ParsedCookie*, BackingStoreRemovalPolicy, CookieFilter = WithHttpOnlyCookies);
 
-    void addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore);
+    void addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter = WithHttpOnlyCookies);
 
     CookieMap* findOrCreateCookieMap(CookieMap* protocolMap, const String& domain, bool findOnly);

trunk/Source/WebCore/platform/blackberry/CookieMap.cpp

@@ -55 +55 @@
 }
 
-ParsedCookie* CookieMap::addOrReplaceCookie(ParsedCookie* cookie)
+bool CookieMap::addOrReplaceCookie(ParsedCookie* candidateCookie, ParsedCookie** replacedCookie, CookieFilter filter)
 {
     CookieLog("CookieMap - Attempting to add cookie - %s", cookie->name().utf8().data());
 
-    ParsedCookie* prevCookie = 0;
     size_t cookieCount = m_cookieVector.size();
     for (size_t i = 0; i < cookieCount; i++) {
-        if (m_cookieVector[i]->name() == cookie->name() && m_cookieVector[i]->path() == cookie->path()) {
-            prevCookie = m_cookieVector[i];
-            m_cookieVector[i] = cookie;
-            if (prevCookie == m_oldestCookie)
+        if (m_cookieVector[i]->name() == candidateCookie->name() && m_cookieVector[i]->path() == candidateCookie->path()) {
+
+            if (filter == NoHttpOnlyCookie && m_cookieVector[i]->isHttpOnly())
+                return false;
+
+            *replacedCookie = m_cookieVector[i];
+            m_cookieVector[i] = candidateCookie;
+            if (*replacedCookie == m_oldestCookie)
                 updateOldestCookie();
-            return prevCookie;
-        }
-    }
-
-    m_cookieVector.append(cookie);
-    if (!cookie->isSession())
+            return true;
+        }
+    }
+
+    m_cookieVector.append(candidateCookie);
+    if (!candidateCookie->isSession())
         cookieManager().addedCookie();
-    if (!m_oldestCookie || m_oldestCookie->lastAccessed() > cookie->lastAccessed())
-        m_oldestCookie = cookie;
-    return 0;
+    if (!m_oldestCookie || m_oldestCookie->lastAccessed() > candidateCookie->lastAccessed())
+        m_oldestCookie = candidateCookie;
+    return true;
 }
 
@@ -100 +103 @@
 }
 
-ParsedCookie* CookieMap::removeCookie(const ParsedCookie* cookie)
+ParsedCookie* CookieMap::removeCookie(const ParsedCookie* cookie, CookieFilter filter)
 {
     size_t cookieCount = m_cookieVector.size();
     for (size_t position = 0; position < cookieCount; ++position) {
-        if (m_cookieVector[position]->name() == cookie->name() && m_cookieVector[position]->path() == cookie->path())
+        if (m_cookieVector[position]->name() == cookie->name() && m_cookieVector[position]->path() == cookie->path()) {
+            if (filter == NoHttpOnlyCookie && m_cookieVector[position]->isHttpOnly())
+                return 0;
             return removeCookieAtIndex(position, cookie);
+        }
     }
     return 0;

trunk/Source/WebCore/platform/blackberry/CookieMap.h

@@ -35 +35 @@
 namespace WebCore {
 
+enum CookieFilter {
+    NoHttpOnlyCookie,
+    WithHttpOnlyCookies,
+};
+
 class ParsedCookie;
 
@@ -55 +60 @@
     const String& getName() const { return m_name; }
 
-    // Returning the original cookie object so manager can keep a reference to the updates in the database queue.
-    ParsedCookie* addOrReplaceCookie(ParsedCookie*);
+    // Return false if the candidateCookie is rejected.
+    bool addOrReplaceCookie(ParsedCookie* candidateCookie, ParsedCookie** replacedCookie, CookieFilter = WithHttpOnlyCookies);
 
     // Need to return the reference to the removed cookie so manager can deal with it (garbage collect).
-    ParsedCookie* removeCookie(const ParsedCookie*);
+    ParsedCookie* removeCookie(const ParsedCookie*, CookieFilter = WithHttpOnlyCookies);
 
     // Returns a map with that given subdomain.