Changeset 119947 in webkit
- Timestamp:
- Jun 10, 2012 7:16:19 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 7 edited
trunk/LayoutTests/ChangeLog
r119946 r119947 1 2012-06-10 Jason Liu <jason.liu@torchmobile.com.cn> 2 3 [BlackBerry] Possible to clobber httponly cookie. 4 https://bugs.webkit.org/show_bug.cgi?id=86067 5 6 Reviewed by Rob Buis. 7 8 * http/tests/cookies/js-get-and-set-http-only-cookie-expected.txt: Added. 9 * http/tests/cookies/js-get-and-set-http-only-cookie.html: Added. 10 * platform/chromium/http/tests/cookies/js-get-and-set-http-only-cookie-expected.txt: Added. 11 1 12 2012-06-10 Ryosuke Niwa <rniwa@webkit.org> 2 13 -
trunk/Source/WebCore/ChangeLog
r119945 r119947 1 2012-06-10 Jason Liu <jason.liu@torchmobile.com.cn> 2 3 [BlackBerry] Possible to clobber httponly cookie. 4 https://bugs.webkit.org/show_bug.cgi?id=86067 5 6 Reviewed by Rob Buis. 7 8 If a cookie is set by javaScript and there is already a same httpOnly cookie in cookieManager, 9 we should reject it. If it has a httpOnly property, we reject it, too. 10 11 Test: http/tests/cookies/js-get-and-set-http-only-cookie.html 12 13 * platform/blackberry/CookieJarBlackBerry.cpp: 14 (WebCore::setCookies): 15 * platform/blackberry/CookieManager.cpp: 16 (WebCore::CookieManager::setCookies): 17 (WebCore::CookieManager::checkAndTreatCookie): 18 (WebCore::CookieManager::addCookieToMap): 19 (WebCore::CookieManager::setPrivateMode): 20 * platform/blackberry/CookieManager.h: 21 * platform/blackberry/CookieMap.cpp: 22 (WebCore::CookieMap::addOrReplaceCookie): 23 (WebCore::CookieMap::removeCookie): 24 * platform/blackberry/CookieMap.h: 25 (CookieMap): 26 1 27 2012-06-10 Pablo Flouret <pablof@motorola.com> 2 28 -
trunk/Source/WebCore/platform/blackberry/CookieJarBlackBerry.cpp
r118166 r119947 70 70 71 71 ASSERT(document && url == document->cookieURL()); 72 cookieManager().setCookies(url, value );72 cookieManager().setCookies(url, value, NoHttpOnlyCookie); 73 73 } 74 74 -
trunk/Source/WebCore/platform/blackberry/CookieManager.cpp
r118166 r119947 132 132 } 133 133 134 void CookieManager::setCookies(const KURL& url, const String& value )134 void CookieManager::setCookies(const KURL& url, const String& value, CookieFilter filter) 135 135 { 136 136 CookieLog("CookieManager - Setting cookies"); … … 140 140 for (size_t i = 0; i < cookies.size(); ++i) { 141 141 BackingStoreRemovalPolicy treatment = m_privateMode ? DoNotRemoveFromBackingStore : RemoveFromBackingStore; 142 checkAndTreatCookie(cookies[i], treatment );142 checkAndTreatCookie(cookies[i], treatment, filter); 143 143 } 144 144 } … … 307 307 } 308 308 309 void CookieManager::checkAndTreatCookie(ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore )309 void CookieManager::checkAndTreatCookie(ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter filter) 310 310 { 311 311 CookieLog("CookieManager - checkAndTreatCookie - processing url with domain - %s & protocol %s\n", candidateCookie->domain().utf8().data(), candidateCookie->protocol().utf8().data()); 312 313 // A cookie which is not from http shouldn't have a httpOnly property. 314 if (filter == NoHttpOnlyCookie && candidateCookie->isHttpOnly()) { 315 delete candidateCookie; 316 return; 317 } 312 318 313 319 const bool ignoreDomain = shouldIgnoreDomain(candidateCookie->protocol()); … … 357 363 else if (curMap) { 358 364 // RemoveCookie will return 0 if the cookie doesn't exist. 359 ParsedCookie* expired = curMap->removeCookie(candidateCookie );365 ParsedCookie* expired = curMap->removeCookie(candidateCookie, filter); 360 366 // Cookie is useless, Remove the cookie from the backingstore if it exists. 361 367 // Backup check for BackingStoreCookieEntry incase someone incorrectly uses this enum. 
… … 370 376 } else { 371 377 ASSERT(curMap); 372 addCookieToMap(curMap, candidateCookie, postToBackingStore); 373 } 374 } 375 376 void CookieManager::addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore) 377 { 378 ParsedCookie* prevCookie = targetMap->addOrReplaceCookie(candidateCookie); 379 if (prevCookie) { 380 378 addCookieToMap(curMap, candidateCookie, postToBackingStore, filter); 379 } 380 } 381 382 void CookieManager::addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter filter) 383 { 384 ParsedCookie* replacedCookie = 0; 385 386 if (!targetMap->addOrReplaceCookie(candidateCookie, &replacedCookie, filter)) { 387 388 CookieLog("CookieManager - rejecting new cookie - %s.\n", candidateCookie->toString().utf8().data()); 389 390 delete candidateCookie; 391 return; 392 } 393 394 if (replacedCookie) { 381 395 CookieLog("CookieManager - updating new cookie - %s.\n", candidateCookie->toString().utf8().data()); 382 396 … … 386 400 // If both sessions are non-session, then we update it in the backingstore 387 401 bool newIsSession = candidateCookie->isSession(); 388 bool oldIsSession = prevCookie->isSession();402 bool oldIsSession = replacedCookie->isSession(); 389 403 390 404 if (postToBackingStore == RemoveFromBackingStore) { … … 395 409 // the cookie was removed in cookieVector. 
396 410 removedCookie(); 397 m_cookieBackingStore->remove( prevCookie);411 m_cookieBackingStore->remove(replacedCookie); 398 412 } else if (!newIsSession && oldIsSession) { 399 413 // Must manually increase the counter because it was not counted when … … 403 417 } 404 418 } 405 delete prevCookie;419 delete replacedCookie; 406 420 return; 407 421 } … … 457 471 } 458 472 459 void CookieManager::setPrivateMode( constbool mode)473 void CookieManager::setPrivateMode(bool mode) 460 474 { 461 475 if (m_privateMode == mode) … … 501 515 } 502 516 503 504 517 void CookieManager::removeCookieWithName(const KURL& url, const String& cookieName) 505 518 { -
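Review bot: The early return added at the top of `checkAndTreatCookie` deletes a script-supplied HttpOnly cookie without writing any log line, whereas the rejection added in `addCookieToMap` does log "rejecting new cookie". A matching line before the `delete`, for example `CookieLog("CookieManager - rejecting httpOnly cookie from script - %s.\n", candidateCookie->toString().utf8().data());`, would make both rejection paths visible when diagnosing cookie behaviour. Separately, `curMap->removeCookie(candidateCookie, filter)` now returns 0 both when no matching cookie exists and when the match is HttpOnly and protected, so the expiry branch cannot tell a blocked removal from a miss; the existing comment "RemoveCookie will return 0 if the cookie doesn't exist" should mention the second case. Both functions continue outside the visible hunks.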
trunk/Source/WebCore/platform/blackberry/CookieManager.h
r118166 r119947 50 50 }; 51 51 52 enum CookieFilter {53 NoHttpOnlyCookie,54 WithHttpOnlyCookies,55 };56 57 52 enum CookieStorageAcceptPolicy { 58 53 CookieStorageAcceptPolicyAlways, … … 80 75 void setCanLocalAccessAllCookies(bool enabled) { m_shouldDumpAllCookies = enabled; } 81 76 82 void setCookies(const KURL&, const String& value );77 void setCookies(const KURL&, const String& value, CookieFilter = WithHttpOnlyCookies); 83 78 84 79 void removeAllCookies(BackingStoreRemovalPolicy); … … 102 97 void setCookiePolicy(CookieStorageAcceptPolicy policy) { m_policy = policy; } 103 98 CookieStorageAcceptPolicy cookiePolicy() const { return m_policy; } 104 void setPrivateMode( constbool);99 void setPrivateMode(bool); 105 100 106 101 String generateHtmlFragmentForCookies(); … … 118 113 virtual ~CookieManager(); 119 114 120 void checkAndTreatCookie(ParsedCookie*, BackingStoreRemovalPolicy );115 void checkAndTreatCookie(ParsedCookie*, BackingStoreRemovalPolicy, CookieFilter = WithHttpOnlyCookies); 121 116 122 void addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore );117 void addCookieToMap(CookieMap* targetMap, ParsedCookie* candidateCookie, BackingStoreRemovalPolicy postToBackingStore, CookieFilter = WithHttpOnlyCookies); 123 118 124 119 CookieMap* findOrCreateCookieMap(CookieMap* protocolMap, const String& domain, bool findOnly); -
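Review bot: The new `CookieFilter` parameter defaults to `WithHttpOnlyCookies` on the public `setCookies` declaration, so any caller that omits the argument gets the permissive behaviour and can still replace or expire an HttpOnly cookie. Only the call in CookieJarBlackBerry.cpp is shown passing `NoHttpOnlyCookie`; whether other script-reachable callers exist cannot be seen from this page. Dropping the default, `void setCookies(const KURL&, const String& value, CookieFilter);`, would force every call site to state where the cookie came from. The same applies to the defaults on `checkAndTreatCookie` and `addCookieToMap` in this header and on `addOrReplaceCookie` and `removeCookie` in CookieMap.h.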
trunk/Source/WebCore/platform/blackberry/CookieMap.cpp
r118166 r119947 55 55 } 56 56 57 ParsedCookie* CookieMap::addOrReplaceCookie(ParsedCookie* cookie)57 bool CookieMap::addOrReplaceCookie(ParsedCookie* candidateCookie, ParsedCookie** replacedCookie, CookieFilter filter) 58 58 { 59 59 CookieLog("CookieMap - Attempting to add cookie - %s", cookie->name().utf8().data()); 60 60 61 ParsedCookie* prevCookie = 0;62 61 size_t cookieCount = m_cookieVector.size(); 63 62 for (size_t i = 0; i < cookieCount; i++) { 64 if (m_cookieVector[i]->name() == cookie->name() && m_cookieVector[i]->path() == cookie->path()) { 65 prevCookie = m_cookieVector[i]; 66 m_cookieVector[i] = cookie; 67 if (prevCookie == m_oldestCookie) 63 if (m_cookieVector[i]->name() == candidateCookie->name() && m_cookieVector[i]->path() == candidateCookie->path()) { 64 65 if (filter == NoHttpOnlyCookie && m_cookieVector[i]->isHttpOnly()) 66 return false; 67 68 *replacedCookie = m_cookieVector[i]; 69 m_cookieVector[i] = candidateCookie; 70 if (*replacedCookie == m_oldestCookie) 68 71 updateOldestCookie(); 69 return prevCookie;70 } 71 } 72 73 m_cookieVector.append(c ookie);74 if (!c ookie->isSession())72 return true; 73 } 74 } 75 76 m_cookieVector.append(candidateCookie); 77 if (!candidateCookie->isSession()) 75 78 cookieManager().addedCookie(); 76 if (!m_oldestCookie || m_oldestCookie->lastAccessed() > c ookie->lastAccessed())77 m_oldestCookie = c ookie;78 return 0;79 if (!m_oldestCookie || m_oldestCookie->lastAccessed() > candidateCookie->lastAccessed()) 80 m_oldestCookie = candidateCookie; 81 return true; 79 82 } 80 83 … … 100 103 } 101 104 102 ParsedCookie* CookieMap::removeCookie(const ParsedCookie* cookie )105 ParsedCookie* CookieMap::removeCookie(const ParsedCookie* cookie, CookieFilter filter) 103 106 { 104 107 size_t cookieCount = m_cookieVector.size(); 105 108 for (size_t position = 0; position < cookieCount; ++position) { 106 if (m_cookieVector[position]->name() == cookie->name() && m_cookieVector[position]->path() == cookie->path()) 109 if 
(m_cookieVector[position]->name() == cookie->name() && m_cookieVector[position]->path() == cookie->path()) { 110 if (filter == NoHttpOnlyCookie && m_cookieVector[position]->isHttpOnly()) 111 return 0; 107 112 return removeCookieAtIndex(position, cookie); 113 } 108 114 } 109 115 return 0; -
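Review bot: The unchanged `CookieLog` line at the top of `addOrReplaceCookie` still reads `cookie->name()`, but this change renames the parameter to `candidateCookie`, so `cookie` is no longer declared in that function. If `CookieLog` expands to a real call in logging builds (its definition is not on this page), those builds will fail to compile. The line should become `CookieLog("CookieMap - Attempting to add cookie - %s", candidateCookie->name().utf8().data());`.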
trunk/Source/WebCore/platform/blackberry/CookieMap.h
r118166 r119947 35 35 namespace WebCore { 36 36 37 enum CookieFilter { 38 NoHttpOnlyCookie, 39 WithHttpOnlyCookies, 40 }; 41 37 42 class ParsedCookie; 38 43 … … 55 60 const String& getName() const { return m_name; } 56 61 57 // Return ing the original cookie object so manager can keep a reference to the updates in the database queue.58 ParsedCookie* addOrReplaceCookie(ParsedCookie*);62 // Return false if the candidateCookie is rejected. 63 bool addOrReplaceCookie(ParsedCookie* candidateCookie, ParsedCookie** replacedCookie, CookieFilter = WithHttpOnlyCookies); 59 64 60 65 // Need to return the reference to the removed cookie so manager can deal with it (garbage collect). 61 ParsedCookie* removeCookie(const ParsedCookie* );66 ParsedCookie* removeCookie(const ParsedCookie*, CookieFilter = WithHttpOnlyCookies); 62 67 63 68 // Returns a map with that given subdomain.
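Review bot: The new comment `// Return false if the candidateCookie is rejected.` leaves the ownership and out-parameter contract of `addOrReplaceCookie` unstated. In CookieMap.cpp from this changeset, `*replacedCookie` is written only when an existing entry is swapped out, and on a `false` return the map has not stored the candidate, so the caller has to initialise the out-pointer and free the candidate itself (as `addCookieToMap` does). I would extend the comment to `// Returns false if candidateCookie is rejected; the caller keeps ownership of it. *replacedCookie is set only when an existing cookie was replaced.` A one-line comment on `enum CookieFilter` saying that `NoHttpOnlyCookie` marks a non-HTTP (script) caller would also help, since the name reads like a read-side filter.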