Changeset 125614 in webkit


Timestamp:
Aug 14, 2012 3:27:08 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

Tighten up parsing the 'script-nonce' CSP directive value.
https://bugs.webkit.org/show_bug.cgi?id=93783

Patch by Mike West <mkwst@chromium.org> on 2012-08-14
Reviewed by Adam Barth.

Source/WebCore:

Currently we're accepting any non-whitespace character. This patch
limits the valid characters to VCHAR minus ',' and ';', and pulls the
validity check out into a named function for clarity.

Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html

  • page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::parseScriptNonce):

LayoutTests:

  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r125613 r125614  
     12012-08-14  Mike West  <mkwst@chromium.org>
     2
     3        Tighten up parsing the 'script-nonce' CSP directive value.
     4        https://bugs.webkit.org/show_bug.cgi?id=93783
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Added.
     9        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Added.
     10
    1112012-08-14  Adam Barth  <abarth@webkit.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r125613 r125614  
     12012-08-14  Mike West  <mkwst@chromium.org>
     2
     3        Tighten up parsing the 'script-nonce' CSP directive value.
     4        https://bugs.webkit.org/show_bug.cgi?id=93783
     5
     6        Reviewed by Adam Barth.
     7
     8        Currently we're accepting any non-whitespace character. This patch
     9        limits the valid characters to VCHAR minus ',' and ';', and pulls the
     10        validity check out into a named function for clarity.
     11
     12        Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html
     13
     14        * page/ContentSecurityPolicy.cpp:
     15        (WebCore::CSPDirectiveList::parseScriptNonce):
     16
    1172012-08-14  Adam Barth  <abarth@webkit.org>
    218
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r125531 r125614  
    6262}
    6363
     64bool isNonceCharacter(UChar c)
     65{
     66    return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
     67}
     68
    6469bool isSourceCharacter(UChar c)
    6570{
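Review bot: The comment on isNonceCharacter states the range (VCHAR - ',' - ';') but not why those two characters are excluded. Add a short note that ',' and ';' are left out because they act as separators in the policy syntax, so the next reader does not need to open the bug to find out. The outer parentheses around `c >= 0x21 && c <= 0x7e` are redundant and can be dropped.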
     
    9991004        return;
    10001005    }
    1001     skipWhile<isNotASCIISpace>(position, end);
     1006    skipWhile<isNonceCharacter>(position, end);
    10021007    if (nonceBegin < position)
    10031008        nonce = String(nonceBegin, position - nonceBegin);
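Review bot: With `skipWhile<isNonceCharacter>(position, end)` the scan can now stop at a character that is neither whitespace nor end of input (a ',' or ';', or anything outside 0x21-0x7e), and the two lines that follow still build nonce from the valid prefix. The lines shown here do not say what happens to the remainder. Please confirm that the code after this hunk rejects or reports the value when position has not reached end once trailing whitespace is skipped, so that a constructed value such as "abc,def" is not silently accepted as "abc". If that check exists, the new layout test should cover this case explicitly.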