Context Navigation

← Previous Changeset
Next Changeset →

Changeset 210077 in webkit

Timestamp:

Dec 21, 2016 2:06:22 PM (7 years ago)

Author:

wilander@apple.com

Message:

Switch to a blacklist model for restricted Accept headers in simple CORS requests
https://bugs.webkit.org/show_bug.cgi?id=166363

Reviewed by Alex Christensen.

Source/WebCore:

Updated existing tests.

platform/network/HTTPParsers.cpp:

(WebCore::isDelimiterCharacter):

Convenience function for checking delimiter characters according to:
https://tools.ietf.org/html/rfc7230#section-3.2.6

(WebCore::isValidAcceptHeaderValue):

Now uses WebCore::isDelimiterCharacter() to blacklist delimiter characters
instead of a whitelist of accepted non-alphanumeric characters.

LayoutTests:

http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt:
http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html:

Location:

trunk

Files:

: 5 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt (modified) (2 diffs)
LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html (modified) (5 diffs)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/platform/network/HTTPParsers.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r210072
+                      r210077
+-12-21  John Wilander  <wilander@apple.com>
+        Switch to a blacklist model for restricted Accept headers in simple CORS requests
+        https://bugs.webkit.org/show_bug.cgi?id=166363
+        Reviewed by Alex Christensen.
+        * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt:
+        * http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html:
 -12-21  Wenson Hsieh  <wenson_hsieh@apple.com>

trunk/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight-expected.txt

-                      r209261
+                      r210077
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Content-Language is not allowed by Access-Control-Allow-Headers.
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+PASS Accept header with normal value SHOULD NOT cause a preflight
+PASS Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
+PASS Accept-Language header with normal value SHOULD NOT cause a preflight
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cors-preflight-safelisted-headers-responder.php. Request header field Accept is not allowed by Access-Control-Allow-Headers.
+PASS Accept header value 'application/json,text/*,*/*' SHOULD NOT cause a preflight
+PASS Accept header with normal value 'application/vnd.api+json' SHOULD NOT cause a preflight
+PASS Accept header with normal value 'text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c' SHOULD NOT cause a preflight
+PASS Accept header with normal value 'text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5' SHOULD NOT cause a preflight
+PASS Accept header value with all allowed delimiter characters SHOULD NOT cause a preflight
+PASS Accept-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight
+PASS Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight
 PASS Accept-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
+PASS Content-Language header with normal value SHOULD NOT cause a preflight
+PASS Content-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight
+PASS Content-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight
 PASS Content-Language header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight
 PASS Accept header with abnormal value SHOULD cause a preflight
 …
 PASS Accept header with normal value, Accept-Language header with normal value, Content-Language header with abnormal value, and explicitly allowed headers SHOULD be allowed
 PASS Accept header with normal value, then another Accept header with abnormal value, and explicitly allowed headers SHOULD be allowed
+PASS Accept header with disallowed delimiter '"' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '(' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter ')' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter ':' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '<' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '>' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '?' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '@' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '[' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '\' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter ']' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '{' SHOULD cause a preflight
+PASS Accept header with disallowed delimiter '}' SHOULD cause a preflight

trunk/LayoutTests/http/tests/xmlhttprequest/cors-non-standard-safelisted-headers-should-trigger-preflight.html

-                      r209510
+                      r210077
     var abnormalSimpleCorsHeaderValue = "() { :;};"
+    var allAllowedNonAlphanumericCharactersForAcceptHeader = " *,./;="
+    var allAllowedDelimiterCharactersForAcceptHeader = ",/;="
+    var allDisallowedDelimiterCharactersForAcceptHeader = ['"', '(', ')', ':', '<', '>', '?', '@', '[', '\\', ']', '{', '}'];
     var allAllowedNonAlphanumericCharactersForAcceptAndContentLanguageHeader = " *,-.;="
     var testCases = [
 …
             explicitlyAllowHeaders: false,
             shouldCausePreflight: false,
+            description: "Accept header with normal value SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept", value: allAllowedNonAlphanumericCharactersForAcceptHeader }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept header value with all allowed non-alphanumeric characters SHOULD NOT cause a preflight"
+            description: "Accept header value 'application/json,text/*,*/*' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept", value: "application/vnd.api+json" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept header with normal value 'application/vnd.api+json' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept", value: "text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept header with normal value 'text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept", value: "text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept header with normal value 'text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept", value: allAllowedDelimiterCharactersForAcceptHeader }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept header value with all allowed delimiter characters SHOULD NOT cause a preflight"
+        }
         ,{
 …
             explicitlyAllowHeaders: false,
             shouldCausePreflight: false,
+            description: "Accept-Language header with normal value SHOULD NOT cause a preflight"
+            description: "Accept-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Accept-Language", value: "zh-Latn-CN-variant1-a-extend1-x-wadegile-private1" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Accept-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight"
+        }
         ,{
 …
+        }
         ,{
+            headersToAdd: [{ name : "Content-Language", value: "en" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Content-Language header with normal value SHOULD NOT cause a preflight"
+            headersToAdd: [{ name : "Content-Language", value: "en-US,en;q=0.8" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Content-Language header value 'en-US,en;q=0.8' SHOULD NOT cause a preflight"
+        }
+        ,{
+            headersToAdd: [{ name : "Content-Language", value: "zh-Latn-CN-variant1-a-extend1-x-wadegile-private1" }],
+            explicitlyAllowHeaders: false,
+            shouldCausePreflight: false,
+            description: "Content-Language header value 'zh-Latn-CN-variant1-a-extend1-x-wadegile-private1' SHOULD NOT cause a preflight"
+        }
         ,{
 …
+        }
     ];
+    // Individual negative test cases for each disallowed delimiter character in Accept header values.
+    for (var i = 0; i < allDisallowedDelimiterCharactersForAcceptHeader.length; i++) {
+        var disallowedDelimiter = allDisallowedDelimiterCharactersForAcceptHeader[i];
+        testCases.push(
+            {
+                headersToAdd: [{ name : "Accept", value: disallowedDelimiter }],
+                explicitlyAllowHeaders: false,
+                shouldCausePreflight: true,
+                description: "Accept header with disallowed delimiter '" + disallowedDelimiter + "' SHOULD cause a preflight"
+            }
+        );
+    }
     function runTestCase(testNumber) {

trunk/Source/WebCore/ChangeLog

-                      r210075
+                      r210077
+-12-21  John Wilander  <wilander@apple.com>
+        Switch to a blacklist model for restricted Accept headers in simple CORS requests
+        https://bugs.webkit.org/show_bug.cgi?id=166363
+        Reviewed by Alex Christensen.
+        Updated existing tests.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::isDelimiterCharacter):
+            Convenience function for checking delimiter characters according to:
+            https://tools.ietf.org/html/rfc7230#section-3.2.6
+        (WebCore::isValidAcceptHeaderValue):
+            Now uses WebCore::isDelimiterCharacter() to blacklist delimiter characters
+            instead of a whitelist of accepted non-alphanumeric characters.
 -12-21  Beth Dakin  <bdakin@apple.com>

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

-                      r209510
+                      r210077
+}
+// See RFC 7231, Section 5.3.2
+// See RFC 7230, Section 3.2.6.
+static bool isDelimiterCharacter(const UChar c)
+{
+    // DQUOTE and "(),/:;<=>?@[\]{}"
+    return (c == '"' || c == '(' || c == ')' || c == ',' || c == '/' || c == ':' || c == ';'
+        || c == '<' || c == '=' || c == '>' || c == '?' || c == '@' || c == '[' || c == '\\'
+        || c == ']' || c == '{' || c == '}');
+}
+// See RFC 7231, Section 5.3.2.
 bool isValidAcceptHeaderValue(const String& value)
+{
     for (unsigned i = 0; i < value.length(); ++i) {
         UChar c = value[i];
+        if (isASCIIAlphanumeric(c) || c == ' ' || c == '*' || c == ',' || c == '.' || c == '/' || c == ';' || c == '=')
+        // First check for alphanumeric for performance reasons then whitelist four delimiter characters.
+        if (isASCIIAlphanumeric(c) || c == ',' || c == '/' || c == ';' || c == '=')
             continue;
+        return false;
+        if (isDelimiterCharacter(c))
+            return false;
+    }
 …
+}
 // See RFC 7231, Section 5.3.5 and 3.1.3.2
+// See RFC 7231, Section 5.3.5 and 3.1.3.2.
 bool isValidLanguageHeaderValue(const String& value)
+{

Note: See TracChangeset for help on using the changeset viewer.