Changeset 211248 in webkit

Timestamp:

Jan 26, 2017 6:00:17 PM (7 years ago)

Author:

aestes@apple.com

Message:

[QuickLook] REGRESSION (WebKit2): Requests are made to invalid x-apple-ql-id: URLs
​https://bugs.webkit.org/show_bug.cgi?id=167453

Reviewed by Brent Fulgham.

Source/WebCore:

Requests to x-apple-ql-id: URLs should be filtered by
-[QLPreviewConverter safeRequestForRequest:]. This method checks that the URL is one of the
ones generated for the current preview, and changes it to "about:" if it isn't.

WebCore::safeQLURLForDocumentURLAndResourceURL() was responsible for finding the
QLPreviewConverter instance to use by looking it up in an NSMutableDictionary using the
document URL as a key. In WebKit1, this dictionary was populated by the
QuickLookHandleClient when new QuickLookHandles were created, but the WebKit2
QuickLookHandleClient never did this. As a result, requests to invalid URLs were not being
rewritten.

An easy way to load a QuickLook document with invalid URLs is to create an HTML file with a
Microsoft Office extension (e.g. .xls); QuickLook, iWork, and Office support opening HTML
files with Office document extensions. In r207155 we applied a Content Security Policy to
QuickLook documents that only allows x-apple-ql-id: resources to load. This blocked
cross-origin requests from loading, but same-origin requests to URLs that weren't generated
by QLPreviewConverter were still allowed to load.

This change blocks these URLs by calling -[QLPreviewConverter safeRequestForRequest:] in a
way that works for both WebKit1 and WebKit2.

After implementing QuickLook for WebKit2, we found a bug when loading HTML-as-Office
documents (webkit.org/b/135651) that presented as a nil MIME type in the preview
NSURLResponse returned by QLPreviewConverter. Unfortunately r172159 papered over the actual
bug by failing to load previews with nil MIME types.

The real issue was that we were asking for the preview response before QuickLook had
received enough data to determine a MIME type, so this change also removes the bad fix from
r172159 and instead waits until QuickLook has converted the document to ask for its preview
response. This restores the ability to load HTML files with Office document extensions.
These two fixes are combined in a single patch because I don't know how to create an invalid
QuickLook URL for testing without loading an HTML-as-Office document.

Test: quicklook/invalid-ql-id-url.html

• loader/ResourceLoader.cpp:

(WebCore::ResourceLoader::willSendRequestInternal): Called
QuickLookHandle::willSendRequest() if m_documentLoader has a QuickLookHandle.

• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::load): Removed the call to
WebCore::safeQLURLForDocumentURLAndResourceURL().

• loader/ios/QuickLook.h: Removed safeQLURLForDocumentURLAndResourceURL() and declared

QuickLookHandle::willSendRequest().

• loader/ios/QuickLook.mm: Removed _previewResponse and _hasFailed ivars from

WebPreviewConverter.
(-[WebPreviewConverter initWithResourceLoader:resourceResponse:quickLookHandle:]): Stopped
setting _previewResponse.
(-[WebPreviewConverter _sendDidReceiveResponseIfNecessary]): Only emptied _bufferedDataArray
if we haven't already called -_sendDidReceiveResponseIfNecessary; removed the check for a
nil _previewResponse MIME type; accessed -[QLPreviewConverter previewResponse] now that the
document has been converted and asserted its MIME type is non-nil.
(-[WebPreviewConverter connection:didReceiveData:lengthReceived:]): Removed _hasFailed check.
(-[WebPreviewConverter connectionDidFinishLoading:]): Ditto.
(isQuickLookPasswordError): Moved the check for password failure errors to here from
-connection:didFailWithError: for better readability.
(-[WebPreviewConverter connection:didFailWithError:]): Removed _hasFailed check and used
more early returns.
(WebCore::QuickLookHandle::willSendRequest): Filtered the request through
-[QLPreviewConverter safeRequestWithRequest:] if the request URL's scheme is x-apple-ql-id:.
(WebCore::safeQLURLForDocumentURLAndResourceURL): Deleted.

LayoutTests:

• quicklook/invalid-ql-id-url-expected.txt: Added.
• quicklook/invalid-ql-id-url.html: Added.
• quicklook/nil-response-mime-type-expected.txt: Removed.
• quicklook/nil-response-mime-type.html: Removed.
• quicklook/resources/invalid-ql-id-url.xls: Added.
• quicklook/resources/nil-response-mime-type.xls: Removed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/quicklook/invalid-ql-id-url-expected.txt (added)
• LayoutTests/quicklook/invalid-ql-id-url.html (added)
• LayoutTests/quicklook/nil-response-mime-type-expected.txt (deleted)
• LayoutTests/quicklook/nil-response-mime-type.html (deleted)
• LayoutTests/quicklook/resources/invalid-ql-id-url.xls (added)
• LayoutTests/quicklook/resources/nil-response-mime-type.xls (deleted)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/ResourceLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedResource.cpp (modified) (1 diff)
• Source/WebCore/loader/ios/QuickLook.h (modified) (3 diffs)
• Source/WebCore/loader/ios/QuickLook.mm (modified) (8 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-01-26  Andy Estes  <aestes@apple.com>
+
+        [QuickLook] REGRESSION (WebKit2): Requests are made to invalid x-apple-ql-id: URLs
+        https://bugs.webkit.org/show_bug.cgi?id=167453
+
+        Reviewed by Brent Fulgham.
+
+        * quicklook/invalid-ql-id-url-expected.txt: Added.
+        * quicklook/invalid-ql-id-url.html: Added.
+        * quicklook/nil-response-mime-type-expected.txt: Removed.
+        * quicklook/nil-response-mime-type.html: Removed.
+        * quicklook/resources/invalid-ql-id-url.xls: Added.
+        * quicklook/resources/nil-response-mime-type.xls: Removed.
+
 2017-01-26  Jeremy Jones  <jeremyj@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-01-26  Andy Estes  <aestes@apple.com>
+
+        [QuickLook] REGRESSION (WebKit2): Requests are made to invalid x-apple-ql-id: URLs
+        https://bugs.webkit.org/show_bug.cgi?id=167453
+
+        Reviewed by Brent Fulgham.
+
+        Requests to x-apple-ql-id: URLs should be filtered by
+        -[QLPreviewConverter safeRequestForRequest:]. This method checks that the URL is one of the
+        ones generated for the current preview, and changes it to "about:" if it isn't.
+
+        WebCore::safeQLURLForDocumentURLAndResourceURL() was responsible for finding the
+        QLPreviewConverter instance to use by looking it up in an NSMutableDictionary using the
+        document URL as a key. In WebKit1, this dictionary was populated by the
+        QuickLookHandleClient when new QuickLookHandles were created, but the WebKit2
+        QuickLookHandleClient never did this. As a result, requests to invalid URLs were not being
+        rewritten.
+
+        An easy way to load a QuickLook document with invalid URLs is to create an HTML file with a
+        Microsoft Office extension (e.g. .xls); QuickLook, iWork, and Office support opening HTML
+        files with Office document extensions. In r207155 we applied a Content Security Policy to
+        QuickLook documents that only allows x-apple-ql-id: resources to load. This blocked
+        cross-origin requests from loading, but same-origin requests to URLs that weren't generated
+        by QLPreviewConverter were still allowed to load.
+
+        This change blocks these URLs by calling -[QLPreviewConverter safeRequestForRequest:] in a
+        way that works for both WebKit1 and WebKit2.
+
+        After implementing QuickLook for WebKit2, we found a bug when loading HTML-as-Office
+        documents (webkit.org/b/135651) that presented as a nil MIME type in the preview
+        NSURLResponse returned by QLPreviewConverter. Unfortunately r172159 papered over the actual
+        bug by failing to load previews with nil MIME types.
+
+        The real issue was that we were asking for the preview response before QuickLook had
+        received enough data to determine a MIME type, so this change also removes the bad fix from
+        r172159 and instead waits until QuickLook has converted the document to ask for its preview
+        response. This restores the ability to load HTML files with Office document extensions.
+        These two fixes are combined in a single patch because I don't know how to create an invalid
+        QuickLook URL for testing without loading an HTML-as-Office document.
+
+        Test: quicklook/invalid-ql-id-url.html
+
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::willSendRequestInternal): Called
+        QuickLookHandle::willSendRequest() if m_documentLoader has a QuickLookHandle.
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::load): Removed the call to
+        WebCore::safeQLURLForDocumentURLAndResourceURL().
+        * loader/ios/QuickLook.h: Removed safeQLURLForDocumentURLAndResourceURL() and declared
+        QuickLookHandle::willSendRequest().
+        * loader/ios/QuickLook.mm: Removed _previewResponse and _hasFailed ivars from
+        WebPreviewConverter.
+        (-[WebPreviewConverter initWithResourceLoader:resourceResponse:quickLookHandle:]): Stopped
+        setting _previewResponse.
+        (-[WebPreviewConverter _sendDidReceiveResponseIfNecessary]): Only emptied _bufferedDataArray
+        if we haven't already called -_sendDidReceiveResponseIfNecessary; removed the check for a
+        nil _previewResponse MIME type; accessed -[QLPreviewConverter previewResponse] now that the
+        document has been converted and asserted its MIME type is non-nil.
+        (-[WebPreviewConverter connection:didReceiveData:lengthReceived:]): Removed _hasFailed check.
+        (-[WebPreviewConverter connectionDidFinishLoading:]): Ditto.
+        (isQuickLookPasswordError): Moved the check for password failure errors to here from
+        -connection:didFailWithError: for better readability.
+        (-[WebPreviewConverter connection:didFailWithError:]): Removed _hasFailed check and used
+        more early returns.
+        (WebCore::QuickLookHandle::willSendRequest): Filtered the request through
+        -[QLPreviewConverter safeRequestWithRequest:] if the request URL's scheme is x-apple-ql-id:.
+        (WebCore::safeQLURLForDocumentURLAndResourceURL): Deleted.
+
 2017-01-26  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/WebCore/loader/ResourceLoader.cpp

@@ -56 +56 @@
 #endif
 
+#if USE(QUICK_LOOK)
+#include "QuickLook.h"
+#endif
+
 namespace WebCore {
 
@@ -371 +375 @@
     else
         InspectorInstrumentation::willSendRequest(m_frame.get(), m_identifier, m_frame->loader().documentLoader(), request, redirectResponse);
+
+#if USE(QUICK_LOOK)
+    if (auto quickLookHandle = m_documentLoader->quickLookHandle())
+        quickLookHandle->willSendRequest(request);
+#endif
 
     bool isRedirect = !redirectResponse.isNull();

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -215 +215 @@
     m_loading = true;
 
-#if USE(QUICK_LOOK)
-    if (!m_resourceRequest.isNull() && m_resourceRequest.url().protocolIs(QLPreviewProtocol())) {
-        // When QuickLook is invoked to convert a document, it returns a unique URL in the
-        // NSURLReponse for the main document. To make safeQLURLForDocumentURLAndResourceURL()
-        // work, we need to use the QL URL not the original URL.
-        const URL& documentURL = frameLoader.documentLoader()->response().url();
-        m_resourceRequest.setURL(safeQLURLForDocumentURLAndResourceURL(documentURL, url()));
-    }
-#endif
-
     if (isCacheValidator()) {
         CachedResource* resourceToRevalidate = m_resourceToRevalidate;

trunk/Source/WebCore/loader/ios/QuickLook.h

@@ -47 +47 @@
 class QuickLookHandleClient;
 class ResourceLoader;
+class ResourceRequest;
 class ResourceResponse;
 class SharedBuffer;
@@ -60 +61 @@
 WEBCORE_EXPORT RetainPtr<NSURLRequest> registerQLPreviewConverterIfNeeded(NSURL *, NSString *mimeType, NSData *);
 
-const URL safeQLURLForDocumentURLAndResourceURL(const URL& documentURL, const String& resourceURL);
-
 WEBCORE_EXPORT const char* QLPreviewProtocol();
 
@@ -73 +72 @@
     ~QuickLookHandle();
 
+    void willSendRequest(ResourceRequest&);
     bool didReceiveData(const char* data, unsigned length);
     bool didReceiveBuffer(const SharedBuffer&);

trunk/Source/WebCore/loader/ios/QuickLook.mm

@@ -35 +35 @@
 #import "ResourceError.h"
 #import "ResourceLoader.h"
+#import "ResourceRequest.h"
 #import "SharedBuffer.h"
 #import <wtf/NeverDestroyed.h>
@@ -124 +125 @@
 
     return nil;
-}
-
-const URL WebCore::safeQLURLForDocumentURLAndResourceURL(const URL& documentURL, const String& resourceURL)
-{
-    id converter = nil;
-    NSURL *nsDocumentURL = documentURL;
-    {
-        LockHolder lock(qlPreviewConverterDictionaryMutex());
-        converter = [QLPreviewConverterDictionary() objectForKey:nsDocumentURL];
-    }
-
-    if (!converter)
-        return URL(ParsedURLString, resourceURL);
-
-    RetainPtr<NSURLRequest> request = adoptNS([[NSURLRequest alloc] initWithURL:[NSURL URLWithString:resourceURL]]);
-    NSURLRequest *safeRequest = [converter safeRequestForRequest:request.get()];
-    return [safeRequest URL];
 }
 
@@ -182 +166 @@
     RetainPtr<NSURLResponse> _originalResponse;
     RetainPtr<QLPreviewConverter> _platformConverter;
-    RetainPtr<NSURLResponse> _previewResponse;
     RetainPtr<NSMutableArray> _bufferedDataArray;
     BOOL _hasSentDidReceiveResponse;
-    BOOL _hasFailed;
 }
 
@@ -211 +193 @@
     _originalResponse = resourceResponse.nsURLResponse();
     _platformConverter = adoptNS([allocQLPreviewConverterInstance() initWithConnection:nil delegate:self response:_originalResponse.get() options:nil]);
-    _previewResponse = [_platformConverter previewResponse];
     _bufferedDataArray = adoptNS([[NSMutableArray alloc] init]);
 
@@ -253 +234 @@
 - (void)_sendDidReceiveResponseIfNecessary
 {
+    if (_hasSentDidReceiveResponse)
+        return;
+
     [_bufferedDataArray removeAllObjects];
 
-    if (_hasSentDidReceiveResponse || _hasFailed)
-        return;
-
-    // QuickLook might fail to convert a document without calling connection:didFailWithError: (see <rdar://problem/17927972>).
-    // A nil MIME type is an indication of such a failure, so stop loading the resource and ignore subsequent delegate messages.
-    if (![_previewResponse MIMEType]) {
-        _hasFailed = YES;
-        _resourceLoader->didFail(_resourceLoader->cannotShowURLError());
-        return;
-    }
-
-    ResourceResponse response { _previewResponse.get() };
+    ResourceResponse response { [_platformConverter previewResponse] };
     response.setIsQuickLook(true);
+    ASSERT(response.mimeType().length());
 
     _hasSentDidReceiveResponse = YES;
@@ -277 +251 @@
     ASSERT_UNUSED(connection, !connection);
     [self _sendDidReceiveResponseIfNecessary];
-    if (_hasFailed)
-        return;
 
     // QuickLook code sends us a nil data at times. The check below is the same as the one in
@@ -289 +261 @@
 {
     ASSERT_UNUSED(connection, !connection);
-    if (_hasFailed)
-        return;
-
     ASSERT(_hasSentDidReceiveResponse);
     _resourceLoader->didFinishLoading(0);
 }
 
+static inline bool isQuickLookPasswordError(NSError *error)
+{
+    return error.code == kQLReturnPasswordProtected && [error.domain isEqualToString:@"QuickLookErrorDomain"];
+}
+
 - (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error
 {
     ASSERT_UNUSED(connection, !connection);
 
-    if (error.code == kQLReturnPasswordProtected && [error.domain isEqualToString:@"QuickLookErrorDomain"]) {
-        if (!_client->supportsPasswordEntry()) {
-            _resourceLoader->didFail(_resourceLoader->cannotShowURLError());
-            return;
-        }
-
-        _client->didRequestPassword([retainedSelf = retainPtr(self)] (const String& password) {
-            NSDictionary *passwordOption = @{ (NSString *)kQLPreviewOptionPasswordKey : password };
-            auto converterWithPassword = adoptNS([allocQLPreviewConverterInstance() initWithConnection:nil delegate:retainedSelf.get() response:retainedSelf->_originalResponse.get() options:passwordOption]);
-            [converterWithPassword appendDataArray:retainedSelf->_bufferedDataArray.get()];
-            [converterWithPassword finishedAppendingData];
-            retainedSelf->_previewResponse = [converterWithPassword previewResponse];
-            retainedSelf->_platformConverter = WTFMove(converterWithPassword);
-        });
+    if (!isQuickLookPasswordError(error)) {
+        [self _sendDidReceiveResponseIfNecessary];
+        _resourceLoader->didFail(error);
         return;
     }
 
-    [self _sendDidReceiveResponseIfNecessary];
-    if (!_hasFailed)
-        _resourceLoader->didFail(error);
+    if (!_client->supportsPasswordEntry()) {
+        _resourceLoader->didFail(_resourceLoader->cannotShowURLError());
+        return;
+    }
+
+    _client->didRequestPassword([retainedSelf = retainPtr(self)] (const String& password) {
+        NSDictionary *passwordOption = @{ (NSString *)kQLPreviewOptionPasswordKey : password };
+        auto converterWithPassword = adoptNS([allocQLPreviewConverterInstance() initWithConnection:nil delegate:retainedSelf.get() response:retainedSelf->_originalResponse.get() options:passwordOption]);
+        [converterWithPassword appendDataArray:retainedSelf->_bufferedDataArray.get()];
+        [converterWithPassword finishedAppendingData];
+        retainedSelf->_platformConverter = WTFMove(converterWithPassword);
+    });
 }
 
@@ -390 +362 @@
 }
 
+void QuickLookHandle::willSendRequest(ResourceRequest& request)
+{
+    if (request.url().protocolIs(QLPreviewProtocol()))
+        request = [[m_converter platformConverter] safeRequestForRequest:request.nsURLRequest(DoNotUpdateHTTPBody)];
+}
+
 bool QuickLookHandle::didReceiveData(const char* data, unsigned length)
 {