Changeset 50072 in webkit


Timestamp:
Oct 26, 2009 10:26:26 AM (14 years ago)
Author:
ap@apple.com
Message:

Reviewed by Adam Barth and Darin Adler.

https://bugs.webkit.org/show_bug.cgi?id=30723
<rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.

Test: http/tests/security/escape-form-data-field-names.html

  • platform/network/FormDataBuilder.cpp: (WebCore::appendQuotedString): (WebCore::FormDataBuilder::beginMultiPartHeader): (WebCore::FormDataBuilder::addFilenameToMultiPartHeader): Percent-escape line breaks and quotation marks.
Location:
trunk
Files:
3 added
3 edited

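--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,13 @@
+2009-10-23  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Adam Barth and Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30723
+        <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+        * http/tests/security/escape-form-data-field-names-expected.txt: Added.
+        * http/tests/security/escape-form-data-field-names.html: Added.
+        * http/tests/security/resources/escape-form-data-field-names.cgi: Added.
+
 2009-10-26  Andras Becsi  <becsi.andras@stud.u-szeged.hu>
 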
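--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,17 @@
+2009-10-23  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Adam Barth and Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30723
+        <rdar://problem/6189415> Input names added to multipart/form-data headers need to be escaped.
+
+        Test: http/tests/security/escape-form-data-field-names.html
+
+        * platform/network/FormDataBuilder.cpp:
+        (WebCore::appendQuotedString):
+        (WebCore::FormDataBuilder::beginMultiPartHeader):
+        (WebCore::FormDataBuilder::addFilenameToMultiPartHeader):
+        Percent-escape line breaks and quotation marks.
+
 2009-10-26  Kelly Norton  <knorton@google.com>
 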
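--- a/trunk/WebCore/platform/network/FormDataBuilder.cpp
+++ b/trunk/WebCore/platform/network/FormDataBuilder.cpp
@@ -107,4 +107,32 @@
 {
     buffer.append(string.data(), string.length());
+}
+
+static void appendQuotedString(Vector<char>& buffer, const CString& string)
+{
+    // Append a string as a quoted value, escaping quotes and line breaks.
+    // FIXME: Is it correct to use percent escaping here? Other browsers do not encode these characters yet,
+    // so we should test popular servers to find out if there is an encoding form they can handle.
+    unsigned length = string.length();
+    for (unsigned i = 0; i < length; ++i) {
+        unsigned char c = string.data()[i];
+
+        switch (c) {
+        case  0x0a:
+            append(buffer, "%0A");
+            break;
+        case 0x0d:
+            append(buffer, "%0D");
+            break;
+        case '"':
+            append(buffer, "%22");
+            break;
+        case '%':
+            append(buffer, "%25");
+            break;
+        default:
+            append(buffer, c);
+        }
+    }
 }
 
@@ -162,6 +190,8 @@
     addBoundaryToMultiPartHeader(buffer, boundary);
 
+    // FIXME: This loses data irreversibly if the input name includes characters you can't encode
+    // in the website's character set.
     append(buffer, "Content-Disposition: form-data; name=\"");
-    append(buffer, name);
+    appendQuotedString(buffer, name);
     append(buffer, '"');
 }
@@ -180,10 +210,8 @@
 void FormDataBuilder::addFilenameToMultiPartHeader(Vector<char>& buffer, const TextEncoding& encoding, const String& filename)
 {
-    // FIXME: This won't work if the filename includes a " mark,
-    // or control characters like CR or LF. This also does strange
-    // things if the filename includes characters you can't encode
+    // FIXME: This loses data irreversibly if the filename includes characters you can't encode
     // in the website's character set.
     append(buffer, "; filename=\"");
-    append(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
+    appendQuotedString(buffer, encoding.encode(filename.characters(), filename.length(), QuestionMarksForUnencodables));
     append(buffer, '"');
 }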
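Review bot: `appendQuotedString` escapes the bytes of the already-encoded `CString`, and nothing in its comment says so; this is visible at the `encoding.encode(...)` call in `addFilenameToMultiPartHeader`, and for `name` it is inferred from the `CString` parameter, since the function that writes `name` starts outside the section. Working on bytes is the safer order against header injection, because no raw 0x0A, 0x0D or 0x22 byte can reach the part header whatever the form's charset. The cost is that in a 7-bit stateful encoding such as ISO-2022-JP the bytes 0x22 and 0x25 also occur inside double-byte characters and will be rewritten, which changes names that contain no quote or percent sign. I would record that trade-off next to the existing FIXME, e.g. `// Escaping is done on encoded bytes on purpose; encodings that reuse 0x22/0x25 inside multi-byte sequences (e.g. ISO-2022-JP) get those bytes escaped too.`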