Changeset 81425 in webkit


Ignore:
Timestamp:
Mar 17, 2011 6:58:18 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-03-17 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Update CSP directive parser to match spec
https://bugs.webkit.org/show_bug.cgi?id=56582

Test some error-handling cases.

  • http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/directive-parsing.html: Added.

2011-03-17 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Update CSP directive parser to match spec
https://bugs.webkit.org/show_bug.cgi?id=56582

Brandon updated the CSP spec. I've updated our implementation to
match. In the process, I found a couple bugs in the spec, which I've
sent to the working group. This patch assumes that the bugs will be
fixed in the way I suggested. If they get fixed a different way, we
might need to update the parser again.

Test: http/tests/security/contentSecurityPolicy/directive-parsing.html

  • page/ContentSecurityPolicy.cpp: (WebCore::isDirectiveNameCharacter): (WebCore::isDirectiveValueCharacter): (WebCore::advanceUntil): (WebCore::ContentSecurityPolicy::parse): (WebCore::ContentSecurityPolicy::parseDirective):
  • page/ContentSecurityPolicy.h:
Location:
trunk
Files:
2 added
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r81423 r81425  
     12011-03-17  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        Update CSP directive parser to match spec
     6        https://bugs.webkit.org/show_bug.cgi?id=56582
     7
     8        Test some error-handling cases.
     9
     10        * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt: Added.
     11        * http/tests/security/contentSecurityPolicy/directive-parsing.html: Added.
     12
    1132011-03-17  James Simonsen  <simonjam@chromium.org>
    214

  • trunk/Source/WebCore/ChangeLog

    r81424 r81425  
     12011-03-17  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        Update CSP directive parser to match spec
     6        https://bugs.webkit.org/show_bug.cgi?id=56582
     7
     8        Brandon updated the CSP spec.  I've updated our implementation to
     9        match.  In the process, I found a couple bugs in the spec, which I've
     10        sent to the working group.  This patch assumes that the bugs will be
     11        fixed in the way I suggested.  If they get fixed a different way, we
     12        might need to update the parser again.
     13
     14        Test: http/tests/security/contentSecurityPolicy/directive-parsing.html
     15
     16        * page/ContentSecurityPolicy.cpp:
     17        (WebCore::isDirectiveNameCharacter):
     18        (WebCore::isDirectiveValueCharacter):
     19        (WebCore::advanceUntil):
     20        (WebCore::ContentSecurityPolicy::parse):
     21        (WebCore::ContentSecurityPolicy::parseDirective):
     22        * page/ContentSecurityPolicy.h:
     23
    1242011-03-17  Adam Barth  <abarth@webkit.org>
    225

  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r79547 r81425  
    2929
    3030namespace WebCore {
     31
     32static bool isDirectiveNameCharacter(UChar c)
     33{
     34    return isASCIIAlpha(c) || isASCIIDigit(c) || c == '-';
     35}
     36
     37static bool isDirectiveValueCharacter(UChar c)
     38{
     39    return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
     40}
     41
     42static void advanceUntil(const UChar*& pos, const UChar* end, UChar delimiter)
     43{
     44    while (pos < end) {
     45        if (*pos++ == delimiter)
     46            return;
     47    }
     48}
    3149
    3250class CSPDirective {
     
    88106        Vector<UChar, 64> value;
    89107
    90         parseDirective(pos, end, name, value);
     108        if (!parseDirective(pos, end, name, value))
     109            continue;
    91110        if (name.isEmpty())
    92111            continue;
     
    99118}
    100119
    101 void ContentSecurityPolicy::parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value)
     120bool ContentSecurityPolicy::parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value)
    102121{
    103122    ASSERT(pos < end);
     
    105124    ASSERT(value.isEmpty());
    106125
    107     enum {
    108         BeforeDirectiveName,
    109         DirectiveName,
    110         AfterDirectiveName,
    111         DirectiveValue,
    112     } state = BeforeDirectiveName;
     126    while (pos < end && isASCIISpace(*pos))
     127        pos++;
    113128
    114129    while (pos < end) {
    115         UChar currentCharacter = *pos++;
    116         switch (state) {
    117         case BeforeDirectiveName:
    118             if (isASCIISpace(currentCharacter))
    119                 continue;
    120             state = DirectiveName;
    121             // Fall through.
    122         case DirectiveName:
    123             if (!isASCIISpace(currentCharacter)) {
    124                 name.append(currentCharacter);
    125                 continue;
    126             }
    127             state = AfterDirectiveName;
    128             // Fall through.
    129         case AfterDirectiveName:
    130             if (isASCIISpace(currentCharacter))
    131                 continue;
    132             state = DirectiveValue;
    133             // Fall through.
    134         case DirectiveValue:
    135             if (currentCharacter != ';') {
    136                 value.append(currentCharacter);
    137                 continue;
    138             }
    139             return;
     130        UChar currentCharacter = *pos;
     131        if (currentCharacter == ';')
     132            break;
     133        if (isASCIISpace(currentCharacter))
     134            break;
     135        if (!isDirectiveNameCharacter(currentCharacter)) {
     136            advanceUntil(pos, end, ';');
     137            return false;
    140138        }
     139        name.append(currentCharacter);
     140        pos++;
    141141    }
     142
     143    while (pos < end && isASCIISpace(*pos))
     144        pos++;
     145
     146    if (pos < end && *pos == ';') {
     147        pos++;
     148        return true;
     149    }
     150
     151    while (pos < end) {
     152        UChar currentCharacter = *pos;
     153        if (currentCharacter == ';')
     154            break;
     155        if (!isDirectiveValueCharacter(currentCharacter)) {
     156            advanceUntil(pos, end, ';');
     157            return false;
     158        }
     159        value.append(currentCharacter);
     160        pos++;
     161    }
     162
     163    if (pos < end && *pos == ';') {
     164        pos++;
     165        return true;
     166    }
     167
     168    return true;
    142169}
    143170

  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r79547 r81425  
    4949
    5050    void parse(const String&);
    51     void parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value);
     51    bool parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value);
    5252    void emitDirective(const String& name, const String& value);
    5353
Note: See TracChangeset for help on using the changeset viewer.