190005 2018-09-26 12:01:51 -0700 URLs with mismatched surrogate pairs in the host should fail to parse 2018-09-30 20:15:13 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 achristensen achristensen ap cdumez darin webkit-bug-importer oldest_to_newest 1463672 0 achristensen 2018-09-26 12:01:51 -0700 URLs with mismatched surrogate pairs in the host should fail to parse 1463673 1 350879 achristensen 2018-09-26 12:04:26 -0700 Created attachment 350879 Patch 1463773 2 achristensen 2018-09-26 14:58:48 -0700 http://trac.webkit.org/r236528 1463774 3 webkit-bug-importer 2018-09-26 14:59:27 -0700 <rdar://problem/44809426> 1464468 4 350879 ap 2018-09-28 12:55:46 -0700 Comment on attachment 350879 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=350879&action=review > Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp:1260 > + const wchar_t replacementCharacter = 0xFFFD; Can this be verified with a web facing test? API tests are a lot more costly in many ways (poor infrastructure to maintain, no EWS support, no parallelization). 1464896 5 350879 darin 2018-09-30 20:15:13 -0700 Comment on attachment 350879 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=350879&action=review > Source/WebCore/platform/URLParser.cpp:2758 > + if (!U_IS_UNICODE_CHAR(*iterator)) This line of code does not simply check for mismatched surrogates. If we only wanted to do that, the correct code would be: if (U_IS_SURROGATE(*iterator)) The U_IS_UNICODE_CHAR function excludes surrogates, but also excludes FDD0-FDEF, FFFE, and FFFF. Do we want that behavior? The added test doesn't cover this, but it should cover those cases too if we think the behavior change is helpful. 350879 2018-09-26 12:04:26 -0700 2018-09-26 14:18:20 -0700 Patch bug-190005-20180926120426.patch text/plain 3838 achristensen SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIzNjQ4OCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDE4LTA5LTI2ICBBbGV4IENo cmlzdGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CisKKyAgICAgICAgVVJMcyB3aXRo IG1pc21hdGNoZWQgc3Vycm9nYXRlIHBhaXJzIGluIHRoZSBob3N0IHNob3VsZCBmYWlsIHRvIHBh cnNlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xOTAw MDUKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBFbHNl d2hlcmUgaW4gdGhlIFVSTFBhcnNlciwgd2hlbiB3ZSBlbmNvdW50ZXIgbWlzbWF0Y2hlZCBzdXJy b2dhdGUgcGFpcnMgd2UgdXNlIHRoZSByZXBsYWNlbWVudCBjaGFyYWN0ZXIsCisgICAgICAgIGJ1 dCB0aGF0IGp1c3QgZmFpbHMgbGF0ZXIgb24gaW4gZG9tYWluVG9BU0NJSSwgc28gd2UgbWF5IGFz IHdlbGwganVzdCBmYWlsLgorICAgICAgICBUaGlzIGJlaGF2aW9yIG1hdGNoZXMgQ2hyb21lLCBi dXQgaXMgdW5jbGVhciBpbiB0aGUgc3BlYy4gIFRoZXJlIGFyZSBubyB2YWxpZCB1c2VzIG9mIGhv c3RzIGNvbnRhaW5pbmcgbWlzbWF0Y2hlZCBzdXJyb2dhdGUgcGFpcnMuCisgICAgICAgIENvdmVy ZWQgYnkgbmV3IEFQSSB0ZXN0cy4KKworICAgICAgICAqIHBsYXRmb3JtL1VSTFBhcnNlci5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpVUkxQYXJzZXI6OnBhcnNlSG9zdEFuZFBvcnQpOgorCiAyMDE4 LTA5LTI1ICBKb2huIFdpbGFuZGVyICA8d2lsYW5kZXJAYXBwbGUuY29tPgogCiAgICAgICAgIENo YW5nZSBmcm9tIEhBVkUoQ0ZORVRXT1JLX1NUT1JBR0VfUEFSVElUSU9OSU5HKSB0byBFTkFCTEUo UkVTT1VSQ0VfTE9BRF9TVEFUSVNUSUNTKQpJbmRleDogU291cmNlL1dlYkNvcmUvcGxhdGZvcm0v VVJMUGFyc2VyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9VUkxQ YXJzZXIuY3BwCShyZXZpc2lvbiAyMzY0ODgpCisrKyBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9V UkxQYXJzZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yNzU1LDEyICsyNzU1LDExIEBAIGJvb2wg VVJMUGFyc2VyOjpwYXJzZUhvc3RBbmRQb3J0KENvZGVQb2kKICAgICAgICAgaWYgKFVOTElLRUxZ KCFpc0FTQ0lJKCppdGVyYXRvcikpKQogICAgICAgICAgICAgc3ludGF4VmlvbGF0aW9uKGhvc3RC ZWdpbik7CiAKKyAgICAgICAgaWYgKCFVX0lTX1VOSUNPREVfQ0hBUigqaXRlcmF0b3IpKQorICAg ICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICB1aW50OF90IGJ1ZmZlcltVOF9NQVhfTEVO R1RIXTsKICAgICAgICAgaW50MzJfdCBvZmZzZXQgPSAwOwotICAgICAgICBVQm9vbCBlcnJvciA9 IGZhbHNlOwotICAgICAgICBVOF9BUFBFTkQoYnVmZmVyLCBvZmZzZXQsIFU4X01BWF9MRU5HVEgs ICppdGVyYXRvciwgZXJyb3IpOwotICAgICAgICBBU1NFUlRfV0lUSF9TRUNVUklUWV9JTVBMSUNB VElPTihvZmZzZXQgPD0gc3RhdGljX2Nhc3Q8aW50MzJfdD4oc2l6ZW9mKGJ1ZmZlcikpKTsKLSAg ICAgICAgLy8gRklYTUU6IENoZWNrIGVycm9yLgorICAgICAgICBVOF9BUFBFTkRfVU5TQUZFKGJ1 ZmZlciwgb2Zmc2V0LCAqaXRlcmF0b3IpOwogICAgICAgICB1dGY4RW5jb2RlZC5hcHBlbmQoYnVm ZmVyLCBvZmZzZXQpOwogICAgIH0KICAgICBMQ2hhckJ1ZmZlciBwZXJjZW50RGVjb2RlZCA9IHBl cmNlbnREZWNvZGUodXRmOEVuY29kZWQuZGF0YSgpLCB1dGY4RW5jb2RlZC5zaXplKCksIGhvc3RC ZWdpbik7CkluZGV4OiBUb29scy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gVG9vbHMvQ2hhbmdl TG9nCShyZXZpc2lvbiAyMzY1MTQpCisrKyBUb29scy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkK QEAgLTEsMyArMSwxMyBAQAorMjAxOC0wOS0yNiAgQWxleCBDaHJpc3RlbnNlbiAgPGFjaHJpc3Rl bnNlbkB3ZWJraXQub3JnPgorCisgICAgICAgIFVSTHMgd2l0aCBtaXNtYXRjaGVkIHN1cnJvZ2F0 ZSBwYWlycyBpbiB0aGUgaG9zdCBzaG91bGQgZmFpbCB0byBwYXJzZQorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTkwMDA1CisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBUZXN0V2ViS2l0QVBJL1Rlc3RzL1dl YkNvcmUvVVJMUGFyc2VyLmNwcDoKKyAgICAgICAgKFRlc3RXZWJLaXRBUEk6OlRFU1RfRik6CisK IDIwMTgtMDktMjYgIFBoaWxpcHBlIE5vcm1hbmQgIDxwbm9ybWFuZEBpZ2FsaWEuY29tPgogCiAg ICAgICAgIFtGbGF0cGFrXSBCdW1wIHRvIGFwciAxLjYuNQpJbmRleDogVG9vbHMvVGVzdFdlYktp dEFQSS9UZXN0cy9XZWJDb3JlL1VSTFBhcnNlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gVG9vbHMvVGVz dFdlYktpdEFQSS9UZXN0cy9XZWJDb3JlL1VSTFBhcnNlci5jcHAJKHJldmlzaW9uIDIzNjQ4OCkK KysrIFRvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV2ViQ29yZS9VUkxQYXJzZXIuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0xMjU3LDkgKzEyNTcsMTIgQEAgVEVTVF9GKFVSTFBhcnNlclRlc3QsIEFk ZGl0aW9uYWxUZXN0cykKICAgICBjb25zdCB3Y2hhcl90IHN1cnJvZ2F0ZUJlZ2luID0gMHhEODAw OwogICAgIGNvbnN0IHdjaGFyX3QgdmFsaWRTdXJyb2dhdGVFbmQgPSAweERENTU7CiAgICAgY29u c3Qgd2NoYXJfdCBpbnZhbGlkU3Vycm9nYXRlRW5kID0gJ0EnOworICAgIGNvbnN0IHdjaGFyX3Qg cmVwbGFjZW1lbnRDaGFyYWN0ZXIgPSAweEZGRkQ7CiAgICAgY2hlY2tVUkwodXRmMTZTdHJpbmc8 MTI+KHsnaCcsICd0JywgJ3QnLCAncCcsICc6JywgJy8nLCAnLycsICd3JywgJy8nLCBzdXJyb2dh dGVCZWdpbiwgdmFsaWRTdXJyb2dhdGVFbmQsICdcMCd9KSwKICAgICAgICAgeyJodHRwIiwgIiIs ICIiLCAidyIsIDAsICIvJUYwJTkwJTg1JTk1IiwgIiIsICIiLCAiaHR0cDovL3cvJUYwJTkwJTg1 JTk1In0sIHRlc3RUYWJzVmFsdWVGb3JTdXJyb2dhdGVQYWlycyk7Ci0KKyAgICBzaG91bGRGYWls KHV0ZjE2U3RyaW5nPDEwPih7J2gnLCAndCcsICd0JywgJ3AnLCAnOicsICcvJywgc3Vycm9nYXRl QmVnaW4sIGludmFsaWRTdXJyb2dhdGVFbmQsICcvJywgJ1wwJ30pKTsKKyAgICBzaG91bGRGYWls KHV0ZjE2U3RyaW5nPDk+KHsnaCcsICd0JywgJ3QnLCAncCcsICc6JywgJy8nLCByZXBsYWNlbWVu dENoYXJhY3RlciwgJy8nLCAnXDAnfSkpOworICAgIAogICAgIC8vIFVSTFBhcnNlciBtYXRjaGVz IENocm9tZSBhbmQgRmlyZWZveCBidXQgbm90IFVSTDo6cGFyc2UuCiAgICAgY2hlY2tVUkxEaWZm ZXJlbmNlcyh1dGYxNlN0cmluZzwxMj4oeydoJywgJ3QnLCAndCcsICdwJywgJzonLCAnLycsICcv JywgJ3cnLCAnLycsIHN1cnJvZ2F0ZUJlZ2luLCBpbnZhbGlkU3Vycm9nYXRlRW5kfSksCiAgICAg ICAgIHsiaHR0cCIsICIiLCAiIiwgInciLCAwLCAiLyVFRiVCRiVCREEiLCAiIiwgIiIsICJodHRw Oi8vdy8lRUYlQkYlQkRBIn0sCg==