Bug 15530

Summary: XMLHttpRequest should not support certain methods
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: XMLAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P3    
Version: 523.x (Safari 3)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch + test case
ap: review-
Patch updated with Ap's comments ap: review+

Alexey Proskuryakov
Reported 2007-10-16 04:07:00 PDT
These methods make various XSS attacks possible. TRACE http://www.kb.cert.org/vuls/id/867593 TRACK http://www.kb.cert.org/vuls/id/288308 CONNECT http://www.kb.cert.org/vuls/id/150227 AFAIK the network layer blocks them on the Mac anyway, but I think we should explicitly check for these in XMLHttpRequest implementation itself.
Attachments
Patch + test case (5.30 KB, patch)
2007-11-21 03:41 PST, Julien Chaffraix 		ap: review-
DetailsFormatted DiffDiff
Patch updated with Ap's comments (5.25 KB, patch)
2007-11-21 07:55 PST, Julien Chaffraix 		ap: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Julien Chaffraix
Comment 1 2007-11-21 03:41:02 PST
Created attachment 17429 [details] Patch + test case Other browsers' behaviour : - IE7 does not support these methods so raise an exception (message: invalid argument) - Firefox raises a NS_ERROR_INVALID_ARG exception for track and trace (no exception for connect) - Opera does not raise any exception The patch makes us raise a SECURITY_ERR for the 3 methods (IE's behaviour and close to Firefox's).
Alexey Proskuryakov
Comment 2 2007-11-21 05:48:12 PST
Comment on attachment 17429 [details] Patch + test case + layoutTestController.waitUntilDone(); This is not needed. + try { + xhr.open(method, "resources/1251.html", true); + xhr.send(null); This test doesn't differentiate between open() and send() raising an exception, I think it should. It may be slightly better to use sync XHR in the test, to maqke it more explicit that we don't wait for anything to finish.
Julien Chaffraix
Comment 3 2007-11-21 07:55:41 PST
Created attachment 17430 [details] Patch updated with Ap's comments > (From update of attachment 17429 [details] [edit]) > + layoutTestController.waitUntilDone(); > This is not needed. Removed. > + try { > + xhr.open(method, "resources/1251.html", true); > + xhr.send(null); > This test doesn't differentiate between open() and send() raising an > exception, > I think it should. In fact, the exception should be raised only for open() so I removed send() as it was not relevant. > It may be slightly better to use sync XHR in the test, to maqke it more > explicit that we don't wait for anything to finish. The new test case uses a sync XHR.
Alexey Proskuryakov
Comment 4 2007-11-21 09:01:46 PST
Comment on attachment 17430 [details] Patch updated with Ap's comments r=me
Alexey Proskuryakov
Comment 5 2007-11-22 03:04:00 PST
Committed revision 27970.
Note You need to log in before you can comment on or make changes to this bug.