Bug 67655

Summary:

AssociatedURLLoader should check HTTP method / headers for untrusted requests.

Product:

WebKit

Reporter:

Bill Budge <bbudge>

Component:

Platform

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

dglazkov, fishd, levin, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Proposed Patch	levin: commit-queue-
Proposed Patch	none
Proposed Patch	fishd: review+, fishd: commit-queue-
Proposed Patch	none

Bill Budge

Reported 2011-09-06 10:51:51 PDT

Perform HTTP method and header validation in AssociatedURLLoader for requests coming from untrusted code (eg. Native Client in Chrome). Use the same code as XMLHttpRequest to reduce code duplication and have behavior identical to XHR in Javascript. Add an 'untrustedHTTP' option to WebURLLoaderOptions, which AssociatedURLLoader can use to determine if it should check the request method and headers.

Attachments
Proposed Patch (11.90 KB, patch) 2011-09-06 11:02 PDT, Bill Budge	levin: commit-queue-	Details Formatted Diff Diff
Proposed Patch (11.91 KB, patch) 2011-09-07 11:30 PDT, Bill Budge	no flags	Details Formatted Diff Diff
Proposed Patch (11.87 KB, patch) 2011-09-07 13:55 PDT, Bill Budge	fishd: review+ fishd: commit-queue-	Details Formatted Diff Diff
Proposed Patch (11.86 KB, patch) 2011-09-13 14:01 PDT, Bill Budge	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Bill Budge

Comment 1 2011-09-06 11:02:51 PDT

Created attachment 106444 [details] Proposed Patch

David Levin

Comment 2 2011-09-06 12:54:53 PDT

Comment on attachment 106444 [details] Proposed Patch View in context: https://bugs.webkit.org/attachment.cgi?id=106444&action=review Looks good to me. Since there is a chromium/public change, I'll leave the final r+ for Darin. > Source/WebKit/chromium/public/WebURLLoaderOptions.h:49 > + , crossOriginRequestPolicy(CrossOriginRequestPolicyDeny) { } Ideally put the {} on separate lines at this point.

Bill Budge

Comment 3 2011-09-07 11:30:52 PDT

Created attachment 106607 [details] Proposed Patch

Bill Budge

Comment 4 2011-09-07 11:56:14 PDT

*** Bug 66963 has been marked as a duplicate of this bug. ***

Bill Budge

Comment 5 2011-09-07 11:57:01 PDT

Comment on attachment 106607 [details] Proposed Patch Adding some tests for invalid header values.

Bill Budge

Comment 6 2011-09-07 13:55:28 PDT

Created attachment 106631 [details] Proposed Patch Improved the tests to check for invalid header values. Improved helper method names.

WebKit Review Bot

Comment 7 2011-09-08 10:05:02 PDT

Comment on attachment 106631 [details] Proposed Patch Attachment 106631 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/9616952

Bill Budge

Comment 8 2011-09-08 16:27:09 PDT

Comment on attachment 106631 [details] Proposed Patch I believe this build failure is spurious.

Darin Fisher (:fishd, Google)

Comment 9 2011-09-09 09:38:50 PDT

Comment on attachment 106631 [details] Proposed Patch View in context: https://bugs.webkit.org/attachment.cgi?id=106631&action=review > Source/WebKit/chromium/src/AssociatedURLLoader.cpp:56 > +namespace { nit: put the anonymous namespace inside the WebKit namespace. then we shoudn't need the 'using namespace WebKit' up above. > Source/WebKit/chromium/src/AssociatedURLLoader.cpp:289 > + m_clientAdapter->setDelayedError(ResourceError()); what are your plans for this?

Bill Budge

Comment 10 2011-09-09 12:28:59 PDT

Once this lands, I can redo PPAPI and WebKit glue code that does all of these checks. As part of that CL I will have to modify URLRequest and URLLoader tests since these errors are reported asynchronously now. I also have FIXMEs to improve error reporting in the glue code. I will need to define a new error domain in WebKit so AssociatedURLLoader can report syntax vs. security errors in a way that WebKit glue understands. Currently it doesn't know about WebKit error domains, only our net:: one, and reports the former as PP_ERROR. It might make sense to modify this patch to generate ResourceErrors with enough information to make this possible.

Bill Budge

Comment 11 2011-09-09 12:29:56 PDT

Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot?

David Levin

Comment 12 2011-09-09 12:43:34 PDT

(In reply to comment #11) > Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot? Reupload the patch is the only way that I know of. (New attachment).

Bill Budge

Comment 13 2011-09-13 14:01:11 PDT

Created attachment 107222 [details] Proposed Patch Moved header visitor into WebKit namespace. Added information on plans for fixing error reporting from this layer.

Darin Fisher (:fishd, Google)

Comment 14 2011-09-19 14:58:49 PDT

Comment on attachment 107222 [details] Proposed Patch R=me, sorry for the delayed response!

WebKit Review Bot

Comment 15 2011-09-19 16:01:59 PDT

Comment on attachment 107222 [details] Proposed Patch Clearing flags on attachment: 107222 Committed r95490: <http://trac.webkit.org/changeset/95490>

WebKit Review Bot

Comment 16 2011-09-19 16:02:04 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.