RESOLVED FIXED Bug 163253
Don't run SecurityOrigin's port through URLParser 
https://bugs.webkit.org/show_bug.cgi?id=163253
Summary Don't run SecurityOrigin's port through URLParser
Alex Christensen
Reported 2016-10-10 16:35:58 PDT
Don't run SecurityOrigin constructor parameters through URLParser
Attachments
Patch (6.02 KB, patch)
2016-10-10 16:37 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (2.28 KB, patch)
2016-10-10 16:52 PDT, Alex Christensen 		beidson: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2016-10-10 16:37:40 PDT
Created attachment 291183 [details] Patch
Brady Eidson
Comment 2 2016-10-10 16:42:15 PDT
Comment on attachment 291183 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=291183&action=review > Source/WebCore/page/SecurityOrigin.cpp:-107 > - : m_protocol(url.protocol().isNull() ? emptyString() : url.protocol().convertToASCIILowercase()) > - , m_host(url.host().isNull() ? emptyString() : url.host().convertToASCIILowercase()) Empty vs null is important. Can't lose this. > Source/WebCore/page/SecurityOrigin.cpp:114 > + : m_protocol(protocol.convertToASCIILowercase()) > + , m_host(host.convertToASCIILowercase()) Ditto. > Source/WebCore/page/SecurityOrigin.h:235 > + String m_protocol { emptyString() }; > + String m_host { emptyString() }; > + String m_domain { emptyString() }; All constructors overwrite these defaults. I wonder if there's any scenarios where SecurityOrigin is hot enough that this is a concern (overriding them) I also wonder if the compiler optimizes that out anyways. I wonder...
Alex Christensen
Comment 3 2016-10-10 16:52:35 PDT
Created attachment 291187 [details] Patch
Alex Christensen
Comment 4 2016-10-10 16:54:45 PDT
http://trac.webkit.org/changeset/207033
Note You need to log in before you can comment on or make changes to this bug.