[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677

trey trey at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 08:46:55 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit 37c6880ab6d4fcb9bf86ed0f225db9b2d312ca1e
Author: trey <trey at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jun 16 01:59:26 2004 +0000

    	3639321 - Harvard PIN authentication ends up sending PIN as clear text with POST action
    
    	When going back/forward to an item, if we went there originally via a POST,
    	we ask the user about rePOSTing, and if they say yes, we resend the POST.
    	This rePOST case is triggered by the form data that we saved on the b/f item.
    	In the case of this bug, the overall navigation was accomplished by a POST,
    	then a redirect, causing a GET.  When a load of type redirect achieves the Committed
    	stage, we replace the current URL in the b/f item with the new URL (instead of
    	adding a new item to the b/f list).
    
    	The bug is that at the same time we should also update the form data in
    	the b/f item to match that of the new request.  I think this will normally
    	mean nil'ing it out, unless there's some way for the result of the redirect
    	to be another POST.
    
    	The security leak occurred because we did not clear the form data on the item,
    	so when going back or forward to the page, we would go into the rePOSTing code,
    	even though we eventually reached that page via a GET (caused by the redirect).
    	So we would do a POST to the redirect URL containing the private data sent in
    	the original POST.
    
            Reviewed by mjs and rjw.
    
            * History.subproj/WebHistoryItem.m:
            (-[WebHistoryItem _setFormInfoFromRequest:]):  New method, just wraps 3 old set methods.
            (-[WebHistoryItem formData]):  Diff being dumb, no change.
            (-[WebHistoryItem formContentType]):  Ditto
            (-[WebHistoryItem formReferrer]): Ditto
            * History.subproj/WebHistoryItemPrivate.h:
            * WebView.subproj/WebFrame.m:
            (-[WebFrame _createItem:]):  Call new WebHistoryItem method - no change in real behavior
            (-[WebFrame _transitionToCommitted:]):  Clear out the form data at the key time, to fix the bug.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@6861 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit/ChangeLog b/WebKit/ChangeLog
index 4857c1a..9fe4eea 100644
--- a/WebKit/ChangeLog
+++ b/WebKit/ChangeLog
@@ -1,3 +1,38 @@
+2004-06-15  Trey Matteson  <trey at apple.com>
+
+	3639321 - Harvard PIN authentication ends up sending PIN as clear text with POST action
+
+	When going back/forward to an item, if we went there originally via a POST, 
+	we ask the user about rePOSTing, and if they say yes, we resend the POST. 
+	This rePOST case is triggered by the form data that we saved on the b/f item.
+	In the case of this bug, the overall navigation was accomplished by a POST,
+	then a redirect, causing a GET.  When a load of type redirect achieves the Committed
+	stage, we replace the current URL in the b/f item with the new URL (instead of
+	adding a new item to the b/f list).
+
+	The bug is that at the same time we should also update the form data in
+	the b/f item to match that of the new request.  I think this will normally
+	mean nil'ing it out, unless there's some way for the result of the redirect
+	to be another POST.
+ 
+	The security leak occurred because we did not clear the form data on the item,
+	so when going back or forward to the page, we would go into the rePOSTing code,
+	even though we eventually reached that page via a GET (caused by the redirect).
+	So we would do a POST to the redirect URL containing the private data sent in
+	the original POST.
+
+        Reviewed by mjs and rjw.
+
+        * History.subproj/WebHistoryItem.m:
+        (-[WebHistoryItem _setFormInfoFromRequest:]):  New method, just wraps 3 old set methods.
+        (-[WebHistoryItem formData]):  Diff being dumb, no change.
+        (-[WebHistoryItem formContentType]):  Ditto
+        (-[WebHistoryItem formReferrer]): Ditto
+        * History.subproj/WebHistoryItemPrivate.h:
+        * WebView.subproj/WebFrame.m:
+        (-[WebFrame _createItem:]):  Call new WebHistoryItem method - no change in real behavior
+        (-[WebFrame _transitionToCommitted:]):  Clear out the form data at the key time, to fix the bug.
+
 2004-06-15  Chris Blumenberg  <cblu at apple.com>
 
 	Fixed: <rdar://problem/3695724> WebKit plug-ins should only have to implement plugInViewWithArguments:
diff --git a/WebKit/History.subproj/WebHistoryItem.m b/WebKit/History.subproj/WebHistoryItem.m
index 8b8605a..8f99833 100644
--- a/WebKit/History.subproj/WebHistoryItem.m
+++ b/WebKit/History.subproj/WebHistoryItem.m
@@ -17,6 +17,8 @@
 #import <WebKit/WebPluginController.h>
 
 #import <Foundation/NSDictionary_NSURLExtras.h>
+#import <Foundation/NSString_NSURLExtras.h>
+#import <Foundation/NSURLRequestPrivate.h>
 
 #import <CoreGraphics/CoreGraphicsPrivate.h>
 
@@ -456,28 +458,36 @@ NSString *WebHistoryItemChangedNotification = @"WebHistoryItemChangedNotificatio
     }
 }
 
-- (NSData *)formData
+- (void)_setFormInfoFromRequest:(NSURLRequest *)request
 {
-    return _private->formData;
-}
+    NSData *newData = nil;
+    NSString *newContentType = nil;
+    NSString *newReferrer = nil;
+    if ([[request HTTPMethod] _web_isCaseInsensitiveEqualToString:@"POST"]) {
+        // save form state iff this is a POST
+        newData = [[request HTTPBody] copy];
+        newContentType = [[request HTTPContentType] copy];
+        newReferrer = [[request HTTPReferrer] copy];
+    }
 
-- (void)setFormData:(NSData *)data
-{
-    NSData *copy = [data copy];
     [_private->formData release];
-    _private->formData = copy;
+    _private->formData = newData;
+
+    [_private->formContentType release];
+    _private->formContentType = newContentType;
+    
+    [_private->formReferrer release];
+    _private->formReferrer = newReferrer;
 }
 
-- (NSString *)formContentType
+- (NSData *)formData
 {
-    return _private->formContentType;
+    return _private->formData;
 }
 
-- (void)setFormContentType:(NSString *)type
+- (NSString *)formContentType
 {
-    NSString *copy = [type copy];
-    [_private->formContentType release];
-    _private->formContentType = copy;
+    return _private->formContentType;
 }
 
 - (NSString *)formReferrer
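Review bot: `_setFormInfoFromRequest:` carries no comment stating its contract, and since it is now the single way form state gets onto a history item, the invariant it enforces should be written down: body, content type and referrer are kept only when the request method is POST and are replaced with nil for anything else, so any caller that changes an item's URL must call it again with the request that produced the new URL. I would put `// Form data may hold credentials (see 3639321). It is kept only for POST requests and must be refreshed whenever the item's URL is rewritten, so a later rePOST never targets a URL the user did not actually post to.` above the method. Note that a redirect answered with a POST-preserving status would keep a body here as well; the commit message already flags that case and it matches what was originally sent, but it belongs in the comment rather than being left implicit. The copy-then-release-then-assign sequence is correct under manual retain/release as written.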
@@ -485,13 +495,6 @@ NSString *WebHistoryItemChangedNotification = @"WebHistoryItemChangedNotificatio
     return _private->formReferrer;
 }
 
-- (void)setFormReferrer:(NSString *)referrer
-{
-    NSString *copy = [referrer copy];
-    [_private->formReferrer release];
-    _private->formReferrer = copy;
-}
-
 - (NSString *)RSSFeedReferrer
 {
     return _private->RSSFeedReferrer;
diff --git a/WebKit/History.subproj/WebHistoryItemPrivate.h b/WebKit/History.subproj/WebHistoryItemPrivate.h
index bd4f475..5259d38 100644
--- a/WebKit/History.subproj/WebHistoryItemPrivate.h
+++ b/WebKit/History.subproj/WebHistoryItemPrivate.h
@@ -45,9 +45,7 @@
 - (void)setScrollPoint:(NSPoint)p;
 - (void)setDocumentState:(NSArray *)state;
 - (void)setIsTargetItem:(BOOL)flag;
-- (void)setFormData:(NSData *)data;
-- (void)setFormContentType:(NSString *)type;
-- (void)setFormReferrer:(NSString *)referrer;
+- (void)_setFormInfoFromRequest:(NSURLRequest *)request;
 - (void)setRSSFeedReferrer:(NSString *)referrer;
 - (void)setVisitCount:(int)count;
 
diff --git a/WebKit/WebView.subproj/WebFrame.m b/WebKit/WebView.subproj/WebFrame.m
index 4575d5f..9ab324b 100644
--- a/WebKit/WebView.subproj/WebFrame.m
+++ b/WebKit/WebView.subproj/WebFrame.m
@@ -394,11 +394,7 @@ NSString *WebPageCacheDocumentViewKey = @"WebPageCacheDocumentViewKey";
     [bfItem setOriginalURLString:[[[dataSrc _originalRequest] URL] _web_originalDataAsString]];
 
     // save form state if this is a POST
-    if ([[request HTTPMethod] _web_isCaseInsensitiveEqualToString:@"POST"]) {
-        [bfItem setFormData:[request HTTPBody]];
-        [bfItem setFormContentType:[request HTTPContentType]];
-        [bfItem setFormReferrer:[request HTTPReferrer]];
-    }
+    [bfItem _setFormInfoFromRequest:request];
 
     // Set the item for which we will save document state
     [_private setPreviousItem:[_private currentItem]];
@@ -734,6 +730,9 @@ NSString *WebPageCacheDocumentViewKey = @"WebPageCacheDocumentViewKey";
                 } else {
                     // update the URL in the BF list that we made before the redirect
                     [[_private currentItem] setURL:[[ds request] URL]];
+                    // clear out the form data so we don't repost it to the wrong place if we
+                    // ever go back/forward to this item
+                    [[_private currentItem] _setFormInfoFromRequest:[ds request]];
                 }
                 [self _makeDocumentView];
                 break;
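Review bot: The added comment says the form data is cleared, but `_setFormInfoFromRequest:` re-derives it from `[ds request]` and keeps a body if that request is still a POST, so the comment overstates what happens; I would write `// Re-derive form data from the post-redirect request: it becomes nil when the redirect turned the POST into a GET, so a later back/forward cannot rePOST the original body to the redirect target.` The fix lives only at this one `setURL:` call site, so any other place that rewrites a history item's URL without refreshing its form info (none is visible in this hunk) would reintroduce the leak; pairing the two calls in a single WebHistoryItem helper would make the invariant hard to miss. `_transitionToCommitted:` begins and ends outside the hunk.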
