Bug 1302312 - Treat URLs with username or password but no host info as malformed. r=valentin
authorThomas Wisniewski <wisniewskit@gmail.com>
Tue, 13 Sep 2016 12:47:16 -0400
changeset 313745 32fb14de50feb0a1334c75a79ebab6fe7d9b3db5
parent 313744 e2bca303ae69caecec7d91396b8a04be9922e0fa
child 313746 afd6ad990dd40ac22dc374bed51e333c25288243
push id81700
push userryanvm@gmail.com
push dateWed, 14 Sep 2016 00:34:44 +0000
reviewersvalentin
bugs1302312
milestone51.0a1
Bug 1302312 - Treat URLs with username or password but no host info as malformed. r=valentin
netwerk/base/nsURLParsers.cpp
netwerk/test/unit/test_URIs.js
netwerk/test/unit/test_standardurl.js
testing/web-platform/meta/XMLHttpRequest/open-url-bogus.htm.ini
testing/web-platform/meta/url/url-constructor.html.ini
--- a/netwerk/base/nsURLParsers.cpp
+++ b/netwerk/base/nsURLParsers.cpp
@@ -492,16 +492,22 @@ nsAuthURLParser::ParseAuthority(const ch
                            usernamePos, usernameLen,
                            passwordPos, passwordLen);
         if (NS_FAILED(rv)) return rv;
         rv = ParseServerInfo(p + 1, authLen - (p - auth + 1),
                              hostnamePos, hostnameLen,
                              port);
         if (NS_FAILED(rv)) return rv;
         OFFSET_RESULT(hostname, p + 1 - auth);
+
+        // malformed if has a username or password
+        // but no host info, such as: http://u:p@/
+        if ((usernamePos || passwordPos) && (!hostnamePos || !*hostnameLen)) {
+            return NS_ERROR_MALFORMED_URI;
+        }
     }
     else {
         // auth = <server-info>
         SET_RESULT(username, 0, -1);
         SET_RESULT(password, 0, -1);
         rv = ParseServerInfo(auth, authLen,
                              hostnamePos, hostnameLen,
                              port);
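Review bot: The added guard `if ((usernamePos || passwordPos) && (!hostnamePos || !*hostnameLen))` decides malformedness from the caller's out-parameters rather than from what was parsed. These names look like optional out pointers (the hunk passes them straight through and dereferences `*hostnameLen`), though the signature is cut off in the hunk header, so confirm. If so, a caller that passes null for both userinfo outputs skips the check, a caller that passes null for `hostnamePos` gets NS_ERROR_MALFORMED_URI for every URL with userinfo, and `*hostnameLen` is dereferenced with only `hostnamePos` tested. Two callers could then disagree on whether the same URL is valid, which is the kind of parser differential a userinfo-without-host rejection should rule out. I would base the decision on a local host length filled in by ParseServerInfo, or at minimum write the host side as `(!hostnamePos || !hostnameLen || !*hostnameLen)` and state in the comment that the check applies only when the caller requests these components.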
--- a/netwerk/test/unit/test_URIs.js
+++ b/netwerk/test/unit/test_URIs.js
@@ -112,24 +112,16 @@ var gTests = [
     prePath: "ftp://foo:@ftp.mozilla.org:100",
     port:    100,
     username: "foo",
     password: "",
     path:    "/pub/mozilla.org/README",
     ref:     "",
     nsIURL:  true, nsINestedURI: false },
   //Bug 706249
-  { spec:    "http:x:@",
-    scheme:  "http",
-    prePath: "http://x:@",
-    username: "x",
-    password: "",
-    path:    "",
-    ref:     "",
-    nsIURL:  true, nsINestedURI: false },
   { spec:    "gopher://mozilla.org/",
     scheme:  "gopher",
     prePath: "gopher:",
     path:    "//mozilla.org/",
     ref:     "",
     nsIURL:  false, nsINestedURI: false },
   { spec:    "http://www.example.com/",
     scheme:  "http",
--- a/netwerk/test/unit/test_standardurl.js
+++ b/netwerk/test/unit/test_standardurl.js
@@ -332,16 +332,18 @@ add_test(function test_backslashReplacem
 
   run_next_test();
 });
 
 add_test(function test_authority_host()
 {
   Assert.throws(() => { stringToURL("http:"); }, "TYPE_AUTHORITY should have host");
   Assert.throws(() => { stringToURL("http:///"); }, "TYPE_AUTHORITY should have host");
+  Assert.throws(() => { stringToURL("http://u:p@/"); }, "User or password without host is not allowed");
+  Assert.throws(() => { stringToURL("http:@/"); }, "Must have a host");
 
   run_next_test();
 });
 
 add_test(function test_trim_C0_and_space()
 {
   var url = stringToURL("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f http://example.com/ \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f ");
   do_check_eq(url.spec, "http://example.com/");
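Review bot: The two assertions added to test_authority_host cover `http://u:p@/` and `http:@/`, but nothing exercises a username with no password. The `http:x:@` entry deleted from test_URIs.js is also not re-added anywhere as an expected failure. I would add `Assert.throws(() => { stringToURL("http://u@/"); }, "User without host is not allowed");` and an equivalent line for `http:x:@`, assuming that spec is now meant to throw. A positive check next to them that `http://u:p@example.com/` still parses would pin the new guard from both sides, so a later change that over-rejects userinfo URLs is caught here.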
deleted file mode 100644
--- a/testing/web-platform/meta/XMLHttpRequest/open-url-bogus.htm.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[open-url-bogus.htm]
-  type: testharness
-  [XMLHttpRequest: open() - bogus URLs (http://u:p@/)]
-    expected: FAIL
-
--- a/testing/web-platform/meta/url/url-constructor.html.ini
+++ b/testing/web-platform/meta/url/url-constructor.html.ini
@@ -76,19 +76,16 @@
     expected: FAIL
 
   [Parsing: <http://example.com/foo/%2e> against <about:blank>]
     expected: FAIL
 
   [Parsing: <data:test# »> against <about:blank>]
     expected: FAIL
 
-  [Parsing: <http://user:pass@/> against <about:blank>]
-    expected: FAIL
-
   [Parsing: <httpa://foo:80/> against <about:blank>]
     expected: FAIL
 
   [Parsing: <gopher://foo:70/> against <about:blank>]
     expected: FAIL
 
   [Parsing: <gopher://foo:443/> against <about:blank>]
     expected: FAIL
@@ -109,40 +106,16 @@
     expected: FAIL
 
   [Parsing: <http:/:b@www.example.com> against <about:blank>]
     expected: FAIL
 
   [Parsing: <http://:b@www.example.com> against <about:blank>]
     expected: FAIL
 
-  [Parsing: <http://user@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http:@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http:/@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http://@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <https:@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http:a:b@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http:/a:b@/www.example.com> against <about:blank>]
-    expected: FAIL
-
-  [Parsing: <http://a:b@/www.example.com> against <about:blank>]
-    expected: FAIL
-
   [Parsing: <http://www.@pple.com> against <about:blank>]
     expected: FAIL
 
   [Parsing: <http://:@www.example.com> against <about:blank>]
     expected: FAIL
 
   [Parsing: <http://﷐zyx.com> against <http://other.com/>]
     expected: FAIL