Closed Bug 1031372 Opened 12 years ago Closed 12 years ago

CSP parser should accept 127.0.0.1:*

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla33

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

Attachments

(1 file)

Related to bug Bug 1031259, the parser rejects parsing 127.0.0.1:* - which ias a valid host, according to the spec: http://www.w3.org/TR/CSP11/#parsing
The ABNF for hosts is defined as followed: > host = "*" / [ "*." ] 1*host-char *( "." 1*host-char ) > host-char = ALPHA / DIGIT / "-" Currently, the parser rejected hosts that didn't start with an actual character (a-z), but in fact, the parser should accept all host-chars (ALPHA/DIGIT/"-"). The attached patch fixes the problem, which caused two testcases from the compiled code tests to be moved from bad policies, to good policies. Further, I added two testcases that verify that the parser accepts 127.0.0.1. Also, in nsCSPParser::sourceList I added resetCurValue(), which does not affect the actual outcome of parsing, but it makes PR logging more readable, because the logging was still holding the previously parsed value, which was confusing. Please note, that this patch does *not* fix 1031259,it's only one of the sub-problems for bug 1031259.
Attachment #8447272 - Flags: review?(sstamm)
Comment on attachment 8447272 [details] [diff] [review] bug_1031372.patch Review of attachment 8447272 [details] [diff] [review]: ----------------------------------------------------------------- Looks right. Did you do a pass to verify the rest of the ABNF against the implementation? r=me. ::: content/base/test/TestCSPParser.cpp @@ +401,5 @@ > + "default-src http://127.0.0.1:*" }, > + { "default-src -; ", > + "default-src http://-" }, > + { "script-src 1", > + "script-src http://1" } I don't like http://1, but the spec does appear to allow it as valid syntax so we should probably accept it as a valid source.
Attachment #8447272 - Flags: review?(sstamm) → review+
Assignee: nobody → mozilla
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2) > Comment on attachment 8447272 [details] [diff] [review] > bug_1031372.patch > > Review of attachment 8447272 [details] [diff] [review]: > ----------------------------------------------------------------- > > Looks right. Did you do a pass to verify the rest of the ABNF against the > implementation? r=me. > > ::: content/base/test/TestCSPParser.cpp > @@ +401,5 @@ > > + "default-src http://127.0.0.1:*" }, > > + { "default-src -; ", > > + "default-src http://-" }, > > + { "script-src 1", > > + "script-src http://1" } > > I don't like http://1, but the spec does appear to allow it as valid syntax > so we should probably accept it as a valid source. I don't like that either, but that's what the spec defines :-(
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: