Closed Bug 1302312 Opened 3 years ago Closed 3 years ago

[XHR][URL] Treat URLs with username or password but no host info as malformed.

Categories: Core :: Networking, defect
Status: RESOLVED FIXED (mozilla51)
Tracking Status: firefox51 fixed
Reporter: wisniewskit, Assigned: wisniewskit
Whiteboard: [necko-active]
Attachments: 1 file, 1 obsolete file

The XMLHttpRequest web platform test open-url-bogus.htm is presently failing because xhr.open() does not throw for the URL: http://u:p@/

This patch fixes it by throwing the expected exception in nsAuthURLParser::ParseAuthority, which also fixes a bunch of web platform tests for the URL object's constructor.

A try-run for this approach seems clean as well: https://treeherder.mozilla.org/#/jobs?repo=try&revision=aecdd072d9f8
Attachment #8790561 - Flags: review?(honzab.moz)
Whiteboard: [necko-active]
Comment on attachment 8790561
treat-urls-with-username-or-password-without-host-as-malformed.diff

Valentin, this sounds more like a job for you. Feel free to bounce back, tho.
Attachment #8790561 - Flags: review?(honzab.moz) → review?(valentin.gosu)
Review of attachment 8790561
treat-urls-with-username-or-password-without-host-as-malformed.diff:
-----------------------------------------------------------------

Patch looks great. r=valentin

Could you please add these lines to test_standardurl.js::test_authority_host so we don't regress?

Assert.throws(() => { stringToURL("http://u:p@/"); }, "User or password without host is not allowed");
Assert.throws(() => { stringToURL("http:@/"); }, "Must have a host");

Thanks!
Attachment #8790561 - Flags: review?(valentin.gosu) → review+
Sure thing. Here's an updated version of the patch with those new tests. Thanks, guys!

Carrying over r+ and requesting check-in.
Attachment #8790561 - Attachment is obsolete: true
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/32fb14de50fe
Treat URLs with username or password but no host info as malformed. r=valentin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/32fb14de50fe
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
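
The rule this bug enforces (and that the two reviewer-requested test URLs exercise), sketched as an added example that is not part of the bug thread or of Mozilla's patch. It is a simplified authority check for special schemes, not nsAuthURLParser; the names parseAuthority and rejectionReason and the sample list are assumptions made for illustration.

```javascript
// Added example: simplified authority check for special schemes.
// Not Gecko's nsAuthURLParser; function names here are hypothetical.
const SPECIAL_SCHEMES = new Set(["http", "https", "ftp", "ws", "wss"]);

function parseAuthority(input) {
  const colon = input.indexOf(":");
  const scheme = input.slice(0, Math.max(colon, 0)).toLowerCase();
  if (!SPECIAL_SCHEMES.has(scheme)) {
    throw new TypeError("not a special-scheme URL");
  }
  // Special schemes ignore any run of slashes or backslashes after "scheme:",
  // which is why "http:@/" reaches the authority check at all.
  const rest = input.slice(colon + 1).replace(/^[\/\\]+/, "");
  // The authority ends at the first path, query or fragment delimiter.
  const end = rest.search(/[\/\\?#]/);
  const authority = end === -1 ? rest : rest.slice(0, end);
  // Userinfo runs up to the LAST "@"; everything after it is host[:port].
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = authority.slice(at + 1);
  // Drop the port, leaving a bracketed IPv6 literal intact.
  const host = hostport.startsWith("[")
    ? hostport.slice(0, hostport.indexOf("]") + 1)
    : hostport.split(":")[0];
  if (host === "") {
    throw new TypeError(userinfo !== null
      ? "userinfo present but host is empty"
      : "host is empty");
  }
  return { scheme, userinfo, host };
}

// Returns the rejection reason, or null when the authority is acceptable.
function rejectionReason(url) {
  try { parseAuthority(url); return null; } catch (e) { return e.message; }
}

// Constructed samples; the first two are the URLs quoted in this bug.
const SAMPLES = [
  "http://u:p@/", "http:@/", "http://@:80/",
  "http://u:p@example.com/", "https://a@b@example.org/x", "http:///example.com/",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", rejectionReason(s) || "ok");
}
```

Code that forwards credentials based on its own URL parsing should reject these inputs the same way the platform parser does, so that the two never disagree about which host a request targets.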