authorbbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-16 02:49:27 +0000
committerbbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-16 02:49:27 +0000
commit91bc704081b6771e423e0ebb69553634c048c14e (patch)
treebe82e81888eb348ccf7fc441165ebc9b39461fa9 /webkit/plugins/ppapi/url_request_info_unittest.cc
parentbdb3eaaa2a6a6de13c2abbd7f8366f2fb8764194 (diff)
Fix security bug that allowed invalid header fields to be injected by
setting the HTTP method to a multi-line string. BUG= http://code.google.com/p/nativeclient/issues/detail?id=2024 TEST=TestShellTests, url_request_info_unittest.cc Review URL: http://codereview.chromium.org/7645010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@96888 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins/ppapi/url_request_info_unittest.cc')
-rw-r--r--webkit/plugins/ppapi/url_request_info_unittest.cc26
1 files changed, 26 insertions, 0 deletions
diff --git a/webkit/plugins/ppapi/url_request_info_unittest.cc b/webkit/plugins/ppapi/url_request_info_unittest.cc
index 3e1d84e..ef86615 100644
--- a/webkit/plugins/ppapi/url_request_info_unittest.cc
+++ b/webkit/plugins/ppapi/url_request_info_unittest.cc
@@ -215,6 +215,32 @@ TEST_F(URLRequestInfoTest, SetMethod) {
ASSERT_TRUE(info_->SetStringProperty(
PP_URLREQUESTPROPERTY_METHOD, "POST"));
ASSERT_TRUE(IsExpected(GetMethod(), "POST"));
+
+ // Test that method names are converted to upper case.
+ ASSERT_TRUE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "get"));
+ ASSERT_TRUE(IsExpected(GetMethod(), "GET"));
+ ASSERT_TRUE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "post"));
+ ASSERT_TRUE(IsExpected(GetMethod(), "POST"));
+}
+
+TEST_F(URLRequestInfoTest, SetInvalidMethod) {
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "CONNECT"));
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "connect"));
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "TRACE"));
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "trace"));
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "TRACK"));
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "track"));
+
+ ASSERT_FALSE(info_->SetStringProperty(
+ PP_URLREQUESTPROPERTY_METHOD, "POST\x0d\x0ax-csrf-token:\x20test1234"));
}
TEST_F(URLRequestInfoTest, SetValidHeaders) {