From 45172e6e478a359eba9c05bc72dd0b4c241a65c8 Mon Sep 17 00:00:00 2001
From: "tsepez@chromium.org"
Date: Mon, 3 Mar 2014 21:21:35 +0000
Subject: Prevent URLs with invalid schemes from resolving as relative to data: URLs.

There is a missing bit of logic when the scheme is invalid that is present in the case where the scheme is empty. Either way, we can't consider this a relative URL if the base scheme isn't heirarchical.
BUG=346132
Review URL: https://codereview.chromium.org/177093008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@254565 0039d316-1c4b-4281-b951-d872f2087c98
---
 url/url_canon_relative.cc | 4 ++++
 url/url_canon_unittest.cc | 1 +
 2 files changed, 5 insertions(+)

diff --git a/url/url_canon_relative.cc b/url/url_canon_relative.cc
index 33b814c..c210587 100644
--- a/url/url_canon_relative.cc
+++ b/url/url_canon_relative.cc
@@ -121,6 +121,10 @@ bool DoIsRelativeURL(const char* base,
 int scheme_end = scheme.end();
 for (int i = scheme.begin; i < scheme_end; i++) {
 if (!CanonicalSchemeChar(url[i])) {
+ if (!is_base_hierarchical) {
+ // Don't allow relative URLs if the base scheme doesn't support it.
+ return false;
+ }
 *relative_component = url_parse::MakeRange(begin, url_len);
 *is_relative = true;
 return true;
diff --git a/url/url_canon_unittest.cc b/url/url_canon_unittest.cc
index 2275429..9997afa 100644
--- a/url/url_canon_unittest.cc
+++ b/url/url_canon_unittest.cc
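Review bot: The new early `return false` inside the `!CanonicalSchemeChar(url[i])` branch exits without writing `*is_relative` or `*relative_component`, so callers see whatever those held on entry unless they are initialised earlier in `DoIsRelativeURL`, which starts and ends outside this hunk. If they are not reset above, add `*is_relative = false;` before the return. The commit message says the same guard already exists for the empty-scheme case; since this is now a second copy of a check that decides whether input is resolved against a non-hierarchical base, the comment could state what the return value means, e.g. `// Invalid scheme chars and a non-hierarchical base (e.g. data:): fail rather than resolve against it.`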
@@ -2072,6 +2072,7 @@ TEST(URLCanonTest, ResolveRelativeURL) {
 {"http://foo/bar", true, false, ":foo", true, true, true, "http://foo/:foo"},
 {"http://foo/bar", true, false, " hello world", true, true, true, "http://foo/hello%20world"},
 {"data:asdf", false, false, ":foo", false, false, false, NULL},
+ {"data:asdf", false, false, "bad(':foo')", false, false, false, NULL},
 // We should treat semicolons like any other character in URL resolving
 {"http://host/a", true, false, ";foo", true, true, true, "http://host/;foo"},
 {"http://host/a;", true, false, ";foo", true, true, true, "http://host/;foo"},
-- cgit v1.1
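Review bot: The added row covers only a non-hierarchical `data:` base, so nothing in this hunk pins that the same input is still treated as relative when the base is hierarchical. A companion row using `bad(':foo')` against `http://foo/bar`, with expected values taken from current behaviour, would catch a later change that moves the `is_base_hierarchical` guard and starts rejecting invalid-scheme input for every base. The test body and the meaning of the row's columns are outside the hunk.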