[Webkit-unassigned] [Bug 186535] Bad optional access in WebCore::ContentSecurityPolicySource::portMatches

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 11 14:41:55 PDT 2018


--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Reported bug #186536 to hopefully help surface these.

Problem is here:

    if (isDefaultPortForProtocol(m_port.value(), "http") && ((!port && url.protocolIs("https")) || isDefaultPortForProtocol(port.value(), "https")))
        return true;

which is wrong because m_port.value() is used unsafely without a call to m_port.has_value(), and port.value() is used unsafely without a call to port.has_value().

Crash occurs when url=https://pagure.io:8088/fedora-workstation/issue/42.

The CSP is on this page is:

Content-Security-Policy: default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org

But that's almost irrelevant, except to note that it doesn't include a URL with port 8088. In the usual case, the function returns earlier because port == m_port and there is no crash.

Writing a layout test seems difficult because the test server listens on 8080, so the same CSP works fine under WebKitTestRunner.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180611/582749d7/attachment.html>

More information about the webkit-unassigned mailing list