[Webkit-unassigned] [Bug 186535] Bad optional access in WebCore::ContentSecurityPolicySource::portMatches
bugzilla-daemon at webkit.org
Mon Jun 11 14:41:55 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186535
--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Reported bug #186536 to hopefully help surface these.
Problem is here:
    if (isDefaultPortForProtocol(m_port.value(), "http") && ((!port && url.protocolIs("https")) || isDefaultPortForProtocol(port.value(), "https")))
        return true;
which is wrong because m_port.value() is used unsafely without a call to m_port.has_value(), and port.value() is used unsafely without a call to port.has_value().
Crash occurs when url=https://pagure.io:8088/fedora-workstation/issue/42.
The CSP on this page is:
Content-Security-Policy: default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org
But that's almost irrelevant, except to note that it doesn't include a URL with port 8088. In the usual case, the function returns earlier because port == m_port and there is no crash.
Writing a layout test seems difficult because the test server listens on 8080, so the same CSP works fine under WebKitTestRunner.
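The two unguarded value() calls described in the comment above, modelled with std::optional next to a form that tests each optional before reading it. This is an added example, not WebKit code and not the fix that landed in the tree; the function names, the two-protocol isDefaultPortForProtocol stand-in and the sample ports are assumptions built from the comment.

```cpp
#include <cstdint>
#include <optional>
#include <string_view>

using Port = std::optional<uint16_t>;

// Simplified stand-in for WebKit's helper (assumption): only http and https are modelled.
static bool isDefaultPortForProtocol(uint16_t port, std::string_view protocol)
{
    return (protocol == "http" && port == 80) || (protocol == "https" && port == 443);
}

// The condition quoted in the comment, unchanged: value() is called on optionals that may be empty.
static bool upgradeMatchUnchecked(Port sourcePort, Port urlPort, std::string_view urlProtocol)
{
    return isDefaultPortForProtocol(sourcePort.value(), "http")
        && ((!urlPort && urlProtocol == "https") || isDefaultPortForProtocol(urlPort.value(), "https"));
}

// Same decision, but each optional is tested before it is dereferenced.
static bool upgradeMatchChecked(Port sourcePort, Port urlPort, std::string_view urlProtocol)
{
    if (!sourcePort || !isDefaultPortForProtocol(*sourcePort, "http"))
        return false; // a source without a port cannot be the "http default port" case
    if (!urlPort)
        return urlProtocol == "https";
    return isDefaultPortForProtocol(*urlPort, "https");
}

// True when the unchecked form hits an empty optional for these inputs.
static bool uncheckedThrows(Port sourcePort, Port urlPort, std::string_view urlProtocol)
{
    try {
        upgradeMatchUnchecked(sourcePort, urlPort, urlProtocol);
    } catch (const std::bad_optional_access&) {
        return true;
    }
    return false;
}

int main()
{
    // Constructed inputs: a source with no port against an https URL on port 8088,
    // and a source on port 80 against an http URL with no explicit port.
    bool ok = uncheckedThrows(std::nullopt, Port(8088), "https")
        && !upgradeMatchChecked(std::nullopt, Port(8088), "https")
        && uncheckedThrows(Port(80), std::nullopt, "http");
    return ok ? 0 : 1;
}
```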