Bug 1515298 [wpt PR 14599] - SignedExchange: Reject SXG if fallback U…

…RL has invalid UTF-8 sequence, a=testonly Automatic update from web-platform-tests SignedExchange: Reject SXG if fallback URL has invalid UTF-8 sequence GURL parser happily accepts invalid UTF-8 path, so we need to validate the fallback URL string before parsing. Spec: WICG/webpackage#346 Bug: 916390 Change-Id: Ife25621e2a41beef01cbf36a5ab523eaee1ea222 Reviewed-on: https://chromium-review.googlesource.com/c/1382724 Commit-Queue: Kunihiko Sakamoto <ksakamotochromium.org> Reviewed-by: Kinuko Yasuda <kinukochromium.org> Reviewed-by: Kouhei Ueno <kouheichromium.org> Cr-Commit-Position: refs/heads/master{#617772} -- wpt-commits: e663fa084dcdac43fea5cdd6c69b059b5ad0743f wpt-pr: 14599 UltraBlame original commit: c680ff16a9c7a3ff68ac3372ddf0c50263e55a24
marco-c · Oct 3, 2019 · eae60c0 · eae60c0
1 parent b640c22
commit eae60c0
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 0 deletions.
diff --git a/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh b/testing/web-platform/tests/signed-exchange/resources/generate-test-sxgs.sh
@@ -116,6 +116,22 @@ gen-signedexchange \
   -o sxg-utf8-inner-url.sxg \
   -miRecordSize 100
 
+# Fallback URL has invalid UTF-8 sequence.
+gen-signedexchange \
+  -version 1b2 \
+  -ignoreErrors \
+  -uri "$inner_url_origin/signed-exchange/resources/$(echo -e '\xce\xce\xa9').html" \
+  -status 200 \
+  -content sxg-location.html \
+  -certificate $certfile \
+  -certUrl $cert_url_origin/signed-exchange/resources/$certfile.cbor \
+  -validityUrl $inner_url_origin/signed-exchange/resources/resource.validity.msg \
+  -privateKey $keyfile \
+  -date 2018-04-01T00:00:00Z \
+  -expire 168h \
+  -o sxg-invalid-utf8-inner-url.sxg \
+  -miRecordSize 100
+
 # Fallback URL has UTF-8 BOM.
 gen-signedexchange \
   -version 1b2 \

diff --git a/testing/web-platform/tests/signed-exchange/resources/sxg-invalid-utf8-inner-url.sxg b/testing/web-platform/tests/signed-exchange/resources/sxg-invalid-utf8-inner-url.sxg
diff --git a/testing/web-platform/tests/signed-exchange/resources/sxg-invalid-utf8-inner-url.sxg.headers b/testing/web-platform/tests/signed-exchange/resources/sxg-invalid-utf8-inner-url.sxg.headers
@@ -0,0 +1,2 @@
+Content-Type: application/signed-exchange;v=b2
+X-Content-Type-Options: nosniff
diff --git a/testing/web-platform/tests/signed-exchange/sxg-invalid-utf8-inner-url.tentative.html b/testing/web-platform/tests/signed-exchange/sxg-invalid-utf8-inner-url.tentative.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<title>SignedHTTPExchange's fallback url must not have invalid UTF-8 sequence</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="./resources/sxg-util.js"></script>
+<body>
+<script>
+promise_test(async (t) => {
+  try {
+    const sxgUrl = get_host_info().HTTPS_ORIGIN + '/signed-exchange/resources/sxg-invalid-utf8-inner-url.sxg';
+    const message = await openSXGInIframeAndWaitForMessage(t, sxgUrl);
+    if (message.is_fallback) {
+        assert_unreached('Fallback redirect should not have happened');
+    } else {
+        assert_unreached('SXG should not have loaded');
+    }
+  } catch (e) {
+    assert_equals(e, 'timeout');
+  }
+}, "SignedHTTPExchange's fallback url must not have invalid UTF-8 sequence");
+
+</script>
+</body>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Content-Type: application/signed-exchange;v=b2
		X-Content-Type-Options: nosniff