bug 368998: when normalizing hostnames, we don't properly escape non-alphanumerics

patch: do our own escaping of hostnames
r=bryner
This commit is contained in:
tony%ponderer.org 2007-02-08 18:10:48 +00:00
Родитель ac9a21fd39
Коммит ebf6d4afa8
3 изменённых файлов: 41 добавлений и 361 удалений

Просмотреть файл

@ -1,357 +0,0 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=356355
This is a port of all the existing URLCanonicalizer and EnchashDecryptor
unittests to the mochitest framework.
-->
<head>
<title>Test for Bug 356355</title>
<script type="text/javascript" src="/MochiKit/packed.js"></script>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=356355">Mozilla Bug 356355</a>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
<script class="testbody" type="text/javascript">
<![CDATA[
/** Test for Bug 356355 **/
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var Cc = Components.classes;
var Ci = Components.interfaces;
var table = Cc["@mozilla.org/url-classifier/table;1?type=url"].createInstance();
var componentScope = table.wrappedJSObject.__parent__;
ok(!!componentScope, "unable to get wrapped js object");
////// Test PROT_URLCanonicalizer methods //////
var PROT_URLCanonicalizer = componentScope.PROT_URLCanonicalizer;
// Test hex gotcha
var hexify = PROT_URLCanonicalizer.toHex_;
var shouldHaveLeadingZeros = hexify(0) + hexify(1);
ok(shouldHaveLeadingZeros == "0001",
"Need to append leading zeros to hex rep value <= 15 !");
// Test url decoding
var dec = PROT_URLCanonicalizer.fullyDecodeURLAsString_;
// Test empty string
ok(dec("") == "", "decoding empty string");
// Test decoding of all characters
var allCharsEncoded = "";
var allCharsEncodedLowercase = "";
var allCharsAsString = "";
// Special case null
allCharsEncoded += "%01";
allCharsEncodedLowercase += "%01";
allCharsAsString += String.fromCharCode(1);
for (var i = 1; i < 256; i++) {
allCharsEncoded += "%" + PROT_URLCanonicalizer.toHex_(i);
allCharsEncodedLowercase += "%" +
PROT_URLCanonicalizer.toHex_(i).toLowerCase();
allCharsAsString += String.fromCharCode(i);
}
ok(dec(allCharsEncoded) == allCharsAsString, "decoding escaped");
ok(dec(allCharsEncodedLowercase) == allCharsAsString, "decoding lowercase");
// Test %-related edge cases
ok(dec("%") == "%", "1 percent");
ok(dec("%xx") == "%xx", "1 percent, two non-hex");
ok(dec("%%") == "%%", "2 percent");
ok(dec("%%%") == "%%%", "3 percent");
ok(dec("%%%%") == "%%%%", "4 percent");
ok(dec("%1") == "%1", "1 percent, one nonhex");
ok(dec("%1z") == "%1z", "1 percent, two nonhex");
ok(dec("a%1z") == "a%1z", "nonhex, 1 percent, two nonhex");
ok(dec("abc%d%e%fg%hij%klmno%") == "abc%d%e%fg%hij%klmno%",
"lots of percents, no hex");
// Test repeated %-decoding. Note: %25 --> %, %32 --> 2, %35 --> 5
ok(dec("%25") == "%", "single-encoded %");
ok(dec("%25%32%35") == "%", "double-encoded %");
ok(dec("asdf%25%32%35asd") == "asdf%asd", "double-encoded % 2");
ok(dec("%%%25%32%35asd%%") == "%%%asd%%", "double-encoded % 3");
ok(dec("%25%32%35%25%32%35%25%32%35") == "%%%",
"sequenctial double-encoded %");
ok(dec("%2525252525252525") == "%", "many-encoded %");
ok(dec("%257Ea%2521b%2540c%2523d%2524e%25f%255E00%252611%252A22%252833%252944_55%252B")
== "~a!b@c#d$e%f^00&11*22(33)44_55+", "4x-encoded string");
// Test encoding methods
var enc = PROT_URLCanonicalizer.specialEncodeURL_;
// Test empty string
ok(enc([]) == "", "encoding empty array");
// Test that all characters we shouldn't encode ([33-36],[38,126]) are not.
var no = [];
var noAsString = "";
for (var i = 33; i < 127; i++)
if (i != 37) { // skip %
no.push(i);
noAsString += String.fromCharCode(i);
}
ok(enc(no) == noAsString, "chars to not encode");
// Test that all the chars that we should encode [0,32],37,[127,255] are
var yes = [];
var yesAsString = "";
var yesExpectedString = "";
// Special case 0
yes.push(0);
yesAsString += String.fromCharCode(1);
yesExpectedString += "%01";
for (var i = 1; i < 256; i++)
if (i < 33 || i == 37 || i > 126) {
yes.push(i);
yesAsString += String.fromCharCode(i);
var hex = i.toString(16).toUpperCase();
yesExpectedString += "%" + ((i < 16) ? "0" : "") + hex;
}
ok(enc(yes) == yesExpectedString, "chars to encode");
// Can not use decodeURIComponent or encodeURIComponent to test b/c UTF-8
// Test composition
var c = PROT_URLCanonicalizer.canonicalizeURL_;
ok(c("http://www.google.com") == "http://www.google.com",
"http://www.google.com");
ok(c("http://%31%36%38%2e%31%38%38%2e%39%39%2e%32%36/%2E%73%65%63%75%72%65/%77%77%77%2E%65%62%61%79%2E%63%6F%6D/")
== "http://168.188.99.26/.secure/www.ebay.com/", "fully encoded ebay");
ok(c("http://195.127.0.11/uploads/%20%20%20%20/.verify/.eBaysecure=updateuserdataxplimnbqmn-xplmvalidateinfoswqpcmlx=hgplmcx/")
== "http://195.127.0.11/uploads/%20%20%20%20/.verify/.eBaysecure=updateuserdataxplimnbqmn-xplmvalidateinfoswqpcmlx=hgplmcx/",
"long url with spaces that stays same");
////// Test PROT_EnchashDecrypter methods //////
var PROT_EnchashDecrypter = componentScope.PROT_EnchashDecrypter;
var l = new PROT_EnchashDecrypter();
// Test our regular expressions. Make sure they are handled the same as on
// the server that handles remote look ups.
// Yes this defies our naming convention, but we copy verbatim from
// the C++ unittest, so lets just keep things clear.
var no_dots = "abcd123;[]";
var one_dot = "abc.123";
var two_dots = "two..dots";
var lots_o_dots = "I have a lovely .... bunch of dots";
var multi_dots = "dots ... and ... more .... dots";
var leading_dot = ".leading";
var trailing_dot = "trailing.";
var trailing_dots = "I love trailing dots....";
var end_dots = ".dots.";
var decimal = "1234567890";
var hex = "0x123452FAf";
var bad_hex = "0xFF0xGG";
var octal = "012034056";
var bad_octal = "012034089";
var garbage = "lk,.:asdfa-=";
var mixed = "1230x78034";
var spaces = "123 0xFA 045";
var r = PROT_EnchashDecrypter.REs;
// Test regular expressions
function testRE(re, inputValPairs) {
for (var i = 0; i < inputValPairs.length; i += 2)
ok(re.test(inputValPairs[i]) == inputValPairs[i + 1],
"RegExp broken: " + re + " (input: " + inputValPairs[i] + ")");
};
tests =
[no_dots, false,
one_dot, false,
two_dots, true,
lots_o_dots, true,
multi_dots, true];
testRE(r.FIND_MULTIPLE_DOTS_GLOBAL, tests);
tests =
["random junk", false,
"123.45.6-7.89", false,
"012.12.123", true,
"0x12.0xff.123", true,
"225.0.0.1", true];
testRE(r.POSSIBLE_IP, tests);
tests =
[decimal, false,
hex, false,
octal, false,
bad_octal, true];
testRE(r.FIND_BAD_OCTAL, tests);
tests =
[decimal, false,
hex, false,
bad_octal, false,
garbage, false,
mixed, false,
spaces, false,
octal, true];
testRE(r.IS_OCTAL, tests);
tests =
[hex, false,
garbage, false,
mixed, false,
spaces, false,
octal, true,
bad_octal, true,
decimal, true];
testRE(r.IS_DECIMAL, tests);
tests =
[decimal, false,
octal, false,
bad_octal, false,
garbage, false,
mixed, false,
spaces, false,
bad_hex, false,
hex, true];
testRE(r.IS_HEX, tests);
// Test find last N
var longstr = "";
for(var k = 0; k < 100; k++) {
longstr += "a";
}
var shortstr = "short";
var val = l.lastNChars_(longstr, 8);
ok(val.length == 8, "find last eight broken on long str");
val = l.lastNChars_(shortstr, 8);
ok(val.length == 5, "find last eight broken on short str");
// Test canonical num
var tests =
["", "", 1, true,
"", "10", 0, true,
"", "0x45", -1, true,
"45", "45", 1, true,
"16", "0x10", 1, true,
"1.111", "367", 2, true,
"0.20.229", "012345", 3, true,
"123", "0173", 1, true,
"9", "09", 1, false,
"", "0x120x34", 2, true,
"18.252", "0x12fc", 2, true];
for (var i = 0; i < tests.length; i+= 4) {
ok(tests[i] === l.canonicalNum_(tests[i + 1], tests[i + 2], tests[i + 3]),
"canonicalNum broken on: " + tests[i + 1]);
}
// Test parseIPAddress (these are all verifiable using ping)
var testing = {};
testing["123.123.0.0.1"] = "";
testing["255.0.0.1"] = "255.0.0.1";
testing["12.0x12.01234"] = "12.18.2.156";
testing["012.034.01.055"] = "10.28.1.45";
testing["0x12.0x43.0x44.0x01"] = "18.67.68.1";
testing["0x12434401"] = "18.67.68.1";
testing["413960661"] = "24.172.137.213";
testing["03053104725"] = "24.172.137.213";
testing["030.0254.0x89d5"] = "24.172.137.213";
testing["1.234.4.0377"] = "1.234.4.255";
for (var key in testing) {
ok(l.parseIPAddress_(key) === testing[key],
"parseIPAddress broken on " + key + "(got: " + l.parseIPAddress_(key));
}
// Test getCanonicalHost
var testing = {};
testing["http://completely.bogus.url.with.a.whole.lot.of.dots"] =
"with.a.whole.lot.of.dots";
testing["http://poseidon.marinet.gr/~elani"] = "poseidon.marinet.gr";
testing["http://www.google.com.."] = "www.google.com";
testing["https://www.yaho%6F.com"] = "www.yahoo.com";
testing["http://012.034.01.0xa"] = "10.28.1.10";
testing["ftp://wierd..chars...%0f,%fa"] = "wierd.chars.,";
testing["http://0x18ac89d5/http.www.paypal.com/"] = "24.172.137.213";
testing["http://413960661/http.www.paypal.com/"] = "24.172.137.213";
testing["http://03053104725/http.www.paypal.com/"] = "24.172.137.213";
testing["http://www.barclays.co.uk.brccontrol.assruspede.org.bz/"
+ "detailsconfirm"] = "co.uk.brccontrol.assruspede.org.bz";
for (var key in testing) {
ok(l.getCanonicalHost(key, PROT_EnchashDecrypter.MAX_DOTS) == testing[key],
"getCanonicalHost broken on: " + key + "(got: " + l.getCanonicalHost(key) + ")");
}
// Test getCanonicalUrl
testing = {};
testing["http://0x18.0xac.0x89.0xd5/http.www.paypal.com/"] =
"http://24.172.137.213/http.www.paypal.com/";
testing["http://0x18ac89d5/http.www.paypal.com/"] =
"http://24.172.137.213/http.www.paypal.com/";
testing["http://413960661/http.www.paypal.com/"] =
"http://24.172.137.213/http.www.paypal.com/";
testing["http://03053104725/http.www.paypal.com/"] =
"http://24.172.137.213/http.www.paypal.com/";
testing["http://03053104725/%68t%74p.www.paypal.c%6fm/"] =
"http://24.172.137.213/http.www.paypal.com/";
testing["http://www.barclays.co.uk.brccontrol.assruspede.org.bz/detailsconfirm"] =
"http://www.barclays.co.uk.brccontrol.assruspede.org.bz/detailsconfirm";
for (var key in testing)
ok(l.getCanonicalUrl(key) == testing[key],
"getCanonicalUrl broken on: " + key + "(got: " + l.getCanonicalUrl(key) + ")");
// Test getlookupkey
var testing = {};
testing["www.google.com"] = "AF5638A09FDDDAFF5B7A6013B1BE69A9";
testing["poseidon.marinet.gr"] = "01844755C8143C4579BB28DD59C23747";
testing["80.53.164.26"] = "B775DDC22DEBF8BEBFEAC24CE40A1FBF";
for (var key in testing)
ok(l.getLookupKey(key) === testing[key],
"getlookupkey broken on " + key + " (got: " +
l.getLookupKey(key) + ", expected: " +
testing[key] + ")");
// Test decryptdata
var tests =
[ "bGtEQWJuMl/z2ZxSBB2hsuWI8geMAwfSh3YBfYPejQ1O+wyRAJeJ1UW3V56zm" +
"EpUvnaEiECN1pndxW5rEMNzE+gppPeel7PvH+OuabL3NXlspcP0xnpK8rzNgB1" +
"JT1KcajQ9K3CCl24T9r8VGb0M3w==",
"80.53.164.26",
"^(?i)http\\:\\/\\/80\\.53\\.164\\.26(?:\\:80)?\\/\\.PayPal" +
"\\.com\\/webscr\\-id\\/secure\\-SSL\\/cmd\\-run\\=\\/login\\.htm$",
"ZTMzZjVnb3WW1Yc2ABorgQGAwYfcaCb/BG3sMFLTMDvOQxH8LkdGGWqp2tI5SK" +
"uNrXIHNf2cyzcVocTqUIUkt1Ud1GKieINcp4tWcU53I0VZ0ZZHCjGObDCbv9Wb" +
"CPSx1eS8vMREDv8Jj+UVL1yaZQ==",
"80.53.164.26",
"^(?i)http\\:\\/\\/80\\.53\\.164\\.26(?:\\:80)?\\/\\.PayPal\\.com" +
"\\/webscr\\-id\\/secure\\-SSL\\/cmd\\-run\\=\\/login\\.htm$",
"ZTMzZjVnb3WVb6VqoJ44hVo4V77XjDRcXTxOc2Zpn4yIHcpS0AQ0nn1TVlX4MY" +
"IeNL/6ggzCmcJSWOOkj06Mpo56LNLrbxNxTBuoy9GF+xcm",
"poseidon.marinet.gr",
"^(?i)http\\:\\/\\/poseidon\\.marinet\\.gr(?:\\:80)?\\/\\~eleni" +
"\\/eBay\\/index\\.php$",
"bGtEQWJuMl9FA3Kl5RiXMpgFU8nDJl9J0hXjUck9+mMUQwAN6llf0gJeY5DIPP" +
"c2f+a8MSBFJN17ANGJZl5oZVsQfSW4i12rlScsx4tweZAE",
"poseidon.marinet.gr",
"^(?i)http\\:\\/\\/poseidon\\.marinet\\.gr(?:\\:80)?\\/\\~eleni" +
"\\/eBay\\/index\\.php$"];
for (var i = 0; i < tests.length; i += 3) {
var dec = l.decryptData(tests[i], tests[i + 1]);
ok(dec === tests[i + 2],
"decryptdata broken on " + tests[i] + " (got: " + dec + ", expected: "
+ tests[i + 2] + ")");
}
]]>
</script>
</pre>
</body>
</html>

Просмотреть файл

Просмотреть файл

@ -51,9 +51,37 @@
//
// This code should not change, except to fix bugs.
//
// TODO: verify that using encodeURI() in getCanonicalHost is OK
// TODO: accommodate other kinds of perl-but-not-javascript qualifiers
/**
* A fast, bit-vector map for ascii characters.
*
* Internally stores 256 bits in an array of 8 ints.
* Does quick bit-flicking to lookup needed characters.
*/
/**
* @param Takes 8 ints to initialize the character map
*/
function Charmap() {
if (arguments.length != 8) {
throw G_Error("charmap ctor requires 8 int args");
}
this.map_ = [];
for (var i = 0; i < 8; ++i) {
this.map_.push(arguments[i]);
}
}
/**
* Do a quick lookup to see if the letter is in the map.
* @param chr String of length 1 (ascii)
* @return Boolean true if the letter is in the map
*/
Charmap.prototype.contains = function(chr) {
var val = chr.charCodeAt(0);
return !!(this.map_[val >> 5] & (1 << (val & 31)));
}
/**
* This thing knows how to generate lookup keys and decrypt values found in
@ -66,6 +94,9 @@ function PROT_EnchashDecrypter() {
this.base64_ = new G_Base64();
this.streamCipher_ = Cc["@mozilla.org/security/streamcipher;1"]
.createInstance(Ci.nsIStreamCipher);
this.escapeCharmap_ = new Charmap(
0xffffffff, 0xfc009fff, 0xf8000001, 0xf8000001,
0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff);
}
PROT_EnchashDecrypter.DATABASE_SALT = "oU3q.72p";
@ -211,9 +242,15 @@ PROT_EnchashDecrypter.prototype.getCanonicalHost = function(str, opt_maxDots) {
if (temp)
unescaped = temp;
// TODO: what, exactly is it supposed to escape? This doesn't esecape
// ":", "/", ";", and "?"
var escaped = encodeURI(unescaped);
// Escape everything that's not alphanumeric, hyphen, or dot.
var escaped = '';
for (var i = 0; i < unescaped.length; ++i) {
if (this.escapeCharmap_.contains(unescaped[i])) {
escaped += '%' + unescaped.charCodeAt(i).toString(16);
} else {
escaped += unescaped[i];
}
}
if (opt_maxDots) {
// Limit the number of dots