From 02d625294910fcdc4ff3ba834998c004ec16ac3a Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sat, 7 Nov 2020 15:57:37 +0000
Subject: [PATCH] LibWeb: Restrict HTML form submissions to permitted URL protocols

Form submissions to file:// URLs are now permitted only if the submitting document is also a file:// URL and the form method is "get". Form submissions to URLs with a http(s):// URL protocol are permitted. Form submissions for all other URL protocols are rejected.
---
 Libraries/LibWeb/HTML/HTMLFormElement.cpp | 31 ++++++++++++++++++-----
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/Libraries/LibWeb/HTML/HTMLFormElement.cpp b/Libraries/LibWeb/HTML/HTMLFormElement.cpp
index d026ea6a20..ebafd9a465 100644
--- a/Libraries/LibWeb/HTML/HTMLFormElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLFormElement.cpp
@@ -50,16 +50,37 @@ void HTMLFormElement::submit(RefPtr submitter)
     }
 
     auto effective_method = method().to_lowercase();
+
+    if (effective_method == "dialog") {
+        dbg() << "Failed to submit form: Unsupported form method '" << method() << "'";
+        return;
+    }
+
     if (effective_method != "get" && effective_method != "post") {
-        if (effective_method == "dialog") {
-            dbg() << "Unsupported form method '" << method() << "'";
-            return;
-        }
         effective_method = "get";
     }
 
     URL url(document().complete_url(action()));
 
+    if (!url.is_valid()) {
+        dbg() << "Failed to submit form: Invalid URL: " << action();
+        return;
+    }
+
+    if (url.protocol() == "file") {
+        if (document().url().protocol() != "file") {
+            dbg() << "Failed to submit form: Security violation: " << document().url() << " may not submit to " << url;
+            return;
+        }
+        if (effective_method != "get") {
+            dbg() << "Failed to submit form: Unsupported form method '" << method() << "' for URL: " << url;
+            return;
+        }
+    } else if (url.protocol() != "http" && url.protocol() != "https") {
+        dbg() << "Failed to submit form: Unsupported protocol for URL: " << url;
+        return;
+    }
+
     Vector parameters;
 
     for_each_in_subtree_of_type([&](auto& node) {
@@ -73,8 +94,6 @@ void HTMLFormElement::submit(RefPtr submitter)
         url.set_query(urlencode(parameters));
     }
 
-    // FIXME: We shouldn't let the form just do this willy-nilly.
-
     LoadRequest request;
     request.set_url(url);
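Review bot: The scheme allow-list applied to `url` after `URL url(document().complete_url(action()))` is spread over three inline `dbg()`/`return` exits, so the rule the rest of `submit()` depends on can only be recovered by reading the whole conditional chain; I would move it into one named predicate with a single rejection exit, as in the fence below. The `file` branch compares only the scheme, so a file:// document may still GET-submit to any other local path — that matches the commit message, but deserves an explicit comment so a later edit does not tighten or loosen it by accident. The rejection logs print `document().url()` and `url` verbatim; if a URL here can carry userinfo, that ends up in the debug log, which is worth confirming. `submit()` starts before this hunk and continues after it.
```cpp
// Returns true when a form in a document at `document_url` may submit to
// `target_url` with `effective_method` ("get" or "post"). Policy: file://
// targets only from a file:// document and only via GET (only the scheme is
// compared, so any local path is reachable); http(s):// always; every other
// scheme (javascript:, data:, about:, ...) is rejected.
static bool is_permitted_submission_url(const URL& document_url, const URL& target_url, const String& effective_method)
{
    if (target_url.protocol() == "file")
        return document_url.protocol() == "file" && effective_method == "get";
    return target_url.protocol() == "http" || target_url.protocol() == "https";
}

// … unchanged: dialog check and effective_method normalisation …

    URL url(document().complete_url(action()));
    if (!url.is_valid()) {
        dbg() << "Failed to submit form: Invalid URL: " << action();
        return;
    }

    if (!is_permitted_submission_url(document().url(), url, effective_method)) {
        dbg() << "Failed to submit form: " << document().url() << " may not submit to " << url << " using method '" << method() << "'";
        return;
    }

// … unchanged: parameter collection and request construction …
```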