RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-16 14:15:01 +00:00
Code Issues Activity Actions

LibWeb: Do not discard String returned from url_encode() to avoid UAF

Browse source 
This caused UAF since the string returned from url_encode() was
immediately discarded.

Co-authored-by: Luke Wilde <lukew@serenityos.org>
This commit is contained in:
Kenneth Myhra 2023-03-08 06:53:10 +01:00 committed by Linus Groh
parent 736f9f38ae
commit b78ee64415
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Userland/Libraries/LibWeb/HTML/HTMLFormElement.cpp
View file

@ -139,8 +139,8 @@ ErrorOr<void> HTMLFormElement::submit_form(JS::GCPtr<HTMLElement> submitter, boo
LoadRequest request = LoadRequest::create_for_url_on_page(url, document().page());
if (effective_method == "post") {
auto url_encoded_parameters_as_bytes = TRY(url_encode(parameters, AK::URL::PercentEncodeSet::ApplicationXWWWFormUrlencoded)).bytes();
auto body = TRY(ByteBuffer::copy(url_encoded_parameters_as_bytes));
auto url_encoded_parameters = TRY(url_encode(parameters, AK::URL::PercentEncodeSet::ApplicationXWWWFormUrlencoded));
auto body = TRY(ByteBuffer::copy(url_encoded_parameters.bytes()));
request.set_method("POST");
request.set_header("Content-Type", "application/x-www-form-urlencoded");
request.set_body(move(body));