List: kfm-devel
Subject: Re: Fwd: [Bug 22558] referrer leaks through to non-referring site
From: Waldo Bastian <bastian () kde ! org>
Date: 2003-07-08 12:46:23
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday 07 July 2003 15:52, Waldo Bastian wrote:
> On Sunday 06 July 2003 18:03, Waldo Bastian wrote:
> > On Saturday 05 July 2003 22:39, George Staikos wrote:
> > > Now the question is, did my changes expose this?
> >
> > With my build from the 3.1 branch (without your partial fix for 60479) I
> > notice the problem when entering the URL in the location bar and when
> > pasting the URL with MMB. I can't reproduce it by selecting the url as
> > bookmark.
> >
> > The bad part is that the referrer here includes username and password as
> > well, so I guess the khtml fix is needed after all.
>
> Attached are two patches as a partial fix to the referrer problem. It
> changes the way d->m_pageReferrer is set within KHTMLPart: It is now
> set according to the information that it gets back from the io-slave (http
> slave). This ensures that the document.referrer is better synced to the
> actual referrer sent by the http-slave. It also makes it possible to have
> all referrer logic in kio_http instead of having to duplicate it in
> multiple places.
>
> Also attached is a test-case. They should be installed on a php-enabled
> webserver and accessed via http. The following tests should be done with
> the test-case:
>
> (1) Browse from referrer.php to referrer2.php to referrer3.php via the
> links on the pages.
> - The referrer should point to the previous page in each instance.
>
> (2) Use the back button to go back.
> - The referrers should not have changed, both referrers on referrer2.php
> should still point to referrer.php.
>
> (3) Reload the page.
> - The referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (4) Browse to referrer3.php via the link on the referrer2.php page. Then
> visit 15 other pages (To flush the page-cache for referrer2.php) and clear
> the cache. Now go back to referrer2.php using the history.
> - The referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (5) Go to referrer3.php and then enter referrer2.php in the location bar.
> - Both referrers should be empty.
>
> (6) Go to referrer.php and browse to referrer2.php. Now enter referrer2.php
> in the location bar.
> - Both referrers should be empty.
>
> (7) Go to referrer.php and browse to referrer2.php. Now enter
> referrer2.php#bla in the location bar.
> - Both referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (8) Go to referrer.php and browse to referrer2.php. Now click on
> "Javascript reload".
> - Both referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (9) Go to referrer.php and browse to referrer2.php and bookmark it. Go to
> referrer3.php and then go to referrer2.php using the bookmark.
> - Both referrers should be empty.
>
> (10) While still on referrer2.php select the referrer2.php bookmark again.
> - Both referrers should be empty.
>
> (11) Go to referrer2.php and select "Redirection to referrer3.php". You
> should end up on referrer3.php.
> - Both referrers should point to referrer2.php
>
> (12) Go to http://foo:bar@<host>/<path>/referrer.php (Fill in <host> and
> <path> accordingly) and browse to referrer2.php
> - Neither referrer should contain either foo or bar.
>
> With the patches below applied, Konqueror still fails on test (3) and (8).
> After applying the patches and installing make sure that your konqueror is
> actually using the new khtml and the new kio_http. You may need to kill any
> existing kio_http process first and you may wish to flush the kio_http
> cache with "kio_http_cache_cleaner --clear-all".
>
> I have tested Netscape 4.x, which breaks on (12).
>
> Open issues:
> A) What should the behavior be when accessing the files via file:/ instead
> of http? NS 4.x sets document.referrer in that case. (Note that Konqueror
> doesn't the file at all unless renamed it to .html) Konqueror leaves
> document.referrer empty.
> B) What should the behavior be when accessing a file via http:// but linked
> from a file:/ URL? NS 4.x sets document.referrer to the file:/ url in that
> case. Konqueror leaves document.referrer empty.
>
> I would appreciate it if people could verify the behavior of other browsers
> wrt 1-12 and A & B.
>
> Additional test-cases are welcome.
>
> Cheers,
> Waldo

The attached konqueror patch takes care of (3) but (8) is still broken. I
would appreciate it if someone could verify the above tests with other
browsers so that we know that we pursue the correct semantics.

Cheers,
Waldo
- --
bastian@kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian@suse.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/Cr0fN4pvrENfboIRAtFMAJ4qo5HB3Ep/jWQPrtDOmbvgKaSOdQCdHqvv
wr+pndZohtAAcXZdAt5hMQE=
=dC2o
-----END PGP SIGNATURE-----
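
Added example, not part of the original message and not Konqueror code: a standalone C++ model of the referrer rules that tests (1)-(12) describe, usable as an oracle when checking another browser against the list. The Nav enum and both function names are hypothetical, and returning an empty referrer for non-http(s) pages follows the Konqueror behaviour described under open issue B.

```cpp
#include <string>

// Hypothetical model of the rules in tests (1)-(12); not Konqueror code.
enum class Nav { LinkClick, Redirect, BackForward, Reload,
                 FragmentOnly, TypedUrl, Bookmark };

// Referrer value derived from the page being left: http(s) only,
// with userinfo (user:password@) and fragment removed.
std::string sanitizeReferrer(const std::string &url) {
    const std::string::size_type npos = std::string::npos;
    std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == npos) return "";
    std::string scheme = url.substr(0, schemeEnd);
    if (scheme != "http" && scheme != "https") return "";  // e.g. file:/
    std::string rest = url.substr(schemeEnd + 3);
    std::string::size_type hash = rest.find('#');
    if (hash != npos) rest.erase(hash);                    // drop #fragment
    // The authority ends at the first '/' or '?'.
    std::string::size_type authEnd = rest.find_first_of("/?");
    std::string authority = rest.substr(0, authEnd);
    std::string tail = (authEnd == npos) ? "" : rest.substr(authEnd);
    std::string::size_type at = authority.rfind('@');
    if (at != npos) authority.erase(0, at + 1);            // drop foo:bar@
    return scheme + "://" + authority + tail;
}

// Referrer expected on the next request.
// currentUrl:     page the user is leaving.
// storedReferrer: referrer recorded when the target page was first fetched.
std::string referrerFor(Nav nav, const std::string &currentUrl,
                        const std::string &storedReferrer) {
    switch (nav) {
    case Nav::LinkClick:
    case Nav::Redirect:
        return sanitizeReferrer(currentUrl);   // tests 1, 11, 12
    case Nav::BackForward:
    case Nav::Reload:
    case Nav::FragmentOnly:
        return storedReferrer;                 // tests 2, 3, 4, 7, 8
    case Nav::TypedUrl:
    case Nav::Bookmark:
        return "";                             // tests 5, 6, 9, 10
    }
    return "";
}
```
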
["HEAD-kdebase-konqueror.patch" (text/x-diff)]
Index: konq_mainwindow.cc
===================================================================
RCS file: /home/kde/kdebase/konqueror/konq_mainwindow.cc,v
retrieving revision 1.1198
diff -u -r1.1198 konq_mainwindow.cc
--- konq_mainwindow.cc 7 Jul 2003 13:18:43 -0000 1.1198
+++ konq_mainwindow.cc 8 Jul 2003 12:38:26 -0000
@@ -562,7 +562,7 @@
else // no known serviceType, use KonqRun
{
kdDebug(1202) << "Creating new konqrun for " << url.url() << " req.typedURL=" \
<< req.typedURL << endl;
- if (currentURL().startsWith("http")) {
+ if (currentURL().startsWith("http") && \
!req.args.metaData().contains("referrer")) { KURL tmp = currentURL();
tmp.setRef(QString::null);
tmp.setUser(QString::null);
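Review bot: The new guard on the if line tests only whether a "referrer" key is present in the metadata, so a request that carries an empty "referrer" value also skips the default derived from currentURL(). If an empty entry is the intended way to say "send no referrer", a short comment above the condition should state that, since the correctness of typed-URL and bookmark navigation now depends on who inserts that key. Separately, startsWith("http") accepts any scheme that merely begins with those characters; comparing the protocol of the URL would be tighter.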
@@ -610,7 +610,7 @@
kdDebug(1202) << "req.openAfterCurrentPage= " << req.openAfterCurrentPage << endl;
bool bOthersFollowed = false;
- if (currentURL().startsWith("http")) {
+ if (currentURL().startsWith("http") && !req.args.metaData().contains("referrer")) \
{ KURL tmp = currentURL();
tmp.setRef(QString::null);
tmp.setUser(QString::null);
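Review bot: The condition and the KURL tmp stripping block here duplicate the ones in the hunk at line 562, so the next referrer fix has to be made twice and the two copies can drift apart. Suggest moving the contains("referrer") check together with the setRef/setUser stripping into one helper that both call sites use.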
Index: konq_view.cc
===================================================================
RCS file: /home/kde/kdebase/konqueror/konq_view.cc,v
retrieving revision 1.335
diff -u -r1.335 konq_view.cc
--- konq_view.cc 7 Jul 2003 15:50:05 -0000 1.335
+++ konq_view.cc 8 Jul 2003 12:38:26 -0000
@@ -191,6 +191,8 @@
m_doPost = args.doPost();
m_postContentType = args.contentType();
m_postData = args.postData;
+ // Save the referrer
+ m_pageReferrer = args.metaData()["referrer"];
}
m_bAborted = false;
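Review bot: The added line reads the value with args.metaData()["referrer"], and operator[] on a non-const map inserts an empty "referrer" entry when the key is absent. Because konq_mainwindow.cc now branches on metaData().contains("referrer"), that side effect matters if args is reused after this point; reading through find() or a const reference avoids it.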
@@ -687,6 +689,7 @@
current->doPost = m_doPost;
current->postData = m_doPost ? m_postData : QByteArray();
current->postContentType = m_doPost ? m_postContentType : QString::null;
+ current->pageReferrer = m_pageReferrer;
}
void KonqView::goHistory( int steps )
@@ -763,6 +766,7 @@
m_doPost = h.doPost;
m_postContentType = h.postContentType;
m_postData = h.postData;
+ m_pageReferrer = h.pageReferrer;
}
else
m_pPart->openURL( h.url );
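Review bot: m_pageReferrer is restored only in the branch shown; the else branch that calls m_pPart->openURL( h.url ) keeps the value belonging to the page being left. A later prepareReload would then put that stale referrer back into the request, so assign m_pageReferrer = h.pageReferrer before the if/else rather than inside one arm.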
@@ -1192,6 +1196,10 @@
else
return false;
}
+ // Re-set referrer
+ args.metaData()["referrer"] = m_pageReferrer;
+qWarning("### KonqView::prepareReload referrer = %s", m_pageReferrer.latin1());
+
return true;
}
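Review bot: The unindented qWarning line is leftover debugging and writes the full referrer URL to stderr on every reload; drop it or turn it into kdDebug(1202) before this is committed. The "Re-set referrer" comment could also note that the assignment happens even when m_pageReferrer is empty, which is what keeps konq_mainwindow.cc from substituting the current URL.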
Index: konq_view.h
===================================================================
RCS file: /home/kde/kdebase/konqueror/konq_view.h,v
retrieving revision 1.162
diff -u -r1.162 konq_view.h
--- konq_view.h 26 Jun 2003 22:40:36 -0000 1.162
+++ konq_view.h 8 Jul 2003 12:38:26 -0000
@@ -55,6 +55,7 @@
QByteArray postData;
QString postContentType;
bool doPost;
+ QString pageReferrer;
};
/* This class represents a child of the main view. The main view maintains
@@ -393,6 +394,11 @@
QByteArray m_postData;
QString m_postContentType;
bool m_doPost;
+
+ /**
+ * The referrer that was used to obtain this page.
+ */
+ QString m_pageReferrer;
KonqMainWindow *m_pMainWindow;
KonqRun *m_pRun;