Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Python 3: Decode HEX value back to single quote #25141

Closed
wants to merge 1 commit into from
Closed

[WIP] Python 3: Decode HEX value back to single quote #25141

wants to merge 1 commit into from

Conversation

ziransun
Copy link
Member

No description provided.

@ziransun ziransun assigned Hexcles and unassigned andypaicu Aug 20, 2020
@ziransun
Copy link
Member Author

@Hexcles: I'm not sure this CL gives a good solution. Just try to find out why the escaping character in policy value ('self') has been converted Hex value in python 3 case. Anything obvious to you?

@Hexcles
Copy link
Member

Hexcles commented Aug 24, 2020

Where is policy coming from? Something like {{GET[...]}}?

Looks like we are getting the URL-encoded version of the string.

@ziransun
Copy link
Member Author

Where is policy coming from? Something like {{GET[...]}}?

It should come from this line

Looks like we are getting the URL-encoded version of the string.

That's what I suspected as well. I couldn't see any direct calls of .py file in these test scripts. Could it be something at wpt core part?

@Hexcles
Copy link
Member

Hexcles commented Aug 28, 2020
edited

@ziransun yeah I'm looking at wptserve.

Meanwhile, could you provide some concrete examples (comparison of strings in Py2 and 3, as well as the test that triggers it)?

@Hexcles
Copy link
Member

Hexcles commented Aug 28, 2020

I'm guessing this is https://github.com/web-platform-tests/wpt/blob/7c50c216081d6ea3c9afe553ee7b64534020a1b2/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html

@Hexcles Hexcles mentioned this pull request Aug 28, 2020
Merged
@Hexcles
Copy link
Member

Hexcles commented Aug 28, 2020

Hmm, I also see

var window_url = decodeURIComponent("javascript:&#x27;&lt;iframe src=/content-security-policy/support/fail.js /&gt;&#x27;").replace('&lt;', '<').replace('&gt;', '>');

in Python 2. In other words, this doesn't seem to happen in Python 3 only.

Reading the source code, I think this is the expected behaviour:

wpt/tools/wptserve/wptserve/handlers.py

Lines 143 to 150 in 0f986ae

def wrap_pipeline(path, request, response):
query = parse_qs(request.url_parts.query)
pipe_string = ""
if ".sub." in path:
ml_extensions = {".html", ".htm", ".xht", ".xhtml", ".xml", ".svg"}
escape_type = "html" if os.path.splitext(path)[1] in ml_extensions else "none"
pipe_string = "sub(%s)" % escape_type

sets escape_type to html, which leads to content to be percent-encoded in the output. And this test is hence a bit problematic... I think we'd need something like #25275 (just a PoC for now).

@Hexcles
Copy link
Member

Hexcles commented Sep 16, 2020

#25275 landed, so let's close this PR.

@Hexcles Hexcles closed this Sep 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andypaicu andypaicu Awaiting requested review from andypaicu

@hillbrad hillbrad Awaiting requested review from hillbrad

Assignees

@Hexcles Hexcles

Labels
content-security-policy python3
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ziransun @Hexcles @wpt-pr-bot @andypaicu