LibWeb: Do not discard String returned from url_encode() to avoid UAF

The previous code caused a use-after-free (UAF), since the String returned
from url_encode() was immediately discarded.

Co-authored-by: Luke Wilde <lukew@serenityos.org>
Kenneth Myhra 2023-03-08 06:53:10 +01:00 committed by Linus Groh
parent 736f9f38ae
commit b78ee64415
Notes: sideshowbarker 2024-07-17 03:51:15 +09:00


@ -139,8 +139,8 @@ ErrorOr<void> HTMLFormElement::submit_form(JS::GCPtr<HTMLElement> submitter, boo
LoadRequest request = LoadRequest::create_for_url_on_page(url, document().page());
if (effective_method == "post") {
auto url_encoded_parameters_as_bytes = TRY(url_encode(parameters, AK::URL::PercentEncodeSet::ApplicationXWWWFormUrlencoded)).bytes();
auto body = TRY(ByteBuffer::copy(url_encoded_parameters_as_bytes));
auto url_encoded_parameters = TRY(url_encode(parameters, AK::URL::PercentEncodeSet::ApplicationXWWWFormUrlencoded));
auto body = TRY(ByteBuffer::copy(url_encoded_parameters.bytes()));
request.set_method("POST");
request.set_header("Content-Type", "application/x-www-form-urlencoded");
request.set_body(move(body));
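Review bot: The new `url_encoded_parameters` local exists only to keep the String alive while `bytes()` is read, but nothing at that line says so, and a later cleanup could fold the two statements back into one and reintroduce the use-after-free. I would add a comment above the declaration, for example `// Keep the String in a named local: bytes() appears to be a non-owning view, so it must not outlive the String.` Judging by the commit message, `bytes()` does not own its storage; if so, it is worth checking other call sites that chain `.bytes()` onto a `TRY(...)` result and store the view. A form-submission test with `method=post` run under a sanitizer build would catch a recurrence. The body of `submit_form` starts and ends outside this hunk, so whether `body` is used past `set_body` cannot be checked from here.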