8 files changed, 1 insertions, 134 deletions
diff --git a/src/declarative/graphicsitems/qdeclarativeloader.cpp b/src/declarative/graphicsitems/qdeclarativeloader.cpp
index c06b006..0d62afa 100644
--- a/src/declarative/graphicsitems/qdeclarativeloader.cpp
+++ b/src/declarative/graphicsitems/qdeclarativeloader.cpp
@@ -187,11 +187,6 @@ void QDeclarativeLoader::setSource(const QUrl &url) if (d->source == url) return; - if (!qmlContext(this)->isSafeOrigin(url)) { - qmlInfo(this) << tr("\"%1\" is not a safe origin from \"%2\"").arg(url.toString()).arg(qmlContext(this)->baseUrl().toString()); - return; - } - d->clear(); d->source = url;
diff --git a/src/declarative/qml/qdeclarativecompositetypemanager.cpp b/src/declarative/qml/qdeclarativecompositetypemanager.cpp
index 5160514..c59e5e2 100644
--- a/src/declarative/qml/qdeclarativecompositetypemanager.cpp
+++ b/src/declarative/qml/qdeclarativecompositetypemanager.cpp
@@ -539,19 +539,6 @@ int QDeclarativeCompositeTypeManager::resolveTypes(QDeclarativeCompositeTypeData foreach (QDeclarativeScriptParser::Import imp, unit->data.imports()) { - if (imp.type != QDeclarativeScriptParser::Import::Library && !engine->isSafeOrigin(QUrl(imp.uri), unit->imports.baseUrl())) { - QDeclarativeError error; - error.setUrl(unit->imports.baseUrl()); - error.setDescription(tr("\"%1\" is not a safe origin").arg(imp.uri)); - error.setLine(imp.location.start.line); - error.setColumn(imp.location.start.column); - unit->status = QDeclarativeCompositeTypeData::Error; - unit->errorType = QDeclarativeCompositeTypeData::GeneralError; - unit->errors << error; - doComplete(unit); - return 0; - } - QDeclarativeDirComponents qmldircomponentsnetwork; if (imp.type == QDeclarativeScriptParser::Import::Script) continue;
diff --git a/src/declarative/qml/qdeclarativecontext.cpp b/src/declarative/qml/qdeclarativecontext.cpp
index f801a88..85896c4 100644
--- a/src/declarative/qml/qdeclarativecontext.cpp
+++ b/src/declarative/qml/qdeclarativecontext.cpp
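Review bot: After this hunk `QDeclarativeLoader::setSource()` goes straight to `d->clear(); d->source = url;` with no origin check, and the import loop in `QDeclarativeCompositeTypeManager::resolveTypes()` (the next hunk) likewise no longer rejects non-library imports from another origin, so QML fetched from one host can now reference components and scripts at any other URL. Nothing visible in this diff replaces that gate, so the restriction appears to rest entirely on what the embedding application allows at the network layer, and the code should say so, for example `// No origin check is done here: url is loaded as given; the embedding application must restrict which URLs QML may fetch.` above `d->clear();`. Removing the virtual `QDeclarativeEngine::isSafeOrigin()` in the later header hunk also means an application subclass that overrode it to tighten the policy may still compile but is never consulted, which deserves a line in the change notes. Both function bodies continue outside their hunks.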
@@ -361,12 +361,6 @@ QVariant QDeclarativeContext::contextProperty(const QString &name) const return value; } -bool QDeclarativeContext::isSafeOrigin(const QUrl &src) const -{ - Q_D(const QDeclarativeContext); - return !d->data->engine || d->data->engine->isSafeOrigin(src, baseUrl()); -} - /*! Resolves the URL \a src relative to the URL of the containing component.
diff --git a/src/declarative/qml/qdeclarativecontext.h b/src/declarative/qml/qdeclarativecontext.h
index 959af8b..a349628 100644
--- a/src/declarative/qml/qdeclarativecontext.h
+++ b/src/declarative/qml/qdeclarativecontext.h
@@ -85,8 +85,6 @@ public: void setBaseUrl(const QUrl &); QUrl baseUrl() const; - bool isSafeOrigin(const QUrl &src) const; - private: friend class QDeclarativeVME; friend class QDeclarativeEngine;
diff --git a/src/declarative/qml/qdeclarativeengine.cpp b/src/declarative/qml/qdeclarativeengine.cpp
index d7f30d7..d4872e2 100644
--- a/src/declarative/qml/qdeclarativeengine.cpp
+++ b/src/declarative/qml/qdeclarativeengine.cpp
@@ -1883,33 +1883,6 @@ QString QDeclarativeEngine::offlineStoragePath() const } /*! - Returns whether \a to_url is considered safe content when reference by - content at \a from_url. - - The default implementation implements: - - \list - \i Relative URLs are safe - \i https content is safe - \i URLs from the same host and port are safe (including no-host) - \endlist - - You should consider whether this convention is adequate for your pareticular application. -*/ -bool QDeclarativeEngine::isSafeOrigin(const QUrl& to_url, const QUrl& from_url) const -{ - if (to_url.isRelative()) - return true; - if (to_url.scheme()==QLatin1String("https")) - return true; - - if (to_url.host() == from_url.host() && to_url.port() == from_url.port()) // including files (with no host) - return true; - - return false; -} - -/*! \internal Returns the result of the merge of \a baseName with \a dir, \a suffixes, and \a prefix.
diff --git a/src/declarative/qml/qdeclarativeengine.h b/src/declarative/qml/qdeclarativeengine.h
index 5c70b18..19e81b6 100644
--- a/src/declarative/qml/qdeclarativeengine.h
+++ b/src/declarative/qml/qdeclarativeengine.h
@@ -102,8 +102,6 @@ public: static void setObjectOwnership(QObject *, ObjectOwnership); static ObjectOwnership objectOwnership(QObject *); - virtual bool isSafeOrigin(const QUrl& to_url, const QUrl& from_url) const; - Q_SIGNALS: void quit ();
diff --git a/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp b/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
index b6bd3f8..72b6b28 100644
--- a/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
+++ b/tests/auto/declarative/qdeclarativelanguage/tst_qdeclarativelanguage.cpp
@@ -53,19 +53,6 @@ #include "../../../shared/util.h" -class SafeLocalhostDeclarativeEngine : public QDeclarativeEngine { -public: - SafeLocalhostDeclarativeEngine() : QDeclarativeEngine() {} - - virtual bool isSafeOrigin(const QUrl& to_url, const QUrl& from_url) const - { - if (to_url.host() == "127.0.0.1") - return true; - else - return QDeclarativeEngine::isSafeOrigin(to_url,from_url); - } -}; - /* This test case covers QML language issues. This covers everything that does not involve evaluating ECMAScript expressions and bindings.
@@ -134,7 +121,6 @@ private slots: void importsLocal(); void importsRemote_data(); void importsRemote(); - void importsUnsafe(); void importsInstalled_data(); void importsInstalled(); void importsOrder_data();
@@ -149,7 +135,7 @@ private slots: void crash2(); private: - SafeLocalhostDeclarativeEngine engine; + QDeclarativeEngine engine; void testType(const QString& qml, const QString& type); };
@@ -1276,33 +1262,6 @@ void tst_qdeclarativelanguage::importsRemote() testType(qml,type); } -void tst_qdeclarativelanguage::importsUnsafe() -{ - TestHTTPServer server(14445); - server.serveDirectory(SRCDIR); - - QString qml = "import \"http://127.0.0.1:14445/qtest/declarative/qmllanguage\"\n\nTest {}"; - - { - QDeclarativeEngine engine; // plain engine without special localhost handling - QDeclarativeComponent component(&engine); - component.setData(qml.toUtf8(), TEST_FILE("empty.qml")); // just a file for relative local imports - - QTRY_VERIFY(!component.isLoading()); - - QVERIFY(component.isError()); - } - - { - QDeclarativeComponent component(&engine); // engine special localhost handling - component.setData(qml.toUtf8(), TEST_FILE("empty.qml")); // just a file for relative local imports - - QTRY_VERIFY(!component.isLoading()); - - QVERIFY(!component.isError()); - } -} - void tst_qdeclarativelanguage::importsInstalled_data() { // QT-610
diff --git a/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp b/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
index 506e1ee..c3be943 100644
--- a/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
+++ b/tests/auto/declarative/qdeclarativeloader/tst_qdeclarativeloader.cpp
@@ -86,8 +86,6 @@ private slots: void noResizeGraphicsWidget(); void networkRequestUrl(); void failNetworkRequest(); - void networkSafety(); - void networkSafety_data(); // void networkComponent(); void deleteComponentCrash();
@@ -508,41 +506,6 @@ void tst_QDeclarativeLoader::vmeErrors() delete loader; } -void tst_QDeclarativeLoader::networkSafety_data() -{ - QTest::addColumn<QUrl>("url"); - QTest::addColumn<QString>("message"); - - QTest::newRow("same origin") << QUrl("http://127.0.0.1:14445/sameorigin.qml") << QString(); - QTest::newRow("different origin") << QUrl("http://127.0.0.1:14445/differentorigin.qml") << QString("QML Loader (http://127.0.0.1:14445/differentorigin.qml:3:1) \"http://evil.place/evil.qml\" is not a safe origin from \"http://127.0.0.1:14445/differentorigin.qml\""); -} - -void tst_QDeclarativeLoader::networkSafety() -{ - TestHTTPServer server(SERVER_PORT); - QVERIFY(server.isValid()); - server.serveDirectory(SRCDIR "/data"); - - QFETCH(QUrl, url); - QFETCH(QString, message); - - if (!message.isEmpty()) - QTest::ignoreMessage(QtWarningMsg, message.toLatin1()); - - QDeclarativeComponent component(&engine, url); - TRY_WAIT(component.status() == QDeclarativeComponent::Ready); - QDeclarativeLoader *loader = qobject_cast<QDeclarativeLoader*>(component.create()); - QVERIFY(loader != 0); - - if (message.isEmpty()) { - TRY_WAIT(loader->status() == QDeclarativeLoader::Ready); - } else { - TRY_WAIT(loader->status() == QDeclarativeLoader::Null); - } - - delete loader; -} - QTEST_MAIN(tst_QDeclarativeLoader) #include "tst_qdeclarativeloader.moc" |