authorMikolaj Boc <[email protected]>2022-10-21 16:30:19 +0200
committerMikolaj Boc <[email protected]>2022-10-29 15:27:30 +0200
commit0b382080c2914e5129ede19c8ca9a871e7d3bf38 (patch)
tree0de7f8a8a0169e786730c1a6818e68e33c12e9cb
parentf4b028114a9040147fa98ca8c8cfc58dcb2f6102 (diff)
Trim headers considered unsafe from the WASM net requests
Some headers cannot be sent via XMLHttpRequest. In case one of those is assigned to a network request, the header will now be trimmed on WASM so that the request continues. Qt will print a warning on each request that had its headers trimmed. The list seems stable so it is not a lot of burden to sync Qt with it on potential (unlikely) changes. Fixes: QTBUG-95585 Change-Id: Id504ef43ad7e466ab567d4646d7ca00d6b7920d7 Reviewed-by: Aleksandr Reviakin <[email protected]> Reviewed-by: Morten Johan Sørvig <[email protected]>
-rw-r--r--src/network/access/qnetworkreplywasmimpl.cpp55
1 files changed, 49 insertions, 6 deletions
diff --git a/src/network/access/qnetworkreplywasmimpl.cpp b/src/network/access/qnetworkreplywasmimpl.cpp
index 44541bb501a..70d2a6be440 100644
--- a/src/network/access/qnetworkreplywasmimpl.cpp
+++ b/src/network/access/qnetworkreplywasmimpl.cpp
@@ -17,6 +17,42 @@
#include <emscripten/fetch.h>
QT_BEGIN_NAMESPACE
+namespace {
+constexpr const char *BannedHeaders[] = {
+ "accept-charset",
+ "accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
+ "connection",
+ "content-length",
+ "cookie",
+ "cookie2",
+ "date",
+ "dnt",
+ "expect",
+ "host",
+ "keep-alive",
+ "origin",
+ "referer",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade",
+ "via",
+};
+
+bool isUnsafeHeader(QLatin1StringView header)
+{
+ return header.startsWith(QStringLiteral("proxy-"), Qt::CaseInsensitive)
+ || header.startsWith(QStringLiteral("sec-"), Qt::CaseInsensitive)
+ || std::any_of(std::begin(BannedHeaders), std::end(BannedHeaders),
+ [&header](const char *bannedHeader) {
+ return 0
+ == header.compare(QLatin1StringView(bannedHeader),
+ Qt::CaseInsensitive);
+ });
+}
+} // namespace
QNetworkReplyWasmImplPrivate::QNetworkReplyWasmImplPrivate()
: QNetworkReplyPrivate()
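Review bot: `BannedHeaders` has no comment naming the specification it mirrors, which makes the later sync mentioned in the commit message harder to carry out. A short comment above the array would cover it: `// Forbidden request-header names per the WHATWG Fetch standard; keep in sync with that list.` The browser is still the party that refuses these headers, so this table only decides what Qt drops up front, and it is worth comparing against the current standard for names added since. As a style point in `isUnsafeHeader`, the two prefix checks build a `QString` via `QStringLiteral` to test a `QLatin1StringView`; `header.startsWith(QLatin1StringView("proxy-"), Qt::CaseInsensitive)` would match how the list comparison is written.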
@@ -190,15 +226,22 @@ void QNetworkReplyWasmImplPrivate::doSendRequest()
QList<QByteArray> headersData = request.rawHeaderList();
int arrayLength = getArraySize(headersData.count());
- const char* customHeaders[arrayLength];
+ const char *customHeaders[arrayLength];
+ QStringList trimmedHeaders;
if (headersData.count() > 0) {
int i = 0;
- for (int j = 0; j < headersData.count(); j++) {
- customHeaders[i] = headersData[j].constData();
- i += 1;
- customHeaders[i] = request.rawHeader(headersData[j]).constData();
- i += 1;
+ for (const auto &headerName : headersData) {
+ if (isUnsafeHeader(QLatin1StringView(headerName.constData()))) {
+ trimmedHeaders.push_back(QString::fromLatin1(headerName));
+ } else {
+ customHeaders[i++] = headerName.constData();
+ customHeaders[i++] = request.rawHeader(headerName).constData();
+ }
+ }
+ if (!trimmedHeaders.isEmpty()) {
+ qWarning() << "Qt has trimmed the following forbidden headers from the request:"
+ << trimmedHeaders.join(QLatin1StringView(", "));
}
customHeaders[i] = nullptr;
attr.requestHeaders = customHeaders;
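Review bot: The value pointer stored by `customHeaders[i++] = request.rawHeader(headerName).constData();` comes from a temporary `QByteArray`, so it stays valid only while that temporary shares its buffer with the copy held inside `request`; the rewritten loop carries this over from the old code. Holding the values in a local list removes the dependence on implicit sharing: declare `QList<QByteArray> headerValues;` next to `trimmedHeaders`, then use `headerValues.push_back(request.rawHeader(headerName));` and `customHeaders[i++] = headerValues.constLast().constData();`. That list has to stay in scope until the fetch call that consumes `attr.requestHeaders`, which is outside this hunk, as are the start and end of `doSendRequest()`. Logging only the trimmed header names and not their values is the right choice, since `cookie` is among them.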