This rule attempts to flag invisible Unicode characters which would
potentially be used by an attacker to hide code that humans can't see.
https://pvs-studio.com/en/docs/warnings/v1076/
AKA the "Trojan Source" attack: https://arxiv.org/abs/2111.00169
Unfortunately our `LibUnicode` source code contains these hidden
characters as they are part of the Unicode character set that the
library exposes. So we have, and will always have 100s of false
positives.
Since we were previously relying on Document::set_cookie in order to
set cookies received as a 'Set-Cookie' response header, we would ignore
any response header cookies in redirect (status code 3xx) responses.
While this behaviour is not strictly enforced in the specification,
most major browsers do set cookies in redirect responses, and some
sites (e.g. Cookie Clicker) rely on this behaviour.
Since cookies are stored per-site and not per-document, this behaviour
is achieved by simply decoupling the cookie set mechanism from it.
As per RFC7231 the Location header field has different meanings for
different response status codes:
For 201 (Created) responses, the Location value refers to the primary
resource created by the request.
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the request.
The MIME type can come from either the Content-Type header in the
response header list, or the overridden MIME type passed into
overrideMimeType()
This is required by Google Maps, which downloads blobs encoded
in x-user-defined format.
It's a pretty simple charset: the bottom 128 bytes (0x00-0x7F) are
standard ASCII, while the top 128 bytes (0x80-0xFF) are mapped to a
portion of the Unicode Private Use Area, specifically 0xF780-0xF7FF.
This is used by Google Maps for certain blobs.
This functions takes a user-provided decoder and will only use it if no
BOM is in the input.
If there is a BOM, it will ignore the given decoder and instead decode
the input with the appropriate Unicode decoder for the detected BOM.
This is only to be used where it's specifically needed, for example XHR
uses this for compatibility with deployed content. As such, it has an
obnoxious name to discourage usage.
This takes the input and sniffs it for a BOM. If it has the UTF-8 or
UTF-16BE BOM, it will return their respective decoder. Currently we
don't have a UTF-16LE decoder, so it will assert TODO if it detects
a UTF-16LE BOM. If there is no recognisable BOM, it will return no
decoder.
This allows you to ignore the Content-Type returned by the server and
always parse the content as if it's the given MIME type.
This will currently be used for allowing you to override the charset
of text responses.
This is a small utility that updates the target tests results for the
LibCpp parser and preprocessor regression tests.
It's handy to run after changing something in the output of either the
parser or the preprocessor.
Apparently on VirtualBox the keyboard device refused to complete the
reset sequence. With longer delays and more attempts before giving up,
it seems like the problem is gone.
Previously, the build directory for building serenity components was a
temporary directory in /tmp which was generated whenever a different
serenity component was built.
Instead of doing that, Hack Studio now simply uses the Build/ directory
inside the Serenity repository, similar to what is done in host builds.
This makes it so we don't re-build when switching back and forth between
different components.
It also makes it easier to inspect the build products.
According to RFC 6455 sections 5.5.2-5.5.3 Ping and Pong frames
can have empty "Application data" that means payload can be of size 0.
This change fixes failed "buffer.size()" assertion inside
of Core::Stream::write_or_error by not trying to send empty payload
in WebSocket::send_frame.
According to rfc2616 section 6.1 the text of reason phrase is not
defined and can be replaced by server.
Some servers (for example http://linux.org.ru) leave it empty.
This change fixes parsing of HTTP responses with empty reason phrase.
When entering the InBody state LibHTTP performs a
can_read_without_blocking check, which is duplicated immediately
afterwards. This initial call is removed.
When LibHTTP encountered the blank line between the headers and the body
in a HTTP response it made a call the m_socket->can_read_line(). This
ultimately tried to find a newline in the stream. If the response body
was small and did not contain a new line then the request would hang.
The call to m_socket->can_read_line() is removed so that the code is
able to progress into the body reading loop.
