mirror/browser
1
0
Fork 0
mirror of https://github.com/lightpanda-io/browser.git synced 2026-06-11 01:25:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix a user-after-free on an empty (and invalid) empty location

Browse Source 
Improves WPT: /fetch/api/redirect/redirect-empty-location.any.html
This commit is contained in:
Karl Seguin
2026-04-24 18:19:12 +08:00
parent 3f0cc7a0df
commit 7b50dff956
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/browser/HttpClient.zig
View File

@@ -1564,10 +1564,18 @@ pub const Transfer = struct {
return error.LocationNotFound;
};
const base_url = try conn.getEffectiveUrl();
const url = try URL.resolve(arena, std.mem.span(base_url), location.value, .{});
try transfer.updateURL(url);
const url: [:0]const u8 = blk: {
if (location.value.len == 0) {
// Might seem silly, but URL.resovle will return location.value as-is
// if empty, and location.value is memory owned by libcurl.
break :blk "";
}
const base_url = try conn.getEffectiveUrl();
break :blk try URL.resolve(arena, std.mem.span(base_url), location.value, .{});
};
try transfer.updateURL(url);
// 301, 302, 303 → change to GET, drop body.
// 307, 308 → keep method and body.
const status = try conn.getResponseCode();