From 789f375411b542db3ac3be79cbe0a6153720abf1 Mon Sep 17 00:00:00 2001
From: Peter Varga <pvarga@inf.u-szeged.hu>
Date: Wed, 7 Mar 2018 11:48:14 +0100
Subject: Remove credentials from view-source URLs

Task-number: QTBUG-65997
Change-Id: Icb55326c51f1dfff77e8e862e9ced619be17ead1
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 tests/auto/quick/qmltests/data/tst_viewSource.qml  | 28 ++++++++++++++++++
 .../widgets/qwebenginepage/tst_qwebenginepage.cpp  | 34 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)

(limited to 'tests')

diff --git a/tests/auto/quick/qmltests/data/tst_viewSource.qml b/tests/auto/quick/qmltests/data/tst_viewSource.qml
index a9cf11f34..d0bc0529d 100644
--- a/tests/auto/quick/qmltests/data/tst_viewSource.qml
+++ b/tests/auto/quick/qmltests/data/tst_viewSource.qml
@@ -124,6 +124,34 @@ TestWebEngineView {
             // FIXME(pvarga): Reintroduce this check in the fix for QTBUG-56117
             //verify(!webEngineView.canViewSource);
         }
+
+        function test_viewSourceCredentials() {
+            var url = "http://user:passwd@httpbin.org/basic-auth/user/passwd";
+
+            // Test explicit view-source URL with credentials
+            webEngineView.url = Qt.resolvedUrl("view-source:" + url);
+            if (!webEngineView.waitForLoadSucceeded(12000))
+                skip("Couldn't load page from network, skipping test.");
+
+            compare(webEngineView.url, "view-source:" + url.replace("user:passwd@", ""));
+            compare(webEngineView.title, "view-source:" + url.replace("http://user:passwd@", ""));
+            titleChangedSpy.clear();
+
+            // Test ViewSource web action on URL with credentials
+            webEngineView.url = Qt.resolvedUrl(url);
+            if (!webEngineView.waitForLoadSucceeded(12000))
+                skip("Couldn't load page from network, skipping test.");
+            webEngineView.triggerWebAction(WebEngineView.ViewSource);
+            tryCompare(newViewRequestedSpy, "count", 1);
+
+            // The first titleChanged signal is emitted by adoptWebContents()
+            tryVerify(function() { return titleChangedSpy.count >= 2; });
+            compare(viewRequest.destination, WebEngineView.NewViewInTab);
+            verify(viewRequest.userInitiated);
+
+            tryCompare(webEngineView, "url", "view-source:" + url.replace("user:passwd@", ""));
+            tryCompare(webEngineView, "title", "view-source:" + url.replace("http://user:passwd@", ""));
+        }
     }
 }
 
diff --git a/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp b/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
index 7b9cc31e9..e67636378 100644
--- a/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
+++ b/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
@@ -211,6 +211,7 @@ private Q_SLOTS:
     void viewSource();
     void viewSourceURL_data();
     void viewSourceURL();
+    void viewSourceCredentials();
     void proxyConfigWithUnexpectedHostPortPair();
     void registerProtocolHandler_data();
     void registerProtocolHandler();
@@ -4190,6 +4191,39 @@ void tst_QWebEnginePage::viewSourceURL()
     QVERIFY(!page.action(QWebEnginePage::ViewSource)->isEnabled());
 }
 
+void tst_QWebEnginePage::viewSourceCredentials()
+{
+    TestPage page;
+    QSignalSpy loadFinishedSpy(&page, SIGNAL(loadFinished(bool)));
+    QSignalSpy windowCreatedSpy(&page, SIGNAL(windowCreated()));
+    QUrl url("http://user:passwd@httpbin.org/basic-auth/user/passwd");
+
+    // Test explicit view-source URL with credentials
+    page.load(QUrl(QString("view-source:" + url.toString())));
+    if (!loadFinishedSpy.wait(10000) || !loadFinishedSpy.at(0).at(0).toBool())
+        QSKIP("Couldn't load page from network, skipping test.");
+
+    QCOMPARE(page.url().toString(), QString("view-source:" + url.toDisplayString(QUrl::RemoveUserInfo)));
+    QCOMPARE(page.requestedUrl(), url);
+    QCOMPARE(page.title(), QString("view-source:" + url.toDisplayString(QUrl::RemoveScheme | QUrl::RemoveUserInfo).remove(0, 2)));
+    loadFinishedSpy.clear();
+    windowCreatedSpy.clear();
+
+    // Test ViewSource web action on URL with credentials
+    page.load(url);
+    if (!loadFinishedSpy.wait(10000) || !loadFinishedSpy.at(0).at(0).toBool())
+        QSKIP("Couldn't load page from network, skipping test.");
+    QVERIFY(page.action(QWebEnginePage::ViewSource)->isEnabled());
+
+    page.triggerAction(QWebEnginePage::ViewSource);
+    QTRY_COMPARE(windowCreatedSpy.count(), 1);
+    QCOMPARE(page.createdWindows.size(), 1);
+
+    QTRY_COMPARE(page.createdWindows[0]->url().toString(), QString("view-source:" + url.toDisplayString(QUrl::RemoveUserInfo)));
+    QTRY_COMPARE(page.createdWindows[0]->requestedUrl(), url);
+    QTRY_COMPARE(page.createdWindows[0]->title(), QString("view-source:" + url.toDisplayString(QUrl::RemoveScheme | QUrl::RemoveUserInfo).remove(0, 2)));
+}
+
 Q_DECLARE_METATYPE(QNetworkProxy::ProxyType);
 
 void tst_QWebEnginePage::proxyConfigWithUnexpectedHostPortPair()
-- 
cgit v1.2.3