From 47169db4529d1310d8802b3b60bb97cf926374a7 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 22 Jun 2024 18:28:40 +0200
Subject: [PATCH] LibWeb: Make HTTP response directive parsing more robust
---
 .../Fetch/Infrastructure/HTTP/Responses.cpp | 30 +++++++++++++++----
 1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Responses.cpp b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Responses.cpp
index ea525c7988b..a38760e724f 100644
--- a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Responses.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Responses.cpp
@@ -278,9 +278,18 @@ u64 Response::freshness_lifetime() const
 // If the max-age response directive (Section 5.2.2.1) is present, use its value, or
 for (auto const& directive : *elem) {
 if (directive.starts_with_bytes("max-age"sv)) {
- auto equal_offset = directive.find_byte_offset('=').value();
- auto const value = directive.bytes_as_string_view().substring_view(equal_offset);
- return value.to_number().value();
+ auto equal_offset = directive.find_byte_offset('=');
+ if (!equal_offset.has_value()) {
+ dbgln("Bogus directive: '{}'", directive);
+ continue;
+ }
+ auto const value_string = directive.bytes_as_string_view().substring_view(equal_offset.value() + 1);
+ auto maybe_value = value_string.to_number();
+ if (!maybe_value.has_value()) {
+ dbgln("Bogus directive: '{}'", directive);
+ continue;
+ }
+ return maybe_value.value();
 }
 }
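Review bot: The name test `directive.starts_with_bytes("max-age"sv)` is a prefix match, so any directive whose name merely begins with max-age (an extension directive, or a typo such as `max-agex=5`) has its argument returned as the freshness lifetime; a differently cased name is probably missed as well, since the comparison looks byte-exact. Now that `equal_offset` is checked, the name can be taken as `directive.bytes_as_string_view().substring_view(0, equal_offset.value())` and compared case-insensitively against the whole directive name before the value is parsed. The same applies to the `stale-while-revalidate` test in the second hunk. The body of freshness_lifetime() starts and ends outside the hunk, so what happens after a skipped directive is not visible here.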
@@ -299,9 +308,18 @@ u64 Response::stale_while_revalidate_lifetime() const
 for (auto const& directive : *elem) {
 if (directive.starts_with_bytes("stale-while-revalidate"sv)) {
- auto equal_offset = directive.find_byte_offset('=').value();
- auto const value = directive.bytes_as_string_view().substring_view(equal_offset);
- return value.to_number().value();
+ auto equal_offset = directive.find_byte_offset('=');
+ if (!equal_offset.has_value()) {
+ dbgln("Bogus directive: '{}'", directive);
+ continue;
+ }
+ auto const value_string = directive.bytes_as_string_view().substring_view(equal_offset.value() + 1);
+ auto maybe_value = value_string.to_number();
+ if (!maybe_value.has_value()) {
+ dbgln("Bogus directive: '{}'", directive);
+ continue;
+ }
+ return maybe_value.value();
 }
 }
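Review bot: These twelve added lines are a line-for-line copy of the max-age parsing in the first hunk, so a later fix to one parser can easily miss the other; a small file-local helper that returns the parsed seconds would keep the two in step. The call `value_string.to_number()` also names no result type although the function returns u64, so the accepted range depends on that function's default type; spelling it `to_number<u64>()` should make negative or out-of-range values fail the `has_value()` check rather than be converted on return. The sketch below assumes the elements of `*elem` are `String`, which the hunk does not show. The body of stale_while_revalidate_lifetime() starts and ends outside the hunk.

```cpp
// File-local helper shared by freshness_lifetime() and stale_while_revalidate_lifetime().
// Returns the numeric argument after '=', or an empty Optional if it is missing or not a number.
static Optional<u64> directive_seconds(String const& directive)
{
    auto equal_offset = directive.find_byte_offset('=');
    if (!equal_offset.has_value())
        return {};
    auto const value_string = directive.bytes_as_string_view().substring_view(equal_offset.value() + 1);
    return value_string.to_number<u64>();
}

// … unchanged: loop over *elem and the starts_with_bytes() test …
            auto seconds = directive_seconds(directive);
            if (!seconds.has_value()) {
                dbgln("Bogus directive: '{}'", directive);
                continue;
            }
            return seconds.value();
```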