[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 704 Low Browser crash with extension with missing key. Credit to Brian Kirchoff.
Giuseppe Iuculano
iuculano at debian.org
Sun Feb 6 11:44:32 UTC 2011
Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 704
Revision Id: iuculano at debian.org-20110206114432-wv02hmmxj3ay7wxq
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : Low Browser crash with extension with missing key. Credit to Brian Kirchoff.
--------------------------------------------------------
** Added :
- debian/patches/59081.patch
** Modified :
- debian/changelog
- debian/patches/series
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog 2011-02-06 11:34:53 +0000
+++ b/debian/changelog 2011-02-06 11:44:32 +0000
@@ -2,8 +2,9 @@
* Backported security patches from stable:
- High Use-after-free in image loading. Credit to Aki Helin of OUSPG
+ - Low Browser crash with extension with missing key. Credit to Brian Kirchoff.
- -- Giuseppe Iuculano <iuculano at debian.org> Sun, 06 Feb 2011 12:33:22 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Sun, 06 Feb 2011 12:43:46 +0100
chromium-browser (6.0.472.63~r59945-5) unstable; urgency=high
=== added file 'debian/patches/59081.patch'
--- a/debian/patches/59081.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/59081.patch 2011-02-06 11:44:32 +0000
@@ -0,0 +1,47 @@
+--- a/src/third_party/WebKit/WebCore/page/DragController.cpp
++++ b/src/third_party/WebKit/WebCore/page/DragController.cpp
+@@ -294,6 +294,9 @@ bool DragController::tryDocumentDrag(Dra
+ if (!m_documentUnderMouse)
+ return false;
+
++ if (m_dragInitiator && !m_documentUnderMouse->securityOrigin()->canReceiveDragData(m_dragInitiator->securityOrigin()))
++ return false;
++
+ m_isHandlingDrag = false;
+ if (actionMask & DragDestinationActionDHTML) {
+ m_isHandlingDrag = tryDHTMLDrag(dragData, operation);
+--- a/src/third_party/WebKit/WebCore/page/SecurityOrigin.cpp
++++ b/src/third_party/WebKit/WebCore/page/SecurityOrigin.cpp
+@@ -302,6 +302,18 @@ bool SecurityOrigin::taintsCanvas(const
+ return true;
+ }
+
++bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
++{
++ // FIXME: Currently we treat data URLs as having a unique origin, contrary to the
++ // current (9/19/2009) draft of the HTML5 specification. We still want to allow
++ // drop across data URLs, so we special case data URLs below. If we change to
++ // match HTML5 w.r.t. data URL security, then we can remove this check.
++ if (m_protocol == "data")
++ return true;
++
++ return canAccess(dragInitiator);
++}
++
+ bool SecurityOrigin::isAccessWhiteListed(const SecurityOrigin* targetOrigin) const
+ {
+ if (OriginAccessWhiteList* list = originAccessMap().get(toString())) {
+--- a/src/third_party/WebKit/WebCore/page/SecurityOrigin.h
++++ b/src/third_party/WebKit/WebCore/page/SecurityOrigin.h
+@@ -84,6 +84,11 @@ public:
+ // Returns true if drawing an image from this URL taints a canvas from
+ // this security origin. For example, call this function before
+ // drawing an image onto an HTML canvas element with the drawImage API.
++ // Returns true if this SecurityOrigin can receive drag content from the
++ // initiator. For example, call this function before allowing content to be
++ // dropped onto a target.
++ bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
++
+ bool taintsCanvas(const KURL&) const;
+
+ // Returns true for any non-local URL. If document parameter is supplied,
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2011-02-06 11:34:53 +0000
+++ b/debian/patches/series 2011-02-06 11:44:32 +0000
@@ -50,3 +50,4 @@
68181.patch
68439.patch
55831.patch
+59081.patch
More information about the Pkg-chromium-commit
mailing list