[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677
mjs
mjs at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 07:22:08 UTC 2009
The following commit has been merged in the debian/unstable branch:
commit db607f08f6cf6b4c89634b4bfb963ebbf11947a0
Author: mjs <mjs at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jan 27 22:59:58 2003 +0000
Reviewed by Darin.
- fixed 3156461 - SECURITY: contentDocument of iframe from other domain can be accessed
- fixed 3156462 - SECURITY: can invoke setTimeout on other window
- fixed 3156469 - SECURITY: can add an event listener on another protected window
- fixed 3156527 - SECURITY: Can access HTML document from different domain in another frame
- fixed 3156535 - SECURITY: Can access XML document from different domain in another frame
These fixes are merged from or inspired by security fixes in upstream khtml.
* khtml/ecma/kjs_dom.h:
* khtml/ecma/kjs_dom.cpp:
(KJS::checkNodeSecurity): Prototype new method used to check whether a document
is allowed to access the contents of a node.
* khtml/ecma/kjs_html.cpp:
(KJS::HTMLElement::getValueProperty): Apply security check to
getting the contentDocument of an iframe or object.
* khtml/ecma/kjs_window.cpp:
(Window::get): Make sure addEventListener/removeEventListener, and
all timer-related functions are protected from cross-domain calls.
(WindowFunc::tryCall): Make sure this is true even if they are
detached from one window and called on another.
* khtml/khtml_part.cpp:
(KHTMLPart::checkEmitLoadEvent): When setting frames to the domain
of the parent document, don't force it, so the usual suffix check
rule will apply.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@3467 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog-2003-10-25 b/WebCore/ChangeLog-2003-10-25
index 31ed197..8d50bf0 100644
--- a/WebCore/ChangeLog-2003-10-25
+++ b/WebCore/ChangeLog-2003-10-25
@@ -1,3 +1,32 @@
+2003-01-26 Maciej Stachowiak <mjs at apple.com>
+
+ Reviewed by Darin.
+
+ - fixed 3156461 - SECURITY: contentDocument of iframe from other domain can be accessed
+ - fixed 3156462 - SECURITY: can invoke setTimeout on other window
+ - fixed 3156469 - SECURITY: can add an event listener on another protected window
+ - fixed 3156527 - SECURITY: Can access HTML document from different domain in another frame
+ - fixed 3156535 - SECURITY: Can access XML document from different domain in another frame
+
+ These fixes are merged from or inspired by security fixes in upstream khtml.
+
+ * khtml/ecma/kjs_dom.h:
+ * khtml/ecma/kjs_dom.cpp:
+ (KJS::checkNodeSecurity): Prototype new method used to check whether a document
+ is allowed to access the contents of a node.
+ * khtml/ecma/kjs_html.cpp:
+ (KJS::HTMLElement::getValueProperty): Apply security check to
+ getting the contentDocument of an iframe or object.
+ * khtml/ecma/kjs_window.cpp:
+ (Window::get): Make sure addEventListener/removeEventListener, and
+ all timer related functions are protocted from cross-domain calls.
+ (WindowFunc::tryCall): Make sure this is true even if they are
+ detached from one window and called on another.
+ * khtml/khtml_part.cpp:
+ (KHTMLPart::checkEmitLoadEvent): When setting frames to the domain
+ of the parent document, don't force it, so the usual suffix check
+ rule will apply.
+
2003-01-27 Richard Williamson <rjw at apple.com>
Reviewed by trey.
diff --git a/WebCore/ChangeLog-2005-08-23 b/WebCore/ChangeLog-2005-08-23
index 31ed197..8d50bf0 100644
--- a/WebCore/ChangeLog-2005-08-23
+++ b/WebCore/ChangeLog-2005-08-23
@@ -1,3 +1,32 @@
+2003-01-26 Maciej Stachowiak <mjs at apple.com>
+
+ Reviewed by Darin.
+
+ - fixed 3156461 - SECURITY: contentDocument of iframe from other domain can be accessed
+ - fixed 3156462 - SECURITY: can invoke setTimeout on other window
+ - fixed 3156469 - SECURITY: can add an event listener on another protected window
+ - fixed 3156527 - SECURITY: Can access HTML document from different domain in another frame
+ - fixed 3156535 - SECURITY: Can access XML document from different domain in another frame
+
+ These fixes are merged from or inspired by security fixes in upstream khtml.
+
+ * khtml/ecma/kjs_dom.h:
+ * khtml/ecma/kjs_dom.cpp:
+ (KJS::checkNodeSecurity): Prototype new method used to check whether a document
+ is allowed to access the contents of a node.
+ * khtml/ecma/kjs_html.cpp:
+ (KJS::HTMLElement::getValueProperty): Apply security check to
+ getting the contentDocument of an iframe or object.
+ * khtml/ecma/kjs_window.cpp:
+ (Window::get): Make sure addEventListener/removeEventListener, and
+ all timer related functions are protocted from cross-domain calls.
+ (WindowFunc::tryCall): Make sure this is true even if they are
+ detached from one window and called on another.
+ * khtml/khtml_part.cpp:
+ (KHTMLPart::checkEmitLoadEvent): When setting frames to the domain
+ of the parent document, don't force it, so the usual suffix check
+ rule will apply.
+
2003-01-27 Richard Williamson <rjw at apple.com>
Reviewed by trey.
diff --git a/WebCore/khtml/ecma/kjs_dom.cpp b/WebCore/khtml/ecma/kjs_dom.cpp
index 3118eb9..0d17a4b 100644
--- a/WebCore/khtml/ecma/kjs_dom.cpp
+++ b/WebCore/khtml/ecma/kjs_dom.cpp
@@ -1277,6 +1277,20 @@ Value KJS::getDOMDocumentNode(ExecState *exec, const DOM::Document &n)
return val;
}
+bool KJS::checkNodeSecurity(ExecState *exec, const DOM::Node& n)
+{
+ if (!n.handle())
+ return false;
+
+ // Check to see if the currently executing interpreter is allowed to access the specified node
+ KHTMLView *view = n.handle()->getDocument()->view();
+ Window* win = view && view->part() ? Window::retrieveWindow(view->part()) : 0L;
+ if ( !win || !win->isSafeScript(exec) )
+ return false;
+ return true;
+}
+
+
Value KJS::getDOMNode(ExecState *exec, const DOM::Node &n)
{
DOMObject *ret = 0;
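Review bot: `n.handle()->getDocument()` on the new line is dereferenced with no null check, while the node handle itself is guarded one line earlier; in khtml a node's document pointer can presumably be cleared once its owning document is torn down, so this should fail closed rather than crash: `DOM::DocumentImpl *doc = n.handle()->getDocument(); if (!doc) return false; KHTMLView *view = doc->view();`. The deny-by-default on a missing view or window is the right shape for a security predicate, and a header comment stating that contract would help callers, e.g. `// Returns true only if the script running in exec may touch n; a missing document, view or window is treated as a denial.` One side effect worth knowing: callers that wrap getDOMNode with this check now presumably get Undefined instead of Null for a null node, since the null-handle branch returns false.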
diff --git a/WebCore/khtml/ecma/kjs_dom.h b/WebCore/khtml/ecma/kjs_dom.h
index dc201b6..a0c118e 100644
--- a/WebCore/khtml/ecma/kjs_dom.h
+++ b/WebCore/khtml/ecma/kjs_dom.h
@@ -251,6 +251,7 @@ namespace KJS {
};
Value getDOMDocumentNode(ExecState *exec, const DOM::Document &n);
+ bool checkNodeSecurity(ExecState *exec, const DOM::Node& n);
Value getDOMNode(ExecState *exec, const DOM::Node &n);
Value getDOMNamedNodeMap(ExecState *exec, const DOM::NamedNodeMap &m);
Value getDOMNodeList(ExecState *exec, const DOM::NodeList &l);
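Review bot: The new checkNodeSecurity declaration carries no contract, and for a security predicate the fail-closed meaning should be readable from the header without opening the .cpp: `// True only if the script running in exec may access n (decided by Window::isSafeScript on n's window); false on any missing document, view or window.` That also tells callers the result is a deny, not an error, so they should substitute a harmless value rather than throw.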
diff --git a/WebCore/khtml/ecma/kjs_html.cpp b/WebCore/khtml/ecma/kjs_html.cpp
index 4ab4490..aac1f71 100644
--- a/WebCore/khtml/ecma/kjs_html.cpp
+++ b/WebCore/khtml/ecma/kjs_html.cpp
@@ -1519,7 +1519,8 @@ Value KJS::HTMLElement::getValueProperty(ExecState *exec, int token) const
case ObjectBorder: return getString(object.border());
case ObjectCodeBase: return getString(object.codeBase());
case ObjectCodeType: return getString(object.codeType());
- case ObjectContentDocument: return getDOMNode(exec, object.contentDocument());
+ case ObjectContentDocument: return checkNodeSecurity(exec,object.contentDocument()) ?
+ getDOMNode(exec, object.contentDocument()) : Undefined();
case ObjectData: return getString(object.data());
case ObjectDeclare: return Boolean(object.declare());
case ObjectHeight: return getString(object.height());
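Review bot: The new ObjectContentDocument case calls `object.contentDocument()` twice, once for the check and once for the value, so the node that is vetted is not by construction the node that is returned; bind it once: `case ObjectContentDocument: { DOM::Document d = object.contentDocument(); return checkNodeSecurity(exec, d) ? getDOMNode(exec, d) : Undefined(); }`. Whether the two calls could disagree on this single-threaded path is doubtful, but the single binding makes the check-then-use pairing obvious and avoids the second lookup. The enclosing getValueProperty switch starts and ends outside the hunk.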
@@ -1709,7 +1710,8 @@ Value KJS::HTMLElement::getValueProperty(ExecState *exec, int token) const
case ID_FRAME: {
DOM::HTMLFrameElement frameElement = element;
switch (token) {
- case FrameContentDocument: return getDOMNode(exec, frameElement.contentDocument());
+ case FrameContentDocument: return checkNodeSecurity(exec,frameElement.contentDocument()) ?
+ getDOMNode(exec, frameElement.contentDocument()) : Undefined();
case FrameFrameBorder: return getString(frameElement.frameBorder());
case FrameLongDesc: return getString(frameElement.longDesc());
case FrameMarginHeight: return getString(frameElement.marginHeight());
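Review bot: The FrameContentDocument case repeats the same check-then-fetch pair as the object and iframe cases, each evaluating `contentDocument()` twice; a small file-local helper would keep the three in lock-step so a future content-document property cannot forget the gate: `static Value getCheckedContentDocument(ExecState *exec, const DOM::Document &d) { return checkNodeSecurity(exec, d) ? getDOMNode(exec, d) : Undefined(); }` and `case FrameContentDocument: return getCheckedContentDocument(exec, frameElement.contentDocument());`. The ID_FRAME switch continues outside the hunk.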
@@ -1728,7 +1730,8 @@ Value KJS::HTMLElement::getValueProperty(ExecState *exec, int token) const
case IFrameAlign: return getString(iFrame.align());
// ### security check ?
case IFrameDocument: // non-standard, mapped to contentDocument
- case IFrameContentDocument: return getDOMNode(exec, iFrame.contentDocument());
+ case IFrameContentDocument: return checkNodeSecurity(exec,iFrame.contentDocument()) ?
+ getDOMNode(exec, iFrame.contentDocument()) : Undefined();
case IFrameFrameBorder: return getString(iFrame.frameBorder());
case IFrameHeight: return getString(iFrame.height());
case IFrameLongDesc: return getString(iFrame.longDesc());
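Review bot: The `// ### security check ?` marker two lines above the changed case is now stale and reads as if the check were still missing; replace it with a comment that records what is actually enforced, e.g. `// contentDocument (and the non-standard "document" alias that falls through to it) is gated by checkNodeSecurity.` Keeping the alias on the same fall-through is the important property, since a separate case for IFrameDocument would be an easy place to lose the gate. The ID_IFRAME switch continues outside the hunk.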
diff --git a/WebCore/khtml/ecma/kjs_window.cpp b/WebCore/khtml/ecma/kjs_window.cpp
index 70bf3db..5568232 100644
--- a/WebCore/khtml/ecma/kjs_window.cpp
+++ b/WebCore/khtml/ecma/kjs_window.cpp
@@ -548,11 +548,11 @@ Value Window::get(ExecState *exec, const Identifier &p) const
case MoveTo:
case ResizeBy:
case ResizeTo:
+ return lookupOrCreateFunction<WindowFunc>(exec,p,this,entry->value,entry->params,entry->attr);
case CaptureEvents:
case ReleaseEvents:
case AddEventListener:
case RemoveEventListener:
- return lookupOrCreateFunction<WindowFunc>(exec,p,this,entry->value,entry->params,entry->attr);
case SetTimeout:
case ClearTimeout:
case SetInterval:
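Review bot: After the moved `return`, the cases from CaptureEvents through SetInterval now fall through to whatever follows the hunk, presumably the isSafeScript-gated lookup, but nothing in the code marks that boundary as deliberate, so a later reordering could silently move one of them back above the unchecked return. A comment at the split would pin it: `// Everything from here down is reachable only to same-origin callers; keep these cases after the unchecked return above.` The gated return itself is outside the hunk and cannot be confirmed here.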
@@ -1325,6 +1325,8 @@ Value WindowFunc::tryCall(ExecState *exec, Object &thisObj, const List &args)
}
return Undefined();
case Window::SetTimeout:
+ if (!window->isSafeScript(exec))
+ return Undefined();
if (args.size() == 2 && v.isA(StringType)) {
int i = args[1].toInt32(exec);
int r = (const_cast<Window*>(window))->installTimeout(Identifier(s), i, true /*single shot*/);
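Review bot: The new guard has no why-comment, and the string branch just below it (`v.isA(StringType)` feeding `installTimeout(Identifier(s), ...)`) is exactly what it protects: that string is presumably evaluated later in this window's context, so a foreign caller must be stopped before either the string or the function branch. Suggest `// A cross-domain caller must not get code (string or function) scheduled to run in this window's context.` above the check. Returning Undefined keeps the denial silent; if other Window methods in this file report cross-domain attempts (not visible in the hunk), matching that behaviour here would aid debugging.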
@@ -1345,6 +1347,8 @@ Value WindowFunc::tryCall(ExecState *exec, Object &thisObj, const List &args)
else
return Undefined();
case Window::SetInterval:
+ if (!window->isSafeScript(exec))
+ return Undefined();
if (args.size() >= 2 && v.isA(StringType)) {
int i = args[1].toInt32(exec);
int r = (const_cast<Window*>(window))->installTimeout(Identifier(s), i, false);
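Review bot: This is one of several verbatim copies of `if (!window->isSafeScript(exec)) return Undefined();` that the commit hand-places per case in tryCall, and a per-case guard is easy to forget on the next privileged case that gets added. A single gate ahead of the switch, over the set of privileged ids (the timer functions, add/removeEventListener, capture/releaseEvents), would give one place to audit; the head of tryCall is outside the hunk, so that is a separate change. If the per-case form stays, a `// see SetTimeout` on each copy would at least link them to one explanation.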
@@ -1367,6 +1371,8 @@ Value WindowFunc::tryCall(ExecState *exec, Object &thisObj, const List &args)
return Undefined();
case Window::ClearTimeout:
case Window::ClearInterval:
+ if (!window->isSafeScript(exec))
+ return Undefined();
(const_cast<Window*>(window))->clearTimeout(v.toInt32(exec));
return Undefined();
case Window::Focus:
@@ -1418,9 +1424,16 @@ Value WindowFunc::tryCall(ExecState *exec, Object &thisObj, const List &args)
return Undefined();
case Window::CaptureEvents:
case Window::ReleaseEvents:
+ // If anyone implements these, they need the safescript security check.
+ if (!window->isSafeScript(exec))
+ return Undefined();
+
// Do nothing for now. These are NS-specific legacy calls.
break;
case Window::AddEventListener: {
+ if (!window->isSafeScript(exec))
+ return Undefined();
+
JSEventListener *listener = Window::retrieveActive(exec)->getJSEventListener(args[1]);
DOM::Document doc = part->document();
if (doc.isHTMLDocument()) {
@@ -1432,6 +1445,8 @@ Value WindowFunc::tryCall(ExecState *exec, Object &thisObj, const List &args)
return Undefined();
}
case Window::RemoveEventListener: {
+ if (!window->isSafeScript(exec))
+ return Undefined();
JSEventListener *listener = Window::retrieveActive(exec)->getJSEventListener(args[1]);
DOM::Document doc = part->document();
if (doc.isHTMLDocument()) {
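Review bot: In AddEventListener the listener is obtained from `Window::retrieveActive(exec)` (the calling window) while the document it is attached to is `part->document()` (this window's); the isSafeScript check just above is what makes that cross-object pairing sound, but nothing says so, and a refactor that moves the check below the retrieveActive line would reopen the hole. Suggest `// Safe only because isSafeScript has established that the active (calling) window and this window are same-origin.` before the retrieveActive line in both the add and remove branches. `args[1]` is read without a size check in both branches; if KJS's List yields Undefined for an out-of-range index that is harmless, but worth confirming. The RemoveEventListener body continues outside the hunk.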
diff --git a/WebCore/khtml/khtml_part.cpp b/WebCore/khtml/khtml_part.cpp
index 50698e1..d76c970 100644
--- a/WebCore/khtml/khtml_part.cpp
+++ b/WebCore/khtml/khtml_part.cpp
@@ -1711,7 +1711,7 @@ void KHTMLPart::checkEmitLoadEvent()
if (htmlFrame->d->m_doc && htmlFrame->d->m_doc->isHTMLDocument() )
{
kdDebug() << "KHTMLPart::checkCompleted setting frame domain to " << domain.string() << endl;
- static_cast<HTMLDocumentImpl*>(htmlFrame->d->m_doc)->setDomain( domain, true );
+ static_cast<HTMLDocumentImpl*>(htmlFrame->d->m_doc)->setDomain( domain );
}
}
}
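Review bot: Dropping the force flag means setDomain() now presumably applies its suffix check, yet the kdDebug line just above still unconditionally reports "setting frame domain to", so a rejected assignment would be logged as if it had succeeded. If setDomain returns a result, log on it; otherwise move the message after the call and read the domain back, e.g. `kdDebug() << "KHTMLPart::checkCompleted frame domain now " << static_cast<HTMLDocumentImpl*>(htmlFrame->d->m_doc)->domain().string() << endl;` (setDomain's signature and a domain() accessor are not visible here, so confirm both). checkEmitLoadEvent starts outside the hunk.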