[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
abarth at webkit.org
Wed Dec 22 12:07:23 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 37e1f5a4de1a10ec5ff70bc8670e49c41215add3
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun Aug 15 15:34:25 2010 +0000
2010-08-15 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
Don't try to replace a non-existent document after executing JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=44024
Test what happens if a JavaScript URL returns a value after deleting
the frame it was supposed to operate on.
* fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
* fast/frames/javascript-url-for-deleted-frame.html: Added.
2010-08-15 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
Don't try to replace a non-existent document after executing JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=44024
Synchronous JavaScript execution is evil. Previously, the frame was
deleted after executing the JavaScript URL, so we'd get confused when
we tried to replace its document.
Test: fast/frames/javascript-url-for-deleted-frame.html
* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65381 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f13a0a5..3bf0c73 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-08-15 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Don't try to replace a non-existent document after executing JavaScript URLs
+ https://bugs.webkit.org/show_bug.cgi?id=44024
+
+ Test what happens if a JavaScript URL returns a value after deleting
+ the frame it was supposed to operate on.
+
+ * fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
+ * fast/frames/javascript-url-for-deleted-frame.html: Added.
+
2010-08-14 Martin Robinson <mrobinson at igalia.com>
[GTK] Some test results are one pixel different between the x86_64 and i386 bots
diff --git a/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt b/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt
new file mode 100644
index 0000000..730ebf6
--- /dev/null
+++ b/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html b/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html
new file mode 100644
index 0000000..d827463
--- /dev/null
+++ b/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html
@@ -0,0 +1,14 @@
+<body>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+var ifr = document.createElement('iframe');
+ifr.setAttribute('src', 'javascript:parent.boom(), "<div>Crash?</div>"');
+document.body.appendChild(ifr);
+
+function boom() {
+ document.body.removeChild(ifr);
+}
+</script>
+This test passes if it doesn't crash.
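Review bot: the test script gives no hint of why the javascript: URL both calls `parent.boom()` and then returns the string `"<div>Crash?</div>"`; a one-line comment saying that `boom()` removes the iframe synchronously while its own URL is still executing, and that the returned string value is what used to make WebCore try to replace the now-deleted frame's document, would help whoever next touches this test understand which path it is exercising rather than having to reconstruct it from the bug link in the ChangeLog.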
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b474357..a4da24f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-08-15 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Don't try to replace a non-existent document after executing JavaScript URLs
+ https://bugs.webkit.org/show_bug.cgi?id=44024
+
+ Synchronous JavaScript execution is evil. Previously, the frame was
+ deleted after executing the JavaScript URL, so we'd get confused when
+ we tried to replace its document.
+
+ Test: fast/frames/javascript-url-for-deleted-frame.html
+
+ * bindings/ScriptControllerBase.cpp:
+ (WebCore::ScriptController::executeIfJavaScriptURL):
+
2010-08-14 Sheriff Bot <webkit.review.bot at gmail.com>
Unreviewed, rolling out r65374.
diff --git a/WebCore/bindings/ScriptControllerBase.cpp b/WebCore/bindings/ScriptControllerBase.cpp
index 9bea8ae..01911d8 100644
--- a/WebCore/bindings/ScriptControllerBase.cpp
+++ b/WebCore/bindings/ScriptControllerBase.cpp
@@ -72,12 +72,19 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, bool userGesture,
if (!protocolIsJavaScript(url))
return false;
- if (m_frame->page() && !m_frame->page()->javaScriptURLsAreAllowed())
+ if (!m_frame->page())
+ return true;
+
+ if (!m_frame->page()->javaScriptURLsAreAllowed())
return true;
if (m_frame->inViewSourceMode())
return true;
+ // We need to hold onto the Frame here because executing script can
+ // destroy the frame.
+ RefPtr<Frame> protector(m_frame);
+
const int javascriptSchemeLength = sizeof("javascript:") - 1;
String decodedURL = decodeURLEscapeSequences(url.string());
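Review bot: the new early return `if (!m_frame->page()) return true;` at the top of the hunk is a behaviour change that the ChangeLog does not mention. Before this change, the condition `m_frame->page() && !m_frame->page()->javaScriptURLsAreAllowed()` was simply false for a frame with no Page, so the script went on to execute; after it, the URL is consumed without running at all. That is probably the safer choice, but since the ChangeLog only describes the post-execution case, a sentence saying the pre-execution check is intentional would stop it being read as an accident of splitting the old condition into two. The `RefPtr<Frame> protector(m_frame);` is the right fix for the crash itself: it keeps the Frame object alive across script execution so that the later `m_frame->page()` check reads live memory rather than a frame that was freed by `removeChild`.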
@@ -85,6 +92,11 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, bool userGesture,
if (xssAuditor()->canEvaluateJavaScriptURL(decodedURL))
result = executeScript(decodedURL.substring(javascriptSchemeLength), userGesture, AllowXSS);
+ // If executing script caused this frame to be removed from the page, we
+ // don't want to try to replace its document!
+ if (!m_frame->page())
+ return true;
+
String scriptResult;
#if USE(JSC)
JSDOMWindowShell* shell = windowShell(mainThreadNormalWorld());
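Review bot: the guard `if (!m_frame->page()) return true;` after `executeScript()` is only safe to evaluate because of the `RefPtr<Frame> protector` added in the previous hunk; the comment here should say so, otherwise a later refactor that drops the protector would leave this line dereferencing a possibly freed frame with no hint in the code that the two belong together. It would also be worth a short note on why silently discarding `result` is acceptable in this case, namely that the javascript: URL has already been executed and returning true tells the caller the URL was handled, so there is nothing left to load into a frame that is no longer in the page.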