[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 12:26:23 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit b3d034a723aea41f089d5e5aa38285ff0fafe2db
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Aug 23 20:03:36 2010 +0000

    2010-08-23  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Fix security origin calculation in createPattern. Need to use
            cachedImage->response().url() instead of cachedImage->url().
            https://bugs.webkit.org/show_bug.cgi?id=44399.
    
            Test: http/tests/security/canvas-remote-read-remote-image-redirect.html
    
            * html/canvas/CanvasRenderingContext2D.cpp:
            (WebCore::CanvasRenderingContext2D::createPattern):
    2010-08-23  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Tests that calling getImageData(), toDataURL() on a canvas tainted by
            a createPattern of a different origin image using redirects from same origin
            is not allowed.
            https://bugs.webkit.org/show_bug.cgi?id=44399
    
            * http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt: Added.
            * http/tests/security/canvas-remote-read-remote-image-redirect.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65826 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8609530..f035b72 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-08-23  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Tests that calling getImageData(), toDataURL() on a canvas tainted by
+        a createPattern of a different origin image using redirects from same origin
+        is not allowed.
+        https://bugs.webkit.org/show_bug.cgi?id=44399
+
+        * http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt: Added.
+        * http/tests/security/canvas-remote-read-remote-image-redirect.html: Added.
+
 2010-08-23  Simon Fraser  <simon.fraser at apple.com>
 
         Add missing test result.
diff --git a/LayoutTests/http/tests/security/canvas-remote-read-remote-image-expected.txt b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/canvas-remote-read-remote-image-expected.txt
copy to LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt
diff --git a/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html
new file mode 100644
index 0000000..c661093
--- /dev/null
+++ b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html
@@ -0,0 +1,107 @@
+<pre id="console"></pre>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+log = function(msg)
+{
+    document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
+}
+
+testGetImageData = function(context, description)
+{
+    description = "Calling getImageData() from a canvas tainted by a " + description;
+    try {
+        var imageData = context.getImageData(0,0,100,100);
+        log("FAIL: " + description + " was allowed.");
+    } catch (e) {
+        log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+    }
+}
+
+testToDataURL = function(canvas, description)
+{
+    description = "Calling toDataURL() on a canvas tainted by a " + description;
+    try {
+        var dataURL = canvas.toDataURL();
+        log("FAIL: " + description + " was allowed.");
+    } catch (e) {
+        log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+    }
+}
+
+test = function(canvas, description)
+{
+    testGetImageData(canvas.getContext("2d"), description);
+    testToDataURL(canvas, description);
+}
+
+var image = new Image();
+image.onload = function() {
+    var canvas = document.createElement("canvas");
+    canvas.width = 100;
+    canvas.height = 100;
+    var context = canvas.getContext("2d");
+
+    // Control tests
+    log("Untainted canvas:");
+    try {
+        var imageData = context.getImageData(0, 0, 100, 100);
+        log("PASS: Calling getImageData() from an untainted canvas was allowed.");
+    } catch (e) {
+        log("FAIL: Calling getImageData() from an untainted canvas was not allowed: Threw error: " + e + ".");
+    }
+    try {
+        var dataURL = canvas.toDataURL();
+        log("PASS: Calling toDataURL() on an untainted canvas was allowed.");
+    } catch (e) {
+        log("FAIL: Calling toDataURL() on an untainted canvas was not allowed: Threw error: " + e + ".");
+    }
+
+    log("\n");
+    log("Tainted canvas:");
+    // Test reading from a canvas after drawing a remote image onto it
+    context.drawImage(image, 0, 0, 100, 100);
+
+    test(canvas, "remote image");
+
+    var dirtyCanvas = canvas;
+
+    // Now test reading from a canvas after drawing a tainted canvas onto it
+    canvas = document.createElement("canvas");
+    canvas.width = 100;
+    canvas.height = 100;
+    var context = canvas.getContext("2d");
+    context.drawImage(dirtyCanvas, 0, 0, 100, 100);
+
+    test(canvas, "tainted canvas");
+
+    // Test reading after using a tainted pattern
+    canvas = document.createElement("canvas");
+    canvas.width = 100;
+    canvas.height = 100;
+    var context = canvas.getContext("2d");
+    var remoteImagePattern = context.createPattern(image, "repeat");
+    context.fillStyle = remoteImagePattern;
+    context.fillRect(0, 0, 100, 100);
+
+    test(canvas, "remote image tainted pattern");
+
+    // Test reading after using a tainted pattern
+    canvas = document.createElement("canvas");
+    canvas.width = 100;
+    canvas.height = 100;
+    var context = canvas.getContext("2d");
+    var taintedCanvasPattern = context.createPattern(dirtyCanvas, "repeat");
+    context.fillStyle = taintedCanvasPattern;
+    context.fillRect(0, 0, 100, 100);
+
+    test(canvas, "tainted canvas pattern");
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+image.src = "resources/redir.php?url=http://localhost:8000/security/resources/abe.png";
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 87cb914..62d62a9 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-08-23  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Fix security origin calculation in createPattern. Need to use
+        cachedImage->response().url() instead of cachedImage->url().
+        https://bugs.webkit.org/show_bug.cgi?id=44399.
+
+        Test: http/tests/security/canvas-remote-read-remote-image-redirect.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::createPattern):
+
 2010-08-23  Simon Fraser  <simon.fraser at apple.com>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index 485a22b..08b38a9 100644
--- a/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1451,7 +1451,7 @@ PassRefPtr<CanvasPattern> CanvasRenderingContext2D::createPattern(HTMLImageEleme
     if (!cachedImage || !image->cachedImage()->image())
         return CanvasPattern::create(Image::nullImage(), repeatX, repeatY, true);
 
-    bool originClean = !canvas()->securityOrigin().taintsCanvas(KURL(KURL(), cachedImage->url())) && cachedImage->image()->hasSingleSecurityOrigin();
+    bool originClean = !canvas()->securityOrigin().taintsCanvas(KURL(KURL(), cachedImage->response().url())) && cachedImage->image()->hasSingleSecurityOrigin();
     return CanvasPattern::create(cachedImage->image(), repeatX, repeatY, originClean);
 }
 
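Review bot: The `originClean` line now depends on `cachedImage->response().url()` rather than the request URL, but nothing at the call site says why, so a later cleanup could switch back to `cachedImage->url()` and reopen the redirect bypass. A comment above it would pin the intent, for example `// Use the final response URL, not the request URL: a same-origin request can redirect to a cross-origin image.` It is also worth confirming what `taintsCanvas()` returns when the response URL is empty, since that case is not visible here and should leave the pattern tainted. Separately, the guard two lines up still calls `image->cachedImage()->image()` instead of using the local `cachedImage`. createPattern's body begins outside the hunk.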

-- 
WebKit Debian packaging


