[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
ap at apple.com
Thu Feb 4 21:22:28 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit ff06073c07cf42bca3f1b17c4e9af1eafa10a4af
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 21 01:46:45 2010 +0000
Reviewed by Sam Weinig.
https://bugs.webkit.org/show_bug.cgi?id=33930
Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
Test: http/tests/security/detached-sandboxed-frame-access.html
* bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
Changed the way we discover the url to match what the actual check does. Both old and new
code correctly fetch the URL of the current window displayed in frame, but going via
DOMWindowShell avoids crashing on null DOMWindow::m_frame pointer.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53587 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 55f9ce7..1e986a2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-20 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ https://bugs.webkit.org/show_bug.cgi?id=33930
+ Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
+
+ * http/tests/security/detached-sandboxed-frame-access-expected.txt: Added.
+ * http/tests/security/detached-sandboxed-frame-access.html: Added.
+
2010-01-20 Nikolas Zimmermann <nzimmermann at rim.com>
Not reviewed. Re-skip svg/custom/use-instanceRoot-event-bubbling.xhtml on Gtk bot, still fails. Though the other platforms are fixed.
diff --git a/LayoutTests/fast/dom/beforeload/video-before-load-expected.txt b/LayoutTests/http/tests/security/detached-sandboxed-frame-access-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/video-before-load-expected.txt
copy to LayoutTests/http/tests/security/detached-sandboxed-frame-access-expected.txt
diff --git a/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html b/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html
new file mode 100644
index 0000000..4564196
--- /dev/null
+++ b/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html
@@ -0,0 +1,37 @@
+<body onload="test()">
+<p></p>
+<div id=result>Testing...</div>
+<iframe src="does-not-exist.html" sandbox=""></iframe>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function gc()
+{
+ if (window.GCController)
+ return GCController.collect();
+
+ for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+ var s = new String("abc");
+ }
+}
+
+var w;
+function test()
+{
+ w = frames[0];
+ document.body.removeChild(document.getElementsByTagName("iframe")[0]);
+ setTimeout(function() {
+ gc();
+ for (i in w) { }
+ try { w.XMLHttpRequest; } catch (ex) { }
+ try { w.top; } catch (ex) { }
+ document.getElementById("result").innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+}
+
+</script>
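Review bot: the timeout callback in test() writes "PASS" unconditionally, and both `w.XMLHttpRequest` and `w.top` sit in try blocks with empty catch handlers, so this test can only fail by crashing. If that is the intended pass criterion, the empty `<p></p>` at the top should say so, with a one-line description that the test checks that accessing a detached sandboxed frame does not crash (bug 33930). Otherwise the test reads as if it asserts nothing. Two smaller points: `for (i in w) { }` creates an implicit global `i` and should use `var i`, and the comment in gc() has a stray ">" before "force garbage collection".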
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e8d1d4b..ccca00a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-20 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ https://bugs.webkit.org/show_bug.cgi?id=33930
+ Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
+
+ Test: http/tests/security/detached-sandboxed-frame-access.html
+
+ * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
+ Changed the way we discover the url to match what the actual check does. Both old and new
+ code correctly fetch the URL of the current window displayed in frame, but going via
+ DOMWindowShell avoids crashing on null DOMWindow::m_frame pointer.
+
2010-01-20 Vitaly Repeshko <vitalyr at chromium.org>
Reviewed by Pavel Feldman.
diff --git a/WebCore/bindings/js/JSDOMWindowBase.cpp b/WebCore/bindings/js/JSDOMWindowBase.cpp
index b886b52..176066e 100644
--- a/WebCore/bindings/js/JSDOMWindowBase.cpp
+++ b/WebCore/bindings/js/JSDOMWindowBase.cpp
@@ -76,7 +76,7 @@ ScriptExecutionContext* JSDOMWindowBase::scriptExecutionContext() const
String JSDOMWindowBase::crossDomainAccessErrorMessage(const JSGlobalObject* other) const
{
KURL originURL = asJSDOMWindow(other)->impl()->url();
- KURL targetURL = impl()->frame()->document()->url();
+ KURL targetURL = d()->shell->window()->impl()->url();
if (originURL.isNull() || targetURL.isNull())
return String();
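Review bot: the new `targetURL` line replaces one unchecked pointer chain with another (`d()->shell->window()->impl()`), and nothing in the function says why this path is safe where `impl()->frame()` was not. The ChangeLog explains that DOMWindow::m_frame can be null for a detached frame, but a reader of the source alone could take the shell indirection for a needless detour and simplify it back. A short comment above the line stating that the frame may be null here, and that the shell and its window are expected to be non-null, would protect the fix. If either of those can be null on any path, an explicit check that returns String() would match the existing `isNull()` early return just below.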
--
WebKit Debian packaging