[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9

ap at apple.com ap at apple.com
Thu Feb 4 21:22:28 UTC 2010


The following commit has been merged in the webkit-1.1 branch:
commit ff06073c07cf42bca3f1b17c4e9af1eafa10a4af
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Jan 21 01:46:45 2010 +0000

            Reviewed by Sam Weinig.
    
            https://bugs.webkit.org/show_bug.cgi?id=33930
            Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
    
            Test: http/tests/security/detached-sandboxed-frame-access.html
    
            * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
            Changed the way we discover the url to match what the actual check does. Both old and new
            code correctly fetch the URL of the current window displayed in frame, but going via
            DOMWindowShell avoids crashing on null DOMWindow::m_frame pointer.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53587 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 55f9ce7..1e986a2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-20  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        https://bugs.webkit.org/show_bug.cgi?id=33930
+        Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
+
+        * http/tests/security/detached-sandboxed-frame-access-expected.txt: Added.
+        * http/tests/security/detached-sandboxed-frame-access.html: Added.
+
 2010-01-20  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Not reviewed. Re-skip svg/custom/use-instanceRoot-event-bubbling.xhtml on Gtk bot, still fails. Though the other platforms are fixed.
diff --git a/LayoutTests/fast/dom/beforeload/video-before-load-expected.txt b/LayoutTests/http/tests/security/detached-sandboxed-frame-access-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/video-before-load-expected.txt
copy to LayoutTests/http/tests/security/detached-sandboxed-frame-access-expected.txt
diff --git a/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html b/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html
new file mode 100644
index 0000000..4564196
--- /dev/null
+++ b/LayoutTests/http/tests/security/detached-sandboxed-frame-access.html
@@ -0,0 +1,37 @@
+<body onload="test()">
+<p></p>
+<div id=result>Testing...</div>
+<iframe src="does-not-exist.html" sandbox=""></iframe>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("abc");
+    }
+}
+
+var w;
+function test()
+{
+    w = frames[0];
+    document.body.removeChild(document.getElementsByTagName("iframe")[0]);
+    setTimeout(function() {
+        gc();
+        for (i in w) { }
+        try { w.XMLHttpRequest; } catch (ex) { }
+        try { w.top; } catch (ex) { }
+        document.getElementById("result").innerHTML = "PASS";
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 0);
+}
+
+</script>
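Review bot: The empty `<p></p>` at the top of the test leaves the page with no description of what is being exercised, and "PASS" is written unconditionally at the end of the timeout callback, so the only failure mode is a crash. Put a one-line description in the `<p>` (the bug URL and "should not crash when touching a detached sandboxed frame's window") so a failing run is self-explanatory. If that text is added, the expected-results file can no longer be a 100% copy of fast/dom/beforeload/video-before-load-expected.txt and needs its own content. A smaller point in `test()`: `for (i in w) { }` assigns to an undeclared `i` and creates an implicit global; `for (var i in w)` avoids that.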
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e8d1d4b..ccca00a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-20  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        https://bugs.webkit.org/show_bug.cgi?id=33930
+        Crash in JSDOMWindowBase::crossDomainAccessErrorMessage when accessing a detached sandboxed frame
+
+        Test: http/tests/security/detached-sandboxed-frame-access.html
+
+        * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
+        Changed the way we discover the url to match what the actual check does. Both old and new
+        code correctly fetch the URL of the current window displayed in frame, but going via
+        DOMWindowShell avoids crashing on null DOMWindow::m_frame pointer.
+
 2010-01-20  Vitaly Repeshko  <vitalyr at chromium.org>
 
         Reviewed by Pavel Feldman.
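Review bot: The entry says the URL lookup now matches "what the actual check does" but does not name that check. Naming the function that performs the cross-domain access check in the ChangeLog text would let a later reader confirm that the error-message path and the enforcement path really read the same URL.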
diff --git a/WebCore/bindings/js/JSDOMWindowBase.cpp b/WebCore/bindings/js/JSDOMWindowBase.cpp
index b886b52..176066e 100644
--- a/WebCore/bindings/js/JSDOMWindowBase.cpp
+++ b/WebCore/bindings/js/JSDOMWindowBase.cpp
@@ -76,7 +76,7 @@ ScriptExecutionContext* JSDOMWindowBase::scriptExecutionContext() const
 String JSDOMWindowBase::crossDomainAccessErrorMessage(const JSGlobalObject* other) const
 {
     KURL originURL = asJSDOMWindow(other)->impl()->url();
-    KURL targetURL = impl()->frame()->document()->url();
+    KURL targetURL = d()->shell->window()->impl()->url();
     if (originURL.isNull() || targetURL.isNull())
         return String();
 
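Review bot: The replacement line `KURL targetURL = d()->shell->window()->impl()->url();` still chains four dereferences with no visible null check, so the crash is only avoided if `shell`, `window()` and `impl()` are all guaranteed non-null after the frame is detached. The commit message explains that `DOMWindow::m_frame` can be null, but nothing in this hunk states why the shell path cannot be. Add an ASSERT on `d()->shell` or a short comment above the line recording that invariant, so the next change to this function does not reintroduce a null dereference on the detached-frame path.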

-- 
WebKit Debian packaging