[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.21-584-g1e41756
eric at webkit.org
Fri Feb 26 22:19:45 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit d9b9a827298cadad0fe4e13f50e8b8692aadb5db
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Feb 15 06:05:27 2010 +0000
2010-02-14 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
HTML5 iframe sandbox bypass of window.top.location navigation via <form target="_top">
https://bugs.webkit.org/show_bug.cgi?id=33277
Add a test that _top is covered by @sandbox.
* http/tests/security/resources/fail.html: Added.
* http/tests/security/resources/sandboxed-iframe-form-top.html: Added.
* http/tests/security/sandboxed-iframe-form-top-expected.txt: Added.
* http/tests/security/sandboxed-iframe-form-top.html: Added.
2010-02-14 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
HTML5 iframe sandbox bypass of window.top.location navigation via <form target="_top">
https://bugs.webkit.org/show_bug.cgi?id=33277
submitForm wasn't respecting shouldAllowNavigation. Instead of calling
the wrapper function, we need to call shouldAllowNavigation because we
need to handle the "frame not found" case differently than the
"navigation denied" case.
Test: http/tests/security/sandboxed-iframe-form-top.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54764 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index e0c67b1..ca89bf0 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-02-14 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ HTML5 iframe sandbox bypass of window.top.location navigation via <form target="_top">
+ https://bugs.webkit.org/show_bug.cgi?id=33277
+
+ Add a test that _top is covered by @sandbox.
+
+ * http/tests/security/resources/fail.html: Added.
+ * http/tests/security/resources/sandboxed-iframe-form-top.html: Added.
+ * http/tests/security/sandboxed-iframe-form-top-expected.txt: Added.
+ * http/tests/security/sandboxed-iframe-form-top.html: Added.
+
2010-02-14 Shu Chang <Chang.Shu at nokia.com>
Reviewed by Adam Barth.
diff --git a/LayoutTests/http/tests/security/resources/fail.html b/LayoutTests/http/tests/security/resources/fail.html
new file mode 100644
index 0000000..eea2384
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/fail.html
@@ -0,0 +1,5 @@
+<html>
+<body>
+FAIL
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-form-top.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-form-top.html
new file mode 100644
index 0000000..c6cb6f6
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-form-top.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+<form id="theForm" action="fail.html" method="GET" target="_top">
+<input type="submit" value="Submit"/>
+</form>
+<script>
+var f = document.getElementById('theForm');
+f.submit();
+</script>
+</body>
+</html>
+
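Review bot: The submit button at line 4 of the resource file is dead weight, since the inline script submits the form programmatically the moment the element exists; either drop the `<input type="submit">` or keep it deliberately for manual reproduction and say so in a comment. The same fixture could later be reused with `target="_parent"` and with a named ancestor frame, since those are the other reserved and explicit target names that resolve to an ancestor, but that belongs in separate tests rather than this one. The trailing blank line at the end of the file can go.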
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-form-top-expected.txt b/LayoutTests/http/tests/security/sandboxed-iframe-form-top-expected.txt
new file mode 100644
index 0000000..d942c75
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-form-top-expected.txt
@@ -0,0 +1,5 @@
+This tests passes if the sandboxed frame cannot navigate the top frame.
+
+PASS
+
+
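Review bot: Typo in the first line: "This tests passes" should read "This test passes". Because the expectation file must match the dumped text of the test page byte for byte, the same fix has to be made in `sandboxed-iframe-form-top.html` at the same time, and the two extra trailing blank lines here should be checked against what `dumpAsText()` actually emits for the page before they are trimmed.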
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-form-top.html b/LayoutTests/http/tests/security/sandboxed-iframe-form-top.html
new file mode 100644
index 0000000..0dc3663
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-form-top.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<p>This tests passes if the sandboxed frame cannot navigate the top frame.</p>
+<p>PASS</p>
+<iframe sandbox="allow-forms allow-scripts"
+ src="resources/sandboxed-iframe-form-top.html">
+</iframe>
+</body>
+</html>
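Review bot: Same typo as in the expectation file, "This tests passes" at line 9; fix both files together so the dump still matches. It would also help future readers to state in the `<p>` why the sandbox grants `allow-forms allow-scripts`: the subframe needs scripts to call `submit()` and forms to submit at all, so those two permissions are granted on purpose and the only behaviour under test is whether the form's `_top` target is allowed to navigate the top frame. One robustness question for the reviewer: the test relies on the dump being taken after the sandboxed subframe has run its script and the blocked navigation has been rejected; if that ordering is not guaranteed, the subframe could `notifyDone()` after `submit()` with the test using `waitUntilDone()`, so the PASS text is only dumped once the navigation attempt has actually been made.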
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3ae86ee..26415f9 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-02-14 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ HTML5 iframe sandbox bypass of window.top.location navigation via <form target="_top">
+ https://bugs.webkit.org/show_bug.cgi?id=33277
+
+ submitForm wasn't respecting shouldAllowNavigation. Instead of calling
+ the wrapper function, we need to call shouldAllowNavigation because we
+ need to handle the "frame not found" case differently than the
+ "navigation denied" case.
+
+ Test: http/tests/security/sandboxed-iframe-form-top.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::submitForm):
+
2010-02-14 Kent Tamura <tkent at chromium.org>
No review. Touch RenderRuny*.cpp to fix Chromium/Windows build bot.
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index a21ff93..47f32c9 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -463,7 +463,9 @@ void FrameLoader::submitForm(const char* action, const String& url, PassRefPtr<F
FrameLoadRequest frameRequest;
String targetOrBaseTarget = target.isEmpty() ? m_frame->document()->baseTarget() : target;
- Frame* targetFrame = findFrameForNavigation(targetOrBaseTarget);
+ Frame* targetFrame = m_frame->tree()->find(targetOrBaseTarget);
+ if (!shouldAllowNavigation(targetFrame))
+ return;
if (!targetFrame) {
targetFrame = m_frame;
frameRequest.setFrameName(targetOrBaseTarget);
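Review bot: Two things to confirm on the new lines. First, `shouldAllowNavigation(targetFrame)` is now called with a possibly null `targetFrame` (the "frame not found" case the ChangeLog describes), so it must return true for null rather than deny or dereference; otherwise the fall-through at `if (!targetFrame)` that sets `frameRequest.setFrameName(targetOrBaseTarget)` and opens a new named window is never reached. Second, replacing `findFrameForNavigation(targetOrBaseTarget)` with `m_frame->tree()->find(targetOrBaseTarget)` assumes `FrameTree::find` resolves the reserved names (`_top`, `_parent`, `_self`, `_blank`) exactly as the wrapper did; a one-line comment above the call stating that the wrapper was bypassed deliberately to separate "not found" from "denied" would stop a later cleanup from reinstating it. Worth asking in the same review whether the new-window path reached when the frame is not found is itself subject to the sandbox policy, since a sandboxed frame with an unknown target name now goes down that path after passing the null check.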
--
WebKit Debian packaging