[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87
Gustavo Noronha Silva
gns at gnome.org
Thu Jul 15 21:13:17 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 5c7c2ff886f3091440103870b9c0fb4a978fb618
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Mar 30 21:51:52 2010 +0000
2010-03-30 Chris Evans <cevans at chromium.org>
Reviewed by Adam Barth.
Add test for SVG pattern canvas tainting.
https://bugs.webkit.org/show_bug.cgi?id=36838
* fast/canvas/svg-taint.html: Added
* fast/canvas/svg-taint-expected.txt: Added
* fast/canvas/resources/empty.svg: Added
2010-03-30 Chris Evans <cevans at chromium.org>
Reviewed by Adam Barth.
Taint the canvas if an SVG-derived pattern is rendered into it.
https://bugs.webkit.org/show_bug.cgi?id=36838
Test: fast/canvas/svg-taint.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::createPattern):
Take into account the image's hasSingleSecurityOrigin() property.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56810 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 30bf972..b25888d 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-03-30 Chris Evans <cevans at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Add test for SVG pattern canvas tainting.
+
+ https://bugs.webkit.org/show_bug.cgi?id=36838
+
+ * fast/canvas/svg-taint.html: Added
+ * fast/canvas/svg-taint-expected.txt: Added
+ * fast/canvas/resources/empty.svg: Added
+
2010-03-22 Darin Fisher <darin at chromium.org>
Reviewed by Brady Eidson.
diff --git a/LayoutTests/fast/canvas/resources/empty.svg b/LayoutTests/fast/canvas/resources/empty.svg
new file mode 100644
index 0000000..9e42af2
--- /dev/null
+++ b/LayoutTests/fast/canvas/resources/empty.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg">
+</svg>
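Review bot: The fixture in empty.svg has no drawable content and carries no comment saying that this is deliberate. Since svg-taint.html expects SECURITY_ERR even for this empty document, add an XML comment stating that the test relies on the image type alone (via hasSingleSecurityOrigin()) rather than on anything the SVG references, so nobody later "fixes" the fixture by adding content or replaces it with a raster image.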
diff --git a/LayoutTests/fast/canvas/svg-taint-expected.txt b/LayoutTests/fast/canvas/svg-taint-expected.txt
new file mode 100644
index 0000000..2c4a90c
--- /dev/null
+++ b/LayoutTests/fast/canvas/svg-taint-expected.txt
@@ -0,0 +1,6 @@
+Let's check that rendering an SVG pattern to a canvas taints it!
+See https://bugs.webkit.org/show_bug.cgi?id=36838
+
+Starting...
+Exception: SECURITY_ERR
+
diff --git a/LayoutTests/fast/canvas/svg-taint.html b/LayoutTests/fast/canvas/svg-taint.html
new file mode 100644
index 0000000..4ce479a
--- /dev/null
+++ b/LayoutTests/fast/canvas/svg-taint.html
@@ -0,0 +1,46 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function log(message) {
+ var console = document.getElementById('log');
+ console.appendChild(document.createTextNode(message));
+ console.appendChild(document.createElement('br'));
+}
+
+function loaded() {
+ var canvas = document.getElementById('canvas');
+ var ctx = canvas.getContext("2d");
+ var img = document.getElementById('img');
+ log('Starting...');
+
+ // This should taint the canvas by rendering an SVG on to it via the pattern
+ // route.
+ var p = ctx.createPattern(img, 'repeat');
+ ctx.fillStyle = p;
+ ctx.fillRect(0, 0, 100, 100);
+
+ try {
+ // This should fail as the canvas should be tainted.
+ var data = ctx.getImageData(0, 0, 10, 10);
+ log('Oh dear -- missing exception!');
+ } catch (e) {
+ log('Exception: ' + e.name);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+}
+</script>
+</head>
+<body>
+Let's check that rendering an SVG pattern to a canvas taints it!
+<p>
+See https://bugs.webkit.org/show_bug.cgi?id=36838
+<div id="log"></div>
+<canvas id="canvas" width="100" height="100"></canvas>
+<img id="img" onload="loaded()" src="resources/empty.svg"></img>
+</body>
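Review bot: In loaded(), layoutTestController.notifyDone() is called only inside the catch block, so if getImageData() succeeds (the regression this test exists to catch) the test logs 'Oh dear -- missing exception!' and then sits until the harness times out instead of finishing with a text diff against svg-taint-expected.txt. Move the notifyDone() call to after the try/catch so both outcomes complete. The read-back is checked only through getImageData(); a second check with canvas.toDataURL() on the same canvas would cover the other read-back path with the same fixture. Minor: the file ends at </body> with no closing </html>.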
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 78b332d..e849c07 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-03-30 Chris Evans <cevans at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Taint the canvas if an SVG-derived pattern is rendered into it.
+
+ https://bugs.webkit.org/show_bug.cgi?id=36838
+
+ Test: fast/canvas/svg-taint.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::createPattern):
+ Take into account the image's hasSingleSecurityOrigin() property.
+
2010-03-22 Darin Fisher <darin at chromium.org>
Reviewed by Brady Eidson.
diff --git a/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index 8add19c..6fe74f9 100644
--- a/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1211,7 +1211,7 @@ PassRefPtr<CanvasPattern> CanvasRenderingContext2D::createPattern(HTMLImageEleme
if (!cachedImage || !image->cachedImage()->image())
return CanvasPattern::create(Image::nullImage(), repeatX, repeatY, true);
- bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url()));
+ bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url())) && cachedImage->image()->hasSingleSecurityOrigin();
return CanvasPattern::create(cachedImage->image(), repeatX, repeatY, originClean);
}
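Review bot: The new originClean expression in createPattern folds two independent conditions, the URL-based taintsCanvas() check and cachedImage->image()->hasSingleSecurityOrigin(), into one long line with no comment, so a reader cannot tell why an image fetched from a same-origin URL can still leave the pattern unclean. Add a one-line comment giving the reason and consider splitting the expression into two named booleans. The guard two lines up tests image->cachedImage()->image() while the new call goes through cachedImage->image(); using the local in both places would make it obvious that the null check covers the new dereference. Only the HTMLImageElement overload of createPattern is touched here, so it is worth stating in the ChangeLog entry or the bug whether the other paths that render an image into the canvas already consult hasSingleSecurityOrigin().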
--
WebKit Debian packaging