[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:19 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 63f0b3fb221d9bf36d27b5db03ae3e801df70d5f
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:27:48 2010 -0400
fix cve-2010-1418
diff --git a/WebCore/bindings/js/JSAttrCustom.cpp b/WebCore/bindings/js/JSAttrCustom.cpp
index 3c01535..4cd40ac 100644
--- a/WebCore/bindings/js/JSAttrCustom.cpp
+++ b/WebCore/bindings/js/JSAttrCustom.cpp
@@ -33,6 +33,7 @@
#include "Document.h"
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
+#include "JSDOMBinding.h"
using namespace JSC;
@@ -46,13 +47,8 @@ void JSAttr::setValue(ExecState* exec, JSValue value)
String attrValue = valueToStringWithNullCheck(exec, value);
Element* ownerElement = imp->ownerElement();
- if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
- if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return;
- }
- }
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
+ return;
ExceptionCode ec = 0;
imp->setValue(attrValue, ec);
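Review bot: The refusal at the new `return` on the second added line is silent at the JS level — no DOM exception is set and the setter simply does nothing — which differs from the NOT_SUPPORTED_ERR raised by the JSNode child-manipulation guards elsewhere in this commit. If the silence is deliberate (the access check presumably already reports to the console, as checkNodeSecurity does elsewhere in the bindings — verify), a one-line comment makes that explicit: `// Refused by the access check: no exception is raised, the setter is a no-op.` JSAttr::setValue begins before and ends after this hunk.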
diff --git a/WebCore/bindings/js/JSDOMBinding.cpp b/WebCore/bindings/js/JSDOMBinding.cpp
index f294dad..393c1ee 100644
--- a/WebCore/bindings/js/JSDOMBinding.cpp
+++ b/WebCore/bindings/js/JSDOMBinding.cpp
@@ -24,6 +24,7 @@
#include "debugger/DebuggerCallFrame.h"
#include "ActiveDOMObject.h"
+#include "CSSHelper.h"
#include "DOMCoreException.h"
#include "DOMObjectHashTableMap.h"
#include "Document.h"
@@ -33,6 +34,7 @@
#include "Frame.h"
#include "HTMLAudioElement.h"
#include "HTMLCanvasElement.h"
+#include "HTMLFrameElementBase.h"
#include "HTMLImageElement.h"
#include "HTMLNames.h"
#include "HTMLScriptElement.h"
@@ -630,6 +632,16 @@ bool shouldAllowNavigation(ExecState* exec, Frame* frame)
return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame);
}
+bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+{
+ if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+ Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+ if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+ return false;
+ }
+ return true;
+}
+
void printErrorMessageForFrame(Frame* frame, const String& message)
{
if (!frame)
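Review bot: allowSettingSrcToJavascriptURL dereferences `element` on its first line with no null check, so the guard now rests on every caller remembering `ownerElement &&` / `imp->element()` as the three call sites in this commit do; since the function has moved from a file-local static to a public declaration in JSDOMBinding.h, that precondition deserves a doc comment. Suggested header comment: `// Returns false when script is setting a frame's or iframe's src to a javascript: URL and the caller may not access the frame's current content document. element must be non-null.` The static_cast to HTMLFrameElementBase is safe only because it is guarded by the iframeTag/frameTag test on the same line, which is worth stating in the same comment.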
diff --git a/WebCore/bindings/js/JSDOMBinding.h b/WebCore/bindings/js/JSDOMBinding.h
index 219472b..40f7e40 100644
--- a/WebCore/bindings/js/JSDOMBinding.h
+++ b/WebCore/bindings/js/JSDOMBinding.h
@@ -301,6 +301,8 @@ namespace WebCore {
bool allowsAccessFromFrame(JSC::ExecState*, Frame*);
bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
bool shouldAllowNavigation(JSC::ExecState*, Frame*);
+ bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
+
void printErrorMessageForFrame(Frame*, const String& message);
JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);
diff --git a/WebCore/bindings/js/JSElementCustom.cpp b/WebCore/bindings/js/JSElementCustom.cpp
index c725290..94012fd 100644
--- a/WebCore/bindings/js/JSElementCustom.cpp
+++ b/WebCore/bindings/js/JSElementCustom.cpp
@@ -36,6 +36,7 @@
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
#include "JSAttr.h"
+#include "JSDOMBinding.h"
#include "JSHTMLElementWrapperFactory.h"
#include "JSNodeList.h"
#include "NodeList.h"
@@ -63,16 +64,6 @@ void JSElement::markChildren(MarkStack& markStack)
markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
}
-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
-{
- if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return false;
- }
- return true;
-}
-
JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args)
{
ExceptionCode ec = 0;
diff --git a/WebCore/bindings/js/JSNamedNodeMapCustom.cpp b/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
index 13f3628..965498a 100644
--- a/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
+++ b/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
@@ -35,6 +35,38 @@ using namespace JSC;
namespace WebCore {
+JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
+JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
{
return impl->getNamedItem(propertyName);
diff --git a/WebCore/bindings/js/JSNodeCustom.cpp b/WebCore/bindings/js/JSNodeCustom.cpp
index 39bdf0c..06022a2 100644
--- a/WebCore/bindings/js/JSNodeCustom.cpp
+++ b/WebCore/bindings/js/JSNodeCustom.cpp
@@ -38,6 +38,7 @@
#include "JSAttr.h"
#include "JSCDATASection.h"
#include "JSComment.h"
+#include "JSDOMBinding.h"
#include "JSDocument.h"
#include "JSDocumentFragment.h"
#include "JSDocumentType.h"
@@ -66,12 +67,53 @@ using namespace JSC;
namespace WebCore {
-typedef int ExpectionCode;
+static inline bool isAttrFrameSrc(Element *element, const String& name)
+{
+ return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setNodeValue(nodeValue, ec);
+ setDOMException(exec, ec);
+}
+
+void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setTextContent(nodeValue, ec);
+ setDOMException(exec, ec);
+}
JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
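Review bot: isAttrFrameSrc rejects any child-node mutation of a frame or iframe src Attr with NOT_SUPPORTED_ERR regardless of the value, while the value-setting paths (setNodeValue, setTextContent) refuse only when the new value is a javascript: URL the caller may not run; nothing in the hunk says why the two paths differ. A comment on isAttrFrameSrc would save the next reader from "fixing" it into a value check, e.g. `// Child-node edits change an Attr's value without passing through the setter, so a frame's src Attr is refused outright here instead of being value-checked (presumably intended — confirm).` The same four-line guard is pasted into insertBefore here and into replaceChild, removeChild and appendChild in the three following hunks; a small `static bool rejectFrameSrcAttrMutation(ExecState*, Node*)` that sets the exception and returns true would keep them in step, and setNodeValue/setTextContent likewise differ by one call. Minor: `static_cast<Attr*>(impl())` can use the `imp` already in hand. insertBefore continues past the end of this hunk.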
@@ -80,8 +122,14 @@ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(1);
@@ -90,8 +138,14 @@ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->removeChild(toNode(args.at(0)), ec);
+ bool ok = imp->removeChild(toNode(args.at(0)), ec);
setDOMException(exec, ec);
if (ok)
return args.at(0);
@@ -100,8 +154,14 @@ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
+ bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
diff --git a/WebCore/css/CSSHelper.cpp b/WebCore/css/CSSHelper.cpp
index 8e6f3a0..c3418b4 100644
--- a/WebCore/css/CSSHelper.cpp
+++ b/WebCore/css/CSSHelper.cpp
@@ -36,7 +36,7 @@ String deprecatedParseURL(const String& url)
int o = 0;
int l = i->length();
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
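Review bot: `0 < l` reads like a typo for the `o < l` it replaces; since `l` is decremented alongside `o` and so counts the characters not yet consumed, `while (l > 0 && (*i)[o] <= ' ') {` states the intent directly and is less likely to be "corrected" back in a later merge. The same rewrite applies to the two following hunks of this function, which change the identical loop. deprecatedParseURL begins before this hunk.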
@@ -53,7 +53,7 @@ String deprecatedParseURL(const String& url)
l -= 5;
}
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
@@ -65,7 +65,7 @@ String deprecatedParseURL(const String& url)
l -= 2;
}
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
diff --git a/WebCore/dom/Attr.idl b/WebCore/dom/Attr.idl
index af84478..3c73bc0 100644
--- a/WebCore/dom/Attr.idl
+++ b/WebCore/dom/Attr.idl
@@ -28,7 +28,9 @@ module core {
// DOM Level 1
readonly attribute [ConvertNullStringTo=Null] DOMString name;
+
readonly attribute boolean specified;
+
attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
setter raises(DOMException);
diff --git a/WebCore/dom/NamedNodeMap.idl b/WebCore/dom/NamedNodeMap.idl
index 4d36577..7bfbf23 100644
--- a/WebCore/dom/NamedNodeMap.idl
+++ b/WebCore/dom/NamedNodeMap.idl
@@ -28,7 +28,7 @@ module core {
Node getNamedItem(in DOMString name);
- Node setNamedItem(in Node node)
+ [Custom] Node setNamedItem(in Node node)
raises(DOMException);
Node removeNamedItem(in DOMString name)
@@ -46,7 +46,7 @@ module core {
// FIXME: the implementation does take an exceptioncode parameter.
/*raises(DOMException)*/;
- Node setNamedItemNS(in Node node)
+ [Custom] Node setNamedItemNS(in Node node)
raises(DOMException);
[OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI,
diff --git a/WebCore/dom/Node.idl b/WebCore/dom/Node.idl
index 0489316..22d9a85 100644
--- a/WebCore/dom/Node.idl
+++ b/WebCore/dom/Node.idl
@@ -51,7 +51,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString nodeName;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
setter raises(DOMException);
readonly attribute unsigned short nodeType;
@@ -96,7 +96,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString baseURI;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
setter raises(DOMException);
boolean isSameNode(in Node other);
diff --git a/debian/changelog b/debian/changelog
index e6bef7e..f665caf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1416: svg cross-site information disclosure.
* Fix cve-2010-1417: possible code execution in the css implementation (this
currently duplicated as cve-2010-1665 in the cve tracker).
+ * Fix cve-2010-1418: remote web script and/or html injection.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1418-part1.patch b/debian/patches/cve-2010-1418-part1.patch
new file mode 100644
index 0000000..1080836
--- /dev/null
+++ b/debian/patches/cve-2010-1418-part1.patch
@@ -0,0 +1,69 @@
+description: fix cve-2010-1418 part 1
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/56651
+Index: webkit-1.2.1/WebCore/dom/Attr.idl
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/Attr.idl 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/Attr.idl 2010-06-28 21:26:29.000000000 -0400
+@@ -28,10 +28,17 @@
+ // DOM Level 1
+
+ readonly attribute [ConvertNullStringTo=Null] DOMString name;
++
+ readonly attribute boolean specified;
++
+ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
+ setter raises(DOMException);
+
++#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
++ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue
++ setter raises(DOMException);
++#endif
++
+ // DOM Level 2
+
+ readonly attribute Element ownerElement;
+@@ -40,6 +47,11 @@
+
+ readonly attribute boolean isId;
+
++#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
++ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent
++ setter raises(DOMException);
++#endif
++
+ // extensions
+ readonly attribute CSSStyleDeclaration style;
+ };
+Index: webkit-1.2.1/WebCore/bindings/js/JSAttrCustom.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSAttrCustom.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSAttrCustom.cpp 2010-06-28 21:26:29.000000000 -0400
+@@ -59,6 +59,27 @@
+ setDOMException(exec, ec);
+ }
+
++JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const
++{
++ Attr* imp = this->impl();
++ return jsStringOrNull(exec, imp->value());
++}
++
++void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
++{
++ setValue(exec, value);
++}
++
++JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const
++{
++ return nodeValue(exec);
++}
++
++void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
++{
++ setValue(exec, value);
++}
++
+ void JSAttr::markChildren(MarkStack& markStack)
+ {
+ Base::markChildren(markStack);
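Review bot: Everything this patch adds — the `[Custom]` nodeValue/textContent attributes in Attr.idl and the four JSAttr getter/setter overrides in JSAttrCustom.cpp — is removed again by cve-2010-1418-part2.patch, leaving only the two blank lines in Attr.idl as its net effect, and a reader of debian/patches/series cannot tell that from the descriptions. One extra header line such as `note: superseded by cve-2010-1418-part2.patch; kept so the series mirrors upstream changesets 56651 and 57627 in order` would document it. Dropping part1 and folding the two blank lines into part2 is the alternative if mirroring upstream one-to-one is not a goal.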
diff --git a/debian/patches/cve-2010-1418-part2.patch b/debian/patches/cve-2010-1418-part2.patch
new file mode 100644
index 0000000..73db6c8
--- /dev/null
+++ b/debian/patches/cve-2010-1418-part2.patch
@@ -0,0 +1,368 @@
+description: fix cve-2010-1418 part 2
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/57627
+Index: webkit-1.2.1/WebCore/dom/NamedNodeMap.idl
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/NamedNodeMap.idl 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/NamedNodeMap.idl 2010-06-28 21:26:40.000000000 -0400
+@@ -28,7 +28,7 @@
+
+ Node getNamedItem(in DOMString name);
+
+- Node setNamedItem(in Node node)
++ [Custom] Node setNamedItem(in Node node)
+ raises(DOMException);
+
+ Node removeNamedItem(in DOMString name)
+@@ -46,7 +46,7 @@
+ // FIXME: the implementation does take an exceptioncode parameter.
+ /*raises(DOMException)*/;
+
+- Node setNamedItemNS(in Node node)
++ [Custom] Node setNamedItemNS(in Node node)
+ raises(DOMException);
+
+ [OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI,
+Index: webkit-1.2.1/WebCore/dom/Attr.idl
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/Attr.idl 2010-06-28 21:26:29.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/Attr.idl 2010-06-28 21:26:40.000000000 -0400
+@@ -34,11 +34,6 @@
+ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
+ setter raises(DOMException);
+
+-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
+- attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue
+- setter raises(DOMException);
+-#endif
+-
+ // DOM Level 2
+
+ readonly attribute Element ownerElement;
+@@ -47,11 +42,6 @@
+
+ readonly attribute boolean isId;
+
+-#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
+- attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent
+- setter raises(DOMException);
+-#endif
+-
+ // extensions
+ readonly attribute CSSStyleDeclaration style;
+ };
+Index: webkit-1.2.1/WebCore/dom/Node.idl
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/Node.idl 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/Node.idl 2010-06-28 21:26:40.000000000 -0400
+@@ -51,7 +51,7 @@
+ readonly attribute [ConvertNullStringTo=Null] DOMString nodeName;
+
+ // FIXME: the spec says this can also raise on retrieval.
+- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
++ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
+ setter raises(DOMException);
+
+ readonly attribute unsigned short nodeType;
+@@ -96,7 +96,7 @@
+ readonly attribute [ConvertNullStringTo=Null] DOMString baseURI;
+
+ // FIXME: the spec says this can also raise on retrieval.
+- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
++ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
+ setter raises(DOMException);
+
+ boolean isSameNode(in Node other);
+Index: webkit-1.2.1/WebCore/bindings/js/JSElementCustom.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSElementCustom.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSElementCustom.cpp 2010-06-28 21:26:40.000000000 -0400
+@@ -36,6 +36,7 @@
+ #include "HTMLFrameElementBase.h"
+ #include "HTMLNames.h"
+ #include "JSAttr.h"
++#include "JSDOMBinding.h"
+ #include "JSHTMLElementWrapperFactory.h"
+ #include "JSNodeList.h"
+ #include "NodeList.h"
+@@ -63,16 +64,6 @@
+ markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
+ }
+
+-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+-{
+- if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+- Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+- return false;
+- }
+- return true;
+-}
+-
+ JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args)
+ {
+ ExceptionCode ec = 0;
+Index: webkit-1.2.1/WebCore/bindings/js/JSDOMBinding.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSDOMBinding.h 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSDOMBinding.h 2010-06-28 21:26:40.000000000 -0400
+@@ -301,6 +301,8 @@
+ bool allowsAccessFromFrame(JSC::ExecState*, Frame*);
+ bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
+ bool shouldAllowNavigation(JSC::ExecState*, Frame*);
++ bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
++
+ void printErrorMessageForFrame(Frame*, const String& message);
+ JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);
+
+Index: webkit-1.2.1/WebCore/bindings/js/JSAttrCustom.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSAttrCustom.cpp 2010-06-28 21:26:29.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSAttrCustom.cpp 2010-06-28 21:26:40.000000000 -0400
+@@ -33,6 +33,7 @@
+ #include "Document.h"
+ #include "HTMLFrameElementBase.h"
+ #include "HTMLNames.h"
++#include "JSDOMBinding.h"
+
+ using namespace JSC;
+
+@@ -46,40 +47,14 @@
+ String attrValue = valueToStringWithNullCheck(exec, value);
+
+ Element* ownerElement = imp->ownerElement();
+- if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
+- if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
+- Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
+- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+- return;
+- }
+- }
++ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
++ return;
+
+ ExceptionCode ec = 0;
+ imp->setValue(attrValue, ec);
+ setDOMException(exec, ec);
+ }
+
+-JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const
+-{
+- Attr* imp = this->impl();
+- return jsStringOrNull(exec, imp->value());
+-}
+-
+-void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+-{
+- setValue(exec, value);
+-}
+-
+-JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const
+-{
+- return nodeValue(exec);
+-}
+-
+-void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+-{
+- setValue(exec, value);
+-}
+-
+ void JSAttr::markChildren(MarkStack& markStack)
+ {
+ Base::markChildren(markStack);
+Index: webkit-1.2.1/WebCore/bindings/js/JSDOMBinding.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSDOMBinding.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSDOMBinding.cpp 2010-06-28 21:26:40.000000000 -0400
+@@ -24,6 +24,7 @@
+ #include "debugger/DebuggerCallFrame.h"
+
+ #include "ActiveDOMObject.h"
++#include "CSSHelper.h"
+ #include "DOMCoreException.h"
+ #include "DOMObjectHashTableMap.h"
+ #include "Document.h"
+@@ -33,6 +34,7 @@
+ #include "Frame.h"
+ #include "HTMLAudioElement.h"
+ #include "HTMLCanvasElement.h"
++#include "HTMLFrameElementBase.h"
+ #include "HTMLImageElement.h"
+ #include "HTMLNames.h"
+ #include "HTMLScriptElement.h"
+@@ -630,6 +632,16 @@
+ return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame);
+ }
+
++bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
++{
++ if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
++ Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
++ if (contentDocument && !checkNodeSecurity(exec, contentDocument))
++ return false;
++ }
++ return true;
++}
++
+ void printErrorMessageForFrame(Frame* frame, const String& message)
+ {
+ if (!frame)
+Index: webkit-1.2.1/WebCore/bindings/js/JSNodeCustom.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSNodeCustom.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSNodeCustom.cpp 2010-06-28 21:26:40.000000000 -0400
+@@ -38,6 +38,7 @@
+ #include "JSAttr.h"
+ #include "JSCDATASection.h"
+ #include "JSComment.h"
++#include "JSDOMBinding.h"
+ #include "JSDocument.h"
+ #include "JSDocumentFragment.h"
+ #include "JSDocumentType.h"
+@@ -66,12 +67,53 @@
+
+ namespace WebCore {
+
+-typedef int ExpectionCode;
++static inline bool isAttrFrameSrc(Element *element, const String& name)
++{
++ return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
++}
++
++void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
++{
++ Node* imp = static_cast<Node*>(impl());
++ String nodeValue = valueToStringWithNullCheck(exec, value);
++
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
++ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
++ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
++ return;
++ }
++
++ ExceptionCode ec = 0;
++ imp->setNodeValue(nodeValue, ec);
++ setDOMException(exec, ec);
++}
++
++void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
++{
++ Node* imp = static_cast<Node*>(impl());
++ String nodeValue = valueToStringWithNullCheck(exec, value);
++
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
++ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
++ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
++ return;
++ }
++
++ ExceptionCode ec = 0;
++ imp->setTextContent(nodeValue, ec);
++ setDOMException(exec, ec);
++}
+
+ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
+ {
++ Node* imp = static_cast<Node*>(impl());
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
++ setDOMException(exec, NOT_SUPPORTED_ERR);
++ return jsNull();
++ }
++
+ ExceptionCode ec = 0;
+- bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
++ bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ setDOMException(exec, ec);
+ if (ok)
+ return args.at(0);
+@@ -80,8 +122,14 @@
+
+ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
+ {
++ Node* imp = static_cast<Node*>(impl());
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
++ setDOMException(exec, NOT_SUPPORTED_ERR);
++ return jsNull();
++ }
++
+ ExceptionCode ec = 0;
+- bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
++ bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ setDOMException(exec, ec);
+ if (ok)
+ return args.at(1);
+@@ -90,8 +138,14 @@
+
+ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
+ {
++ Node* imp = static_cast<Node*>(impl());
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
++ setDOMException(exec, NOT_SUPPORTED_ERR);
++ return jsNull();
++ }
++
+ ExceptionCode ec = 0;
+- bool ok = impl()->removeChild(toNode(args.at(0)), ec);
++ bool ok = imp->removeChild(toNode(args.at(0)), ec);
+ setDOMException(exec, ec);
+ if (ok)
+ return args.at(0);
+@@ -100,8 +154,14 @@
+
+ JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
+ {
++ Node* imp = static_cast<Node*>(impl());
++ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
++ setDOMException(exec, NOT_SUPPORTED_ERR);
++ return jsNull();
++ }
++
+ ExceptionCode ec = 0;
+- bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
++ bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
+ setDOMException(exec, ec);
+ if (ok)
+ return args.at(0);
+Index: webkit-1.2.1/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/bindings/js/JSNamedNodeMapCustom.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/bindings/js/JSNamedNodeMapCustom.cpp 2010-06-28 21:26:40.000000000 -0400
+@@ -35,6 +35,38 @@
+
+ namespace WebCore {
+
++JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
++{
++ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
++ ExceptionCode ec = 0;
++ Node* newNode = toNode(args.at(0));
++
++ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
++ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
++ return jsNull();
++ }
++
++ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
++ setDOMException(exec, ec);
++ return result;
++}
++
++JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
++{
++ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
++ ExceptionCode ec = 0;
++ Node* newNode = toNode(args.at(0));
++
++ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
++ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
++ return jsNull();
++ }
++
++ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
++ setDOMException(exec, ec);
++ return result;
++}
++
+ bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
+ {
+ return impl->getNamedItem(propertyName);
diff --git a/debian/patches/cve-2010-1418-part3.patch b/debian/patches/cve-2010-1418-part3.patch
new file mode 100644
index 0000000..ed03d8f
--- /dev/null
+++ b/debian/patches/cve-2010-1418-part3.patch
@@ -0,0 +1,34 @@
+description: fix cve-2010-1418 part 3
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/58844
+Index: webkit-1.2.1/WebCore/css/CSSHelper.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/css/CSSHelper.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/css/CSSHelper.cpp 2010-06-28 21:27:00.000000000 -0400
+@@ -36,7 +36,7 @@
+ int o = 0;
+ int l = i->length();
+
+- while (o < l && (*i)[o] <= ' ') {
++ while (0 < l && (*i)[o] <= ' ') {
+ ++o;
+ --l;
+ }
+@@ -53,7 +53,7 @@
+ l -= 5;
+ }
+
+- while (o < l && (*i)[o] <= ' ') {
++ while (0 < l && (*i)[o] <= ' ') {
+ ++o;
+ --l;
+ }
+@@ -65,7 +65,7 @@
+ l -= 2;
+ }
+
+- while (o < l && (*i)[o] <= ' ') {
++ while (0 < l && (*i)[o] <= ' ') {
+ ++o;
+ --l;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 42c3b73..d156010 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,6 @@ cve-2010-1405.patch
cve-2010-1407.patch
cve-2010-1416.patch
cve-2010-1417+1665.patch
+cve-2010-1418-part1.patch
+cve-2010-1418-part2.patch
+cve-2010-1418-part3.patch