[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:34 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 4a0e0cd7fb45dcabc4bd87ed5db294d8dc933001
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:57:26 2010 -0400
fix cve-2010-1760
diff --git a/WebCore/loader/DocumentThreadableLoader.cpp b/WebCore/loader/DocumentThreadableLoader.cpp
index d0f6c04..55f51ac 100644
--- a/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/WebCore/loader/DocumentThreadableLoader.cpp
@@ -81,16 +81,19 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document* document, Threadabl
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
- if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()))
- makeSimpleCrossOriginAccessRequest(request);
+ OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request));
+ crossOriginRequest->removeCredentials();
+ crossOriginRequest->setAllowCookies(m_options.allowCredentials);
+
+ if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
+ makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
else {
- m_actualRequest.set(new ResourceRequest(request));
- m_actualRequest->setAllowCookies(m_options.allowCredentials);
+ m_actualRequest.set(crossOriginRequest.release());
- if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields()))
+ if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
preflightSuccess();
else
- makeCrossOriginAccessRequestWithPreflight(request);
+ makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
}
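Review bot: The credential strip at the top of the new block deserves a comment saying why it happens once here, before the simple-request check and the preflight-cache lookup, rather than inside the per-path helpers: `canSkipPreflight` is now keyed on the stripped `m_actualRequest->url()` instead of the caller's `request.url()`, and a reader will not see why that argument changed. Suggested comment above `OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request));`: `// Strip any user:pass from the URL once, up front, so the preflight-cache key, the preflight and the actual request all see the same credential-free URL and no URL credentials reach the other origin.` The constructor begins before this hunk, so the same-origin path and whatever sets m_sameOriginRequest are not visible here.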
@@ -106,8 +109,6 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource
// Make a copy of the passed request so that we can modify some details.
ResourceRequest crossOriginRequest(request);
- crossOriginRequest.removeCredentials();
- crossOriginRequest.setAllowCookies(m_options.allowCredentials);
crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
loadRequest(crossOriginRequest, DoSecurityCheck);
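Review bot: makeSimpleCrossOriginAccessRequest now silently depends on its caller having already called `removeCredentials()` and `setAllowCookies()`; nothing in the body states that, and any other call site would send a credentialed URL cross-origin with only the debug-only ASSERT in loadRequest to notice. I would record the precondition at the top of the body, above `ResourceRequest crossOriginRequest(request);`: `// Precondition: the caller has already stripped URL credentials and applied the cookie policy (see the constructor); this only adds the Origin header.` The function's signature and opening brace lie above the hunk, so other call sites cannot be checked from here.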
@@ -293,6 +294,11 @@ void DocumentThreadableLoader::preflightFailure()
void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
{
+ // Any credential should have been removed from the cross-site requests.
+ const KURL& requestURL = request.url();
+ ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
+ ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
+
if (m_async) {
// Don't sniff content or send load callbacks for the preflight request.
bool sendLoadCallbacks = m_options.sendLoadCallbacks && !m_actualRequest;
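Review bot: The two new ASSERTs at the top of loadRequest hold only in debug builds; in a release build a request that still carries `user()`/`pass()` goes out unchanged, so the strip in the constructor is the only real enforcement and the comment should say so instead of reading like a guard. I would reword it to `// Cross-origin requests must have had URL credentials removed by the caller (see the constructor); these ASSERTs document that invariant and are compiled out of release builds.` Whether `m_sameOriginRequest` is set on every path before reaching here is not visible in this hunk, and loadRequest continues past it.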
@@ -316,15 +322,15 @@ void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Secur
// No exception for file:/// resources, see <rdar://problem/4962298>.
// Also, if we have an HTTP response, then it wasn't a network error in fact.
- if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
+ if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) {
m_client->didFail(error);
return;
}
// FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
// request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
- // requested.
- if (request.url() != response.url() && !isAllowedRedirect(response.url())) {
+ // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
+ if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
m_client->didFailRedirectCheck();
return;
}
diff --git a/debian/changelog b/debian/changelog
index acc4a83..8240aff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1758: possible code execution in xml dom processor.
* Fix cve-2010-1759: another possible code execution issue in the xml dom
processor.
+ * Fix cve-2010-1760: user credential information disclosure.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1760.patch b/debian/patches/cve-2010-1760.patch
new file mode 100644
index 0000000..c4ede23
--- /dev/null
+++ b/debian/patches/cve-2010-1760.patch
@@ -0,0 +1,73 @@
+description: fix cve-2010-1760
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/58409
+Index: webkit-1.2.1/WebCore/loader/DocumentThreadableLoader.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/loader/DocumentThreadableLoader.cpp 2010-06-28 21:40:03.000000000 -0400
++++ webkit-1.2.1/WebCore/loader/DocumentThreadableLoader.cpp 2010-06-28 21:54:00.000000000 -0400
+@@ -81,16 +81,19 @@
+
+ ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
+
+- if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()))
+- makeSimpleCrossOriginAccessRequest(request);
++ OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request));
++ crossOriginRequest->removeCredentials();
++ crossOriginRequest->setAllowCookies(m_options.allowCredentials);
++
++ if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
++ makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
+ else {
+- m_actualRequest.set(new ResourceRequest(request));
+- m_actualRequest->setAllowCookies(m_options.allowCredentials);
++ m_actualRequest.set(crossOriginRequest.release());
+
+- if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields()))
++ if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
+ preflightSuccess();
+ else
+- makeCrossOriginAccessRequestWithPreflight(request);
++ makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
+ }
+ }
+
+@@ -106,8 +109,6 @@
+
+ // Make a copy of the passed request so that we can modify some details.
+ ResourceRequest crossOriginRequest(request);
+- crossOriginRequest.removeCredentials();
+- crossOriginRequest.setAllowCookies(m_options.allowCredentials);
+ crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
+
+ loadRequest(crossOriginRequest, DoSecurityCheck);
+@@ -293,6 +294,11 @@
+
+ void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
+ {
++ // Any credential should have been removed from the cross-site requests.
++ const KURL& requestURL = request.url();
++ ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
++ ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
++
+ if (m_async) {
+ // Don't sniff content or send load callbacks for the preflight request.
+ bool sendLoadCallbacks = m_options.sendLoadCallbacks && !m_actualRequest;
+@@ -316,15 +322,15 @@
+
+ // No exception for file:/// resources, see <rdar://problem/4962298>.
+ // Also, if we have an HTTP response, then it wasn't a network error in fact.
+- if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
++ if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) {
+ m_client->didFail(error);
+ return;
+ }
+
+ // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
+ // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
+- // requested.
+- if (request.url() != response.url() && !isAllowedRedirect(response.url())) {
++ // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
++ if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
+ m_client->didFailRedirectCheck();
+ return;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index aa4aa24..91b7bc9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@ cve-2010-1501+1767.patch
cve-2010-1664.patch
cve-2010-1758.patch
cve-2010-1759.patch
+cve-2010-1760.patch