[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-60-g76add97
Gustavo Noronha Silva
gns at gnome.org
Sun Oct 17 22:27:53 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 9e68ec73617f743079b20d3d31cda0625b8c1297
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Aug 23 20:03:36 2010 +0000
2010-08-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Dimitri Glazkov.
Fix security origin calculation in createPattern. Need to use
cachedImage->response().url() instead of cachedImage->url().
https://bugs.webkit.org/show_bug.cgi?id=44399.
Test: http/tests/security/canvas-remote-read-remote-image-redirect.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::createPattern):
2010-08-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Dimitri Glazkov.
Tests that calling getImageData() or toDataURL() is not allowed on a canvas
tainted by createPattern with a different-origin image that was reached
through a redirect from the same origin.
https://bugs.webkit.org/show_bug.cgi?id=44399
* http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt: Added.
* http/tests/security/canvas-remote-read-remote-image-redirect.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f5c36b0..2ab61ce 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-08-23 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Tests that calling getImageData(), toDataURL() on a canvas tainted by
+ a createPattern of a different origin image using redirects from same origin
+ is not allowed.
+ https://bugs.webkit.org/show_bug.cgi?id=44399
+
+ * http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt: Added.
+ * http/tests/security/canvas-remote-read-remote-image-redirect.html: Added.
+
2010-08-20 Tony Chang <tony at chromium.org>
Reviewed by Adam Barth.
diff --git a/LayoutTests/http/tests/security/canvas-remote-read-remote-image-expected.txt b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/canvas-remote-read-remote-image-expected.txt
copy to LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt
diff --git a/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html
new file mode 100644
index 0000000..c661093
--- /dev/null
+++ b/LayoutTests/http/tests/security/canvas-remote-read-remote-image-redirect.html
@@ -0,0 +1,107 @@
+<pre id="console"></pre>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+log = function(msg)
+{
+ document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
+}
+
+testGetImageData = function(context, description)
+{
+ description = "Calling getImageData() from a canvas tainted by a " + description;
+ try {
+ var imageData = context.getImageData(0,0,100,100);
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+testToDataURL = function(canvas, description)
+{
+ description = "Calling toDataURL() on a canvas tainted by a " + description;
+ try {
+ var dataURL = canvas.toDataURL();
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+test = function(canvas, description)
+{
+ testGetImageData(canvas.getContext("2d"), description);
+ testToDataURL(canvas, description);
+}
+
+var image = new Image();
+image.onload = function() {
+ var canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+
+ // Control tests
+ log("Untainted canvas:");
+ try {
+ var imageData = context.getImageData(0, 0, 100, 100);
+ log("PASS: Calling getImageData() from an untainted canvas was allowed.");
+ } catch (e) {
+ log("FAIL: Calling getImageData() from an untainted canvas was not allowed: Threw error: " + e + ".");
+ }
+ try {
+ var dataURL = canvas.toDataURL();
+ log("PASS: Calling toDataURL() on an untainted canvas was allowed.");
+ } catch (e) {
+ log("FAIL: Calling toDataURL() on an untainted canvas was not allowed: Threw error: " + e + ".");
+ }
+
+ log("\n");
+ log("Tainted canvas:");
+ // Test reading from a canvas after drawing a remote image onto it
+ context.drawImage(image, 0, 0, 100, 100);
+
+ test(canvas, "remote image");
+
+ var dirtyCanvas = canvas;
+
+ // Now test reading from a canvas after drawing a tainted canvas onto it
+ canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+ context.drawImage(dirtyCanvas, 0, 0, 100, 100);
+
+ test(canvas, "tainted canvas");
+
+ // Test reading after using a tainted pattern
+ canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+ var remoteImagePattern = context.createPattern(image, "repeat");
+ context.fillStyle = remoteImagePattern;
+ context.fillRect(0, 0, 100, 100);
+
+ test(canvas, "remote image tainted pattern");
+
+ // Test reading after using a tainted pattern
+ canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+ var taintedCanvasPattern = context.createPattern(dirtyCanvas, "repeat");
+ context.fillStyle = taintedCanvasPattern;
+ context.fillRect(0, 0, 100, 100);
+
+ test(canvas, "tainted canvas pattern");
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+image.src = "resources/redir.php?url=http://localhost:8000/security/resources/abe.png";
+</script>
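Review bot: The test registers no `image.onerror` handler, so if `resources/redir.php` or the redirected image fails to load, `onload` never runs and the test ends by timeout instead of logging a FAIL. Adding `image.onerror = function() { log("FAIL: image failed to load."); if (window.layoutTestController) layoutTestController.notifyDone(); };` before `image.src` is assigned would make that failure explicit. The second `// Test reading after using a tainted pattern` comment, above the `dirtyCanvas` pattern case, duplicates the first; `// Test reading after using a pattern made from a tainted canvas` would tell the two cases apart.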
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a0bdb88..113e8f3 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-08-23 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Fix security origin calculation in createPattern. Need to use
+ cachedImage->response().url() instead of cachedImage->url().
+ https://bugs.webkit.org/show_bug.cgi?id=44399.
+
+ Test: http/tests/security/canvas-remote-read-remote-image-redirect.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::createPattern):
+
2010-08-20 Tony Chang <tony at chromium.org>
Reviewed by Adam Barth.
diff --git a/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index 6fe74f9..45717e9 100644
--- a/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1211,7 +1211,7 @@ PassRefPtr<CanvasPattern> CanvasRenderingContext2D::createPattern(HTMLImageEleme
if (!cachedImage || !image->cachedImage()->image())
return CanvasPattern::create(Image::nullImage(), repeatX, repeatY, true);
- bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url())) && cachedImage->image()->hasSingleSecurityOrigin();
+ bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->response().url())) && cachedImage->image()->hasSingleSecurityOrigin();
return CanvasPattern::create(cachedImage->image(), repeatX, repeatY, originClean);
}
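Review bot: The changed `originClean` line has no comment saying why the response URL is the one to check, so a later cleanup could easily switch it back to `cachedImage->url()`. I would add above it `// Check the final response URL, not the requested one: a same-origin request can be redirected to another origin.` The null check on the context line above mixes the local `cachedImage` with `image->cachedImage()`; using the local in both places would read more consistently. Whether other origin checks in this file still compare against `cachedImage->url()` cannot be seen from this hunk and is worth confirming. createPattern's body begins outside the hunk.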
--
WebKit Debian packaging