[webkit-changes] cvs commit: WebCore/kwq KWQKHTMLPart.h KWQKHTMLPart.mm
Adele
adele at opensource.apple.com
Tue Aug 2 09:52:28 PDT 2005
adele 05/08/02 09:52:28
Modified: . Tag: Safari-2-0-branch ChangeLog
kwq Tag: Safari-2-0-branch KWQKHTMLPart.h
KWQKHTMLPart.mm
Log:
Merged fix from TOT to Safari-2-0-branch
2005-07-08 Vicki Murley <vicki at apple.com>
- fixed by Trey Matteson <trey at usa.net>, reviewed by Maciej.
Test cases added: (NONE)
<rdar://problem/4109893> REGRESSION: back/forward broken at wsj.com, worked in v185
Also written as http://bugzilla.opendarwin.org/show_bug.cgi?id=3901
Broken by security fix for 4005575: Arbitrary file disclosure vulnerability due to ability to load local html from remote content
The root of this bug is that URLs for subframes of a page are sometimes added to the back/forward list. This happens a lot at
wsj.com, and I believe it would happen for many or all sites that use JS to cons up a URL for an iframe and then load it.
The security fix changed the code path to go through openURLRequest, but only openURL had the logic to guess if
the current navigation was done in response to a user gesture. openURLRequest always assumed it was a user gesture,
and thus all uses of this code path would place an item in the b/f list.
* kwq/KWQKHTMLPart.h:
* kwq/KWQKHTMLPart.mm:
(KWQKHTMLPart::userGestureHint): Factored code from openURL.
(KWQKHTMLPart::openURL): Call newly factored code.
(KWQKHTMLPart::openURLRequest): Newly call newly factored code.
Revision Changes Path
No revision
No revision
1.4104.2.80 +28 -0 WebCore/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/WebCore/ChangeLog,v
retrieving revision 1.4104.2.79
retrieving revision 1.4104.2.80
diff -u -r1.4104.2.79 -r1.4104.2.80
--- ChangeLog 2 Aug 2005 16:47:31 -0000 1.4104.2.79
+++ ChangeLog 2 Aug 2005 16:52:20 -0000 1.4104.2.80
@@ -2,6 +2,34 @@
Merged fix from TOT to Safari-2-0-branch
+ 2005-07-08 Vicki Murley <vicki at apple.com>
+
+ - fixed by Trey Matteson <trey at usa.net>, reviewed by Maciej.
+
+ Test cases added: (NONE)
+
+ <rdar://problem/4109893> REGRESSION: back/forward broken at wsj.com, worked in v185
+ Also written as http://bugzilla.opendarwin.org/show_bug.cgi?id=3901
+
+ Broken by security fix for 4005575: Arbitrary file disclosure vulnerability due to ability to load local html from remote content
+
+ The root of this bug is that URLs for subframes of a page are sometimes added to the back/forward list. This happens a lot at
+ wsj.com, and I believe it would happen for many or all sites that use JS to cons up a URL for an iframe and then load it.
+
+ The security fix changed the code path to go through openURLRequest, but only openURL had the logic to guess if
+ the current navigation was done in response to a user gesture. openURLRequest always assumed it was a user gesture,
+ and thus all uses of this code path would place an item in the b/f list.
+
+ * kwq/KWQKHTMLPart.h:
+ * kwq/KWQKHTMLPart.mm:
+ (KWQKHTMLPart::userGestureHint): Factored code from openURL.
+ (KWQKHTMLPart::openURL): Call newly factored code.
+ (KWQKHTMLPart::openURLRequest): Newly call newly factored code.
+
+2005-08-02 Adele Peterson <adele at apple.com>
+
+ Merged fix from TOT to Safari-2-0-branch
+
2005-07-28 Beth Dakin <bdakin at apple.com>
This is a fix for <rdar://problem/4190684>. Hyatt and I
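Review bot: The added entry records "Test cases added: (NONE)" for a regression that was itself introduced by the security fix for 4005575, so nothing guards this path against the next change to openURLRequest. A layout test that builds an iframe URL from script, loads it, and then checks that the back/forward list did not grow would cover the behaviour described for wsj.com. The entry could also note that userGestureHint() falls back to true when no JS interpreter is present, since that default decides whether a b/f item is created.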
No revision
No revision
1.216.8.3 +2 -0 WebCore/kwq/KWQKHTMLPart.h
Index: KWQKHTMLPart.h
===================================================================
RCS file: /cvs/root/WebCore/kwq/KWQKHTMLPart.h,v
retrieving revision 1.216.8.2
retrieving revision 1.216.8.3
diff -u -r1.216.8.2 -r1.216.8.3
--- KWQKHTMLPart.h 26 Jul 2005 21:14:24 -0000 1.216.8.2
+++ KWQKHTMLPart.h 2 Aug 2005 16:52:27 -0000 1.216.8.3
@@ -401,6 +401,8 @@
NSView *mouseDownViewIfStillGood();
+ bool userGestureHint();
+
QString generateFrameName();
NSView *nextKeyViewInFrame(DOM::NodeImpl *startingPoint, KWQSelectionDirection);
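Review bot: The new declaration `bool userGestureHint();` carries no comment, and the name alone does not tell a caller that the result is a guess taken from the root part's script interpreter and that it defaults to true when there is no JS. A one-line comment above the declaration stating both points would keep later callers from treating the value as authoritative. If jScript() and parentPart() allow it, the method could also be declared const, since the implementation only reads state.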
1.628.6.5 +12 -9 WebCore/kwq/KWQKHTMLPart.mm
Index: KWQKHTMLPart.mm
===================================================================
RCS file: /cvs/root/WebCore/kwq/KWQKHTMLPart.mm,v
retrieving revision 1.628.6.4
retrieving revision 1.628.6.5
diff -u -r1.628.6.4 -r1.628.6.5
--- KWQKHTMLPart.mm 26 Jul 2005 21:14:24 -0000 1.628.6.4
+++ KWQKHTMLPart.mm 2 Aug 2005 16:52:27 -0000 1.628.6.5
@@ -294,19 +294,22 @@
cancelRedirection(true);
}
-bool KWQKHTMLPart::openURL(const KURL &url)
+bool KWQKHTMLPart::userGestureHint()
{
- KWQ_BLOCK_EXCEPTIONS;
-
- bool userGesture = true;
-
if (jScript() && jScript()->interpreter()) {
KHTMLPart *rootPart = this;
while (rootPart->parentPart() != 0)
rootPart = rootPart->parentPart();
KJS::ScriptInterpreter *interpreter = static_cast<KJS::ScriptInterpreter *>(KJSProxy::proxy(rootPart)->interpreter());
- userGesture = interpreter->wasRunByUserGesture();
- }
+ return interpreter->wasRunByUserGesture();
+ } else
+ // if no JS, assume the user initiated this nav
+ return true;
+}
+
+bool KWQKHTMLPart::openURL(const KURL &url)
+{
+ KWQ_BLOCK_EXCEPTIONS;
// FIXME: The lack of args here to get the reload flag from
// indicates a problem in how we use KHTMLPart::processObjectRequest,
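Review bot: In userGestureHint() the guard tests `jScript() && jScript()->interpreter()` on this part, but the value actually dereferenced is `KJSProxy::proxy(rootPart)->interpreter()` on the root part, and neither the proxy nor its interpreter is checked before `interpreter->wasRunByUserGesture()`. Either check the root part's proxy and interpreter and fall through to the `return true` default, or add a comment saying why a subframe with an interpreter guarantees the root has one. As a style point, the `else` is redundant after a `return`, and the comment placed between `else` and its unbraced `return true;` makes it easy to misread which statement the branch owns; dropping the `else` and ending the function with the commented `return true;` reads more clearly.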
@@ -314,7 +317,7 @@
[_bridge loadURL:url.getNSURL()
referrer:[_bridge referrer]
reload:NO
- userGesture:userGesture
+ userGesture:userGestureHint()
target:nil
triggeringEvent:nil
form:nil
@@ -340,7 +343,7 @@
[_bridge loadURL:url.getNSURL()
referrer:referrer
reload:args.reload
- userGesture:true
+ userGesture:userGestureHint()
target:args.frameName.getNSString()
triggeringEvent:nil
form:nil
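Review bot: Replacing `userGesture:true` with `userGesture:userGestureHint()` in openURLRequest changes the flag for every caller of that path, not only the script-built iframe case from the log, and the log says this path was introduced by the security fix for 4005575. It would be worth confirming, ideally with a test, that the loads the security fix routed through here still behave the same when the hint comes back false, and that nothing downstream of `loadURL:...userGesture:` uses the flag for more than the back/forward decision. A short comment at this call site explaining why a constant true was wrong would also stop the change from being reverted by accident.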