[webkit-changes] cvs commit: WebCore/kwq KWQKHTMLPart.h KWQKHTMLPart.mm
Vicki
vicki at opensource.apple.com
Fri Jul 8 11:39:38 PDT 2005
vicki 05/07/08 11:39:38
Modified: . ChangeLog
kwq KWQKHTMLPart.h KWQKHTMLPart.mm
Log:
- fixed by Trey Matteson <trey at usa.net>, reviewed by Maciej.
Test cases added: (NONE)
<rdar://problem/4109893> REGRESSION: back/forward broken at wsj.com, worked in v185
Also written as http://bugzilla.opendarwin.org/show_bug.cgi?id=3901
Broken by security fix for 4005575: Arbitrary file disclosure vulnerability due to ability to load local html from remote content
The root of this bug is that URLs for subframes of a page are sometimes added to the back/forward list. This happens a lot at
wsj.com, and I believe it would happen for many or all sites that use JS to cons up a URL for an iframe and then load it.
The security fix changed the code path to go through openURLRequest, but only openURL had the logic to guess if
the current navigation was done in response to a user gesture. openURLRequest always assumed it was a user gesture,
and thus all uses of this code path would place an item in the b/f list.
* kwq/KWQKHTMLPart.h:
* kwq/KWQKHTMLPart.mm:
(KWQKHTMLPart::userGestureHint): Factored code from openURL.
(KWQKHTMLPart::openURL): Call newly factored code.
(KWQKHTMLPart::openURLRequest): Newly call newly factored code.
Revision Changes Path
1.4391 +24 -0 WebCore/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/WebCore/ChangeLog,v
retrieving revision 1.4390
retrieving revision 1.4391
diff -u -r1.4390 -r1.4391
--- ChangeLog 8 Jul 2005 05:51:31 -0000 1.4390
+++ ChangeLog 8 Jul 2005 18:39:34 -0000 1.4391
@@ -1,3 +1,27 @@
+2005-07-08 Vicki Murley <vicki at apple.com>
+
+ - fixed by Trey Matteson <trey at usa.net>, reviewed by Maciej.
+
+ Test cases added: (NONE)
+
+ <rdar://problem/4109893> REGRESSSION: back/forward broken at wsj.com, worked in v185
+ Also written as http://bugzilla.opendarwin.org/show_bug.cgi?id=3901
+
+ Broken by security fix for 4005575: Arbitrary file disclosure vulnerability due to ability to load local html from remote content
+
+ The root of this bug is that URLs for subframes of a page are sometimes added to the back/forward list. This happens a lot at
+ wsj.com, and I believe it would happen for many or all sites that use JS to cons up a URL for an iframe and then load it.
+
+ The security fix changed the code path to go through openURLRequest, but only openURL had the logic to guess if
+ the current navigation was done in response to a user gesture. openURLRequest always assumed it was a user gesture,
+ and thus all uses of this code path would place an item in the b/f list.
+
+ * kwq/KWQKHTMLPart.h:
+ * kwq/KWQKHTMLPart.mm:
+ (KWQKHTMLPart::userGestureHint): Factored code from openURL.
+ (KWQKHTMLPart::openURL): Call newly factored code.
+ (KWQKHTMLPart::openURLRequest): Newly call newly factored code.
+
2005-07-07 Maciej Stachowiak <mjs at apple.com>
- oops, accidentally committed stat dumping enabled
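Review bot: "Test cases added: (NONE)" leaves a regression that was itself introduced by a security fix (4005575) with no coverage; a test that loads a page whose iframe src is assigned from script and then asserts that no back/forward entry was created would guard this path against the next change. The openURLRequest line "Newly call newly factored code" also reads awkwardly; "Call userGestureHint() instead of assuming a user gesture" states what actually changed.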
1.222 +2 -0 WebCore/kwq/KWQKHTMLPart.h
Index: KWQKHTMLPart.h
===================================================================
RCS file: /cvs/root/WebCore/kwq/KWQKHTMLPart.h,v
retrieving revision 1.221
retrieving revision 1.222
diff -u -r1.221 -r1.222
--- KWQKHTMLPart.h 26 May 2005 20:30:12 -0000 1.221
+++ KWQKHTMLPart.h 8 Jul 2005 18:39:37 -0000 1.222
@@ -400,6 +400,8 @@
NSView *mouseDownViewIfStillGood();
+ bool userGestureHint();
+
QString generateFrameName();
NSView *nextKeyViewInFrame(DOM::NodeImpl *startingPoint, KWQSelectionDirection);
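Review bot: The new `bool userGestureHint();` declaration has no comment, and the name alone does not convey that it is a heuristic (it answers true whenever no JS interpreter exists) whose result decides back/forward-list placement; a one-line comment at the declaration saying so would stop future callers treating it as a hard check on whether the user initiated a navigation.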
1.645 +12 -9 WebCore/kwq/KWQKHTMLPart.mm
Index: KWQKHTMLPart.mm
===================================================================
RCS file: /cvs/root/WebCore/kwq/KWQKHTMLPart.mm,v
retrieving revision 1.644
retrieving revision 1.645
diff -u -r1.644 -r1.645
--- KWQKHTMLPart.mm 7 Jul 2005 08:03:22 -0000 1.644
+++ KWQKHTMLPart.mm 8 Jul 2005 18:39:37 -0000 1.645
@@ -294,19 +294,22 @@
cancelRedirection(true);
}
-bool KWQKHTMLPart::openURL(const KURL &url)
+bool KWQKHTMLPart::userGestureHint()
{
- KWQ_BLOCK_EXCEPTIONS;
-
- bool userGesture = true;
-
if (jScript() && jScript()->interpreter()) {
KHTMLPart *rootPart = this;
while (rootPart->parentPart() != 0)
rootPart = rootPart->parentPart();
KJS::ScriptInterpreter *interpreter = static_cast<KJS::ScriptInterpreter *>(KJSProxy::proxy(rootPart)->interpreter());
- userGesture = interpreter->wasRunByUserGesture();
- }
+ return interpreter->wasRunByUserGesture();
+ } else
+ // if no JS, assume the user initiated this nav
+ return true;
+}
+
+bool KWQKHTMLPart::openURL(const KURL &url)
+{
+ KWQ_BLOCK_EXCEPTIONS;
// FIXME: The lack of args here to get the reload flag from
// indicates a problem in how we use KHTMLPart::processObjectRequest,
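Review bot: In `userGestureHint()` the null check `jScript() && jScript()->interpreter()` is on this part's proxy, but the pointer actually dereferenced is `KJSProxy::proxy(rootPart)->interpreter()` for the root part reached by walking `parentPart()`; the code is carried over from the old `openURL` body, but now that it is a standalone function it should either null-check the root part's proxy and interpreter or carry a comment explaining why they are guaranteed non-null whenever the child's are. The `} else` followed by a comment and a bare `return true;` also wants braces, and the fail-open default (no JS means user gesture) is worth stating in the ChangeLog since it decides which loads reach the b/f list.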
@@ -314,7 +317,7 @@
[_bridge loadURL:url.getNSURL()
referrer:[_bridge referrer]
reload:NO
- userGesture:userGesture
+ userGesture:userGestureHint()
target:nil
triggeringEvent:nil
form:nil
@@ -340,7 +343,7 @@
[_bridge loadURL:url.getNSURL()
referrer:referrer
reload:args.reload
- userGesture:true
+ userGesture:userGestureHint()
target:args.frameName.getNSString()
triggeringEvent:nil
form:nil
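Review bot: This is the path the 4005575 security fix routes navigations through, so replacing the hard-coded `userGesture:true` with `userGestureHint()` matters beyond history placement if the bridge consults that flag for anything else; the commit message should confirm that `userGesture:` on `loadURL:` only affects back/forward-list placement, and that the hint's default of true when no interpreter exists cannot make a remotely triggered load appear user-initiated to any check on the bridge side.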