[webkit-changes] cvs commit: WebKit/WebView.subproj WebBaseResourceHandleDelegate.h WebMainResourceClient.m

Adele adele at opensource.apple.com
Thu Sep 1 16:58:48 PDT 2005


adele       05/09/01 16:58:48

  Modified:    .        Tag: Safari-1-3-branch ChangeLog
               WebView.subproj Tag: Safari-1-3-branch
                        WebBaseResourceHandleDelegate.h
                        WebMainResourceClient.m
  Log:
           Merged fix for <rdar://problem/4208261> from TOT to Safari-1-3-branch
  
      2005-05-17  Chris Blumenberg  <cblu at apple.com>
  
    	Fixed: <rdar://problem/4120255> web archives on remote servers can be viewed directly (with major security issues); should download instead
  
          Reviewed by mjs.
  
          * WebView.subproj/WebBaseResourceHandleDelegate.h:
          * WebView.subproj/WebMainResourceClient.m:
          (-[WebMainResourceClient continueAfterContentPolicy:response:]): if the WebKit client has chosen to "use" a remote web archive, stop the load with an error
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.3120.2.14 +14 -0     WebKit/ChangeLog
  
  Index: ChangeLog
  ===================================================================
  RCS file: /cvs/root/WebKit/ChangeLog,v
  retrieving revision 1.3120.2.13
  retrieving revision 1.3120.2.14
  diff -u -r1.3120.2.13 -r1.3120.2.14
  --- ChangeLog	15 Jul 2005 17:23:51 -0000	1.3120.2.13
  +++ ChangeLog	1 Sep 2005 23:58:42 -0000	1.3120.2.14
  @@ -1,3 +1,17 @@
  +2005-09-01  Adele Peterson  <adele at apple.com>
  +
  +         Merged fix for <rdar://problem/4208261> from TOT to Safari-1-3-branch
  +
  +    2005-05-17  Chris Blumenberg  <cblu at apple.com>
  +
  +  	Fixed: <rdar://problem/4120255> web archives on remote servers can be viewed directly (with major security issues); should download instead
  +
  +        Reviewed by mjs.
  +
  +        * WebView.subproj/WebBaseResourceHandleDelegate.h:
  +        * WebView.subproj/WebMainResourceClient.m:
  +        (-[WebMainResourceClient continueAfterContentPolicy:response:]): if the WebKit client has chosen to "use" a remote web archive, stop the load with an error
  +
   === WebKit-312.5 ===
   
   2005-07-14  Vicki Murley  <vicki at apple.com>
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.38.8.2  +1 -1      WebKit/WebView.subproj/Attic/WebBaseResourceHandleDelegate.h
  
  Index: WebBaseResourceHandleDelegate.h
  ===================================================================
  RCS file: /cvs/root/WebKit/WebView.subproj/Attic/WebBaseResourceHandleDelegate.h,v
  retrieving revision 1.38.8.1
  retrieving revision 1.38.8.2
  diff -u -r1.38.8.1 -r1.38.8.2
  --- WebBaseResourceHandleDelegate.h	2 Jun 2005 15:44:43 -0000	1.38.8.1
  +++ WebBaseResourceHandleDelegate.h	1 Sep 2005 23:58:47 -0000	1.38.8.2
  @@ -24,6 +24,7 @@
       WebDataSource *dataSource;
       NSURLConnection *connection;
       NSURLRequest *request;
  +    BOOL reachedTerminalState;
   @private
       WebView *webView;
       NSURLResponse *response;
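Review bot: `reachedTerminalState` is moved out of the `@private` section with no comment saying why, and a directly visible ivar can be written by subclasses as well as read. The only use visible in this commit is a read in `-[WebMainResourceClient continueAfterContentPolicy:response:]`, so a comment such as `BOOL reachedTerminalState; // read-only for subclasses; set only by the base class` would record the intended contract. The visibility of the section it lands in is not shown in this hunk; if a read-only accessor is practical on this branch, it would keep the terminal-state flag under the base class's control.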
  @@ -33,7 +34,6 @@
       NSURLAuthenticationChallenge *currentConnectionChallenge;
       NSURLAuthenticationChallenge *currentWebChallenge;
       BOOL cancelledFlag;
  -    BOOL reachedTerminalState;
       BOOL defersCallbacks;
       BOOL waitingToDeliverResource;
       BOOL deliveredResource;
  
  
  
  1.260.6.2 +15 -4     WebKit/WebView.subproj/Attic/WebMainResourceClient.m
  
  Index: WebMainResourceClient.m
  ===================================================================
  RCS file: /cvs/root/WebKit/WebView.subproj/Attic/WebMainResourceClient.m,v
  retrieving revision 1.260.6.1
  retrieving revision 1.260.6.2
  diff -u -r1.260.6.1 -r1.260.6.2
  --- WebMainResourceClient.m	2 Jun 2005 15:44:43 -0000	1.260.6.1
  +++ WebMainResourceClient.m	1 Sep 2005 23:58:47 -0000	1.260.6.2
  @@ -16,6 +16,7 @@
   #import <Foundation/NSURLResponse.h>
   #import <Foundation/NSURLResponsePrivate.h>
   
  +#import <WebKit/WebDataProtocol.h>
   #import <WebKit/WebDataSourcePrivate.h>
   #import <WebKit/WebDefaultPolicyDelegate.h>
   #import <WebKit/WebDocument.h>
  @@ -200,15 +201,25 @@
   
   -(void)continueAfterContentPolicy:(WebPolicyAction)contentPolicy response:(NSURLResponse *)r
   {
  +    NSURL *URL = [request URL];
  +    NSString *MIMEType = [r MIMEType]; 
  +    
       switch (contentPolicy) {
       case WebPolicyUse:
  -	if (![WebView canShowMIMEType:[r MIMEType]]) {
  -	    [[dataSource webFrame] _handleUnimplementablePolicyWithErrorCode:WebKitErrorCannotShowMIMEType forURL:[[dataSource request] URL]];
  -	    [self stopLoadingForPolicyChange];
  +    {
  +        // Prevent remote web archives from loading because they can claim to be from any domain and thus avoid cross-domain security checks (4120255).
  +        BOOL isRemote = ![URL isFileURL] && ![WebDataProtocol _webIsDataProtocolURL:URL];
  +	BOOL isRemoteWebArchive = isRemote && [MIMEType _web_isCaseInsensitiveEqualToString:@"application/x-webarchive"];
  +        if (![WebView canShowMIMEType:MIMEType] || isRemoteWebArchive) {
  +	    [[dataSource webFrame] _handleUnimplementablePolicyWithErrorCode:WebKitErrorCannotShowMIMEType forURL:URL];
  +            // Check reachedTerminalState since the load may have already been cancelled inside of _handleUnimplementablePolicyWithErrorCode::.
  +            if (!reachedTerminalState) {
  +                [self stopLoadingForPolicyChange];
  +            }
   	    return;
   	}
           break;
  -
  +    }
       case WebPolicyDownload:
           [proxy setDelegate:nil];
           [WebDownload _downloadWithLoadingConnection:connection
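Review bot: The remote/local decision in the `WebPolicyUse` case is taken from `[request URL]`, while the MIME type it is combined with comes from the response `r`, and the hunk does not show whether `request` is updated when a load is redirected. If it is not, `isRemote` describes the URL that was originally requested rather than the one that delivered the archive; deriving it from the response, e.g. `NSURL *URL = [r URL];`, would tie both halves of the cross-domain check to the same response. The URL passed to `_handleUnimplementablePolicyWithErrorCode:forURL:` also changes from `[[dataSource request] URL]` to `[request URL]` for the pre-existing unsupported-MIME path, which is worth a line in the ChangeLog if it is intended. The method body continues past the end of this hunk.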
  
  
  


