[webkit-changes] [WebKit/WebKit] 663387: REGRESSION (269108@main): Same-origin XSLT documen...
Commit Queue
noreply at github.com
Wed Apr 24 08:23:09 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 66338748251c4f55d2b29e32e4851add3ed40f0e
https://github.com/WebKit/WebKit/commit/66338748251c4f55d2b29e32e4851add3ed40f0e
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-04-24 (Wed, 24 Apr 2024)
Changed paths:
R LayoutTests/http/tests/security/resources/xslt-external-entity.svg
R LayoutTests/http/tests/security/resources/xslt2.py
A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.py
A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.svg
A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.xml
A LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.py
A LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.svg
R LayoutTests/http/tests/security/xslt-external-entity-expected.txt
R LayoutTests/http/tests/security/xslt-external-entity.html
A LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader-expected.txt
A LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
A LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt
A LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html
R LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
A LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt
M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
REGRESSION (269108@main): Same-origin XSLT document() loads fail
https://bugs.webkit.org/show_bug.cgi?id=273106
<rdar://126897034>

Reviewed by Alex Christensen.

Prior to this change, all external entity loads using docLoaderFunc() in
XSLTProcessorLibxslt.cpp would fail in shouldAllowExternalLoad() because
XMLDocumentParserScope::currentCachedResourceLoader was nullptr. This
caused both cross-origin loads and same-origin loads to fail.

The fix is to make use of XMLDocumentParserScope in docLoaderFunc() to
set XMLDocumentParserScope::currentCachedResourceLoader so that the
same-origin policy is applied.

We keep the check added to shouldAllowExternalLoad() from 269108@main in
case a load is initiated without using XMLDocumentParserScope, and this
change adds a Debug assert to catch those cases before the load fails.

Tests:
http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html

* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.py: Add.
* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.svg: Copy from LayoutTests/http/tests/security/resources/xslt-external-entity.svg.
* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.xml: Add.
* LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.py: Rename from LayoutTests/http/tests/security/resources/xslt2.py.
* LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.svg: Rename from LayoutTests/http/tests/security/resources/xslt-external-entity.svg.
* LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader-expected.txt: Add.
* LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html: Copy from LayoutTests/http/tests/security/xslt-external-entity.html.
* LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt: Rename from LayoutTests/http/tests/security/xslt-external-entity-expected.txt.
- Update results with denied console messages. This change is the
result of the bug fix.
* LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html: Rename from LayoutTests/http/tests/security/xslt-external-entity.html.
- Add xss-ALLOWED-xsl-external-entity-xslt-docloader.html to test the
same-origin case. This test failed before this fix.
- Rename http/tests/security/xslt-external-entity.html to
xss-DENIED-xsl-external-entity-xslt-docloader.html to match similar
test cases.
* LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt: Rename from LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt.
- Update results with denied console messages. This change is the
result of the bug fix.
* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::docLoaderFunc):
- Make use of WebCore::XMLDocumentParserScope to fix the bug.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
- Add Debug assert to catch failures where XMLDocumentParserScope is
missing, or a non-WebKit, in-process libxml2 load occurs.
Canonical link: https://commits.webkit.org/277924@main
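
A simplified C++ model of the scoping behaviour the log message describes, added here as an illustration and not taken from the WebKit source. LoaderModel, ParserScopeModel, originOf and the two docLoader functions are hypothetical stand-ins; the thread-local storage and the string-based origin comparison are assumptions of the model.

```cpp
// Simplified model, not WebKit code. All names here are hypothetical stand-ins.
#include <string>

struct LoaderModel { std::string documentOrigin; }; // stands in for the resource loader

// RAII scope: publishes the loader for the duration of a parser call and
// restores the previous value on exit, so nested scopes unwind correctly.
class ParserScopeModel {
public:
    static thread_local const LoaderModel* current;
    explicit ParserScopeModel(const LoaderModel* loader) : m_previous(current) { current = loader; }
    ~ParserScopeModel() { current = m_previous; }
    ParserScopeModel(const ParserScopeModel&) = delete;
private:
    const LoaderModel* m_previous;
};
thread_local const LoaderModel* ParserScopeModel::current = nullptr;

// Origin = scheme://host[:port]. Handles absolute URLs only; anything else
// yields an empty origin and is denied by the caller.
static std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return {};
    return url.substr(0, url.find('/', schemeEnd + 3));
}

// Fail closed: with no published loader there is no policy context, so deny.
bool shouldAllowExternalLoadModel(const std::string& url) {
    const LoaderModel* loader = ParserScopeModel::current;
    if (!loader)
        return false;
    std::string origin = originOf(url);
    return !origin.empty() && origin == loader->documentOrigin;
}

// Pre-fix shape: the callback runs with no scope, so every load is denied.
bool docLoaderWithoutScope(const LoaderModel&, const std::string& url) {
    return shouldAllowExternalLoadModel(url);
}

// Post-fix shape: the callback opens a scope first, so the origin check can run.
bool docLoaderWithScope(const LoaderModel& loader, const std::string& url) {
    ParserScopeModel scope(&loader);
    return shouldAllowExternalLoadModel(url);
}
```

The null check stays in place after the fix, which is why a caller that forgets the scope is denied instead of bypassing the origin comparison.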