[Webkit-unassigned] [Bug 249062] New: Fix use-after-move in WebCore::WorkerScriptLoader::loadAsynchronously()
bugzilla-daemon at webkit.org
Fri Dec 9 19:12:50 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=249062
Bug ID: 249062
Summary: Fix use-after-move in WebCore::WorkerScriptLoader::loadAsynchronously()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Service Workers
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
Fix use-after-move in WebCore::WorkerScriptLoader::loadAsynchronously() in Source/WebCore/workers/WorkerScriptLoader.cpp.
There is a use-after-move of `scriptRequest` where `scriptRequest.url()` is called later in the method, but `m_url` may be used instead.
```
void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext& scriptExecutionContext, ResourceRequest&& scriptRequest, Source source, FetchOptions&& fetchOptions, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, ServiceWorkersMode serviceWorkerMode, WorkerScriptLoaderClient& client, String&& taskMode, ScriptExecutionContextIdentifier clientIdentifier)
{
    m_client = &client;
    m_url = scriptRequest.url();
    m_source = source;
    m_destination = fetchOptions.destination;
    m_isCOEPEnabled = scriptExecutionContext.settingsValues().crossOriginEmbedderPolicyEnabled;
    m_clientIdentifier = clientIdentifier;

    ASSERT(scriptRequest.httpMethod() == "GET"_s);

    auto request = makeUnique<ResourceRequest>(WTFMove(scriptRequest));
    if (!request)
        return;

    [...]

    if (m_destination == FetchOptions::Destination::Sharedworker)
        m_userAgentForSharedWorker = scriptExecutionContext.userAgent(scriptRequest.url()); // Use-after-move of `scriptRequest`.

    // During create, callbacks may happen which remove the last reference to this object.
    Ref<WorkerScriptLoader> protectedThis(*this);
    m_threadableLoader = ThreadableLoader::create(scriptExecutionContext, *this, WTFMove(*request), options, { }, WTFMove(taskMode));
}
```
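The following is an added, self-contained illustration of the pattern in the report; it is not WebKit code. `Url`, `ResourceRequest`, `WorkerScriptLoader`, `userAgentFor`, `loadBuggy` and `loadFixed` are hypothetical stand-ins, and the `Url` type has a move constructor that deliberately empties its source so that the moved-from state is deterministic and observable (a moved-from `std::string` is only "valid but unspecified", which is exactly why this class of bug is easy to miss in testing). `loadBuggy` reads the URL from the moved-from parameter, as in the report; `loadFixed` reads it from the member cached before the move, as the report suggests.

```cpp
// Added example of a use-after-move and its fix. All names below are
// hypothetical stand-ins for this illustration, not WebKit's own classes.
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Tiny URL wrapper whose move operations deterministically empty the source,
// so the effect of a use-after-move can be observed and asserted on.
struct Url {
    std::string spec;

    Url() = default;
    explicit Url(std::string s) : spec(std::move(s)) {}
    Url(const Url&) = default;
    Url& operator=(const Url&) = default;
    Url(Url&& other) noexcept : spec(std::move(other.spec)) { other.spec.clear(); }
    Url& operator=(Url&& other) noexcept {
        spec = std::move(other.spec);
        other.spec.clear();
        return *this;
    }

    const std::string& string() const { return spec; }
};

// Stand-in for the request object: owns a URL and an HTTP method.
struct ResourceRequest {
    Url m_url;
    std::string m_method = "GET";
    const Url& url() const { return m_url; }
};

// Stand-in for a user-agent lookup keyed on the request URL.
static std::string userAgentFor(const Url& url) {
    return "ExampleUA/1.0 (for " + url.string() + ")";
}

struct WorkerScriptLoader {
    Url m_url;
    std::unique_ptr<ResourceRequest> m_request;
    std::string m_userAgentForSharedWorker;

    // Buggy shape: cache the URL, move the request into owned storage, then
    // read from the moved-from parameter (mirrors the report).
    void loadBuggy(ResourceRequest&& scriptRequest) {
        m_url = scriptRequest.url();
        m_request = std::make_unique<ResourceRequest>(std::move(scriptRequest));
        // Use-after-move: the URL now lives in *m_request, not in scriptRequest.
        m_userAgentForSharedWorker = userAgentFor(scriptRequest.url());
    }

    // Fixed shape: use the member that was cached before the move.
    void loadFixed(ResourceRequest&& scriptRequest) {
        m_url = scriptRequest.url();
        m_request = std::make_unique<ResourceRequest>(std::move(scriptRequest));
        m_userAgentForSharedWorker = userAgentFor(m_url);
    }
};

// Constructed sample input (not a real URL); each function returns the
// user-agent string that the corresponding variant computes.
std::string userAgentViaBuggyPath() {
    WorkerScriptLoader loader;
    loader.loadBuggy(ResourceRequest{Url("https://example.test/worker.js")});
    return loader.m_userAgentForSharedWorker;
}

std::string userAgentViaFixedPath() {
    WorkerScriptLoader loader;
    loader.loadFixed(ResourceRequest{Url("https://example.test/worker.js")});
    return loader.m_userAgentForSharedWorker;
}

int main() {
    std::cout << "buggy: " << userAgentViaBuggyPath() << "\n";
    std::cout << "fixed: " << userAgentViaFixedPath() << "\n";
    return 0;
}
```

With a real `std::string`-backed URL the buggy path may happen to print the right value on one standard library and an empty one on another, which is why a deterministic moved-from state is used here. In a code base the check a practitioner wants is static: clang-tidy's `bugprone-use-after-move` flags reads of a variable after `std::move` (or `WTFMove`) on the same control-flow path.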