Title: [113659] trunk/Source/WebCore
Revision: 113659
Author: [email protected]
Date: 2012-04-09 19:06:15 -0700 (Mon, 09 Apr 2012)
Log Message
[Mac] WebProcess dies due to m_process->checkURLReceivedFromWebProcess(url) dropping a file URL
https://bugs.webkit.org/show_bug.cgi?id=83506
<rdar://problem/11171264>
Reviewed by Darin Adler.
Cannot test, because dragging within a single window never initiates a navigation, and dragging
across windows is too much for DRT and WTR.
* platform/mac/DragDataMac.mm: (WebCore::DragData::asURL): Add the same checks that we had
for NSURLPboardType to NSStringPboardType case, preventing dropping of non-HTTP URLs.
String types cannot be sanitized when they are modified by JavaScript, and are thus less trusted.
String checks should be at least as restrictive as URL ones.
Diff
Modified: trunk/Source/WebCore/ChangeLog (113658 => 113659)
--- trunk/Source/WebCore/ChangeLog 2012-04-10 02:05:38 UTC (rev 113658)
+++ trunk/Source/WebCore/ChangeLog 2012-04-10 02:06:15 UTC (rev 113659)
@@ -1,3 +1,19 @@
+2012-04-09 Alexey Proskuryakov <[email protected]>
+
+ [Mac] WebProcess dies due to m_process->checkURLReceivedFromWebProcess(url) dropping a file URL
+ https://bugs.webkit.org/show_bug.cgi?id=83506
+ <rdar://problem/11171264>
+
+ Reviewed by Darin Adler.
+
+ Cannot test, because dragging within a single window never initiates a navigation, and dragging
+ across windows is too much for DRT and WTR.
+
+ * platform/mac/DragDataMac.mm: (WebCore::DragData::asURL): Add the same checks that we had
+ for NSURLPboardType to NSStringPboardType case, preventing dropping of non-HTTP URLs.
+ String types cannot be sanitized when they are modified by _javascript_, and are thus less trusted.
+ String checks should be at least as restrictive as URL ones.
+
2012-04-09 Greg Billock <[email protected]>
Add transfer map argument to Intent constructor
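Review bot: The DragDataMac.mm line of this entry describes only the NSStringPboardType change, while the same function's NSURLPboardType branch also gains a comment tying the http/https restriction to <rdar://problem/10562662> and <rdar://problem/11187315>; mention that here so the ChangeLog records why the restriction exists in both branches. Since the entry states the change cannot be covered by DRT or WTR, a sentence describing the manual cross-window drag that was used to verify it would help whoever touches this code next.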
Modified: trunk/Source/WebCore/platform/mac/DragDataMac.mm (113658 => 113659)
--- trunk/Source/WebCore/platform/mac/DragDataMac.mm 2012-04-10 02:05:38 UTC (rev 113658)
+++ trunk/Source/WebCore/platform/mac/DragDataMac.mm 2012-04-10 02:06:15 UTC (rev 113659)
@@ -160,15 +160,19 @@
if (types.contains(String(NSURLPboardType))) {
NSURL *URLFromPasteboard = [NSURL URLWithString:platformStrategies()->pasteboardStrategy()->stringForType(String(NSURLPboardType), m_pasteboardName)];
NSString *scheme = [URLFromPasteboard scheme];
- if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"]) {
+ // Cannot drop other schemes unless <rdar://problem/10562662> and <rdar://problem/11187315> are fixed.
+ if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"])
return [frame->editor()->client()->canonicalizeURL(URLFromPasteboard) absoluteString];
- }
}
if (types.contains(String(NSStringPboardType))) {
- NSURL *URL = "" m_pasteboardName));
- if (URL)
- return [URL absoluteString];
+ NSURL *URLFromPasteboard = [NSURL URLWithString:platformStrategies()->pasteboardStrategy()->stringForType(String(NSStringPboardType), m_pasteboardName)];
+ NSString *scheme = [URLFromPasteboard scheme];
+ // Pasteboard content is not trusted, because _javascript_ code can modify it. We can sanitize it for URLs and other typed content, but not for strings.
+ // The result of this function is used to initiate navigation, so we shouldn't allow arbitrary file URLs.
+ // FIXME: Should we allow only http family schemes, or anything non-local?
+ if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"])
+ return [frame->editor()->client()->canonicalizeURL(URLFromPasteboard) absoluteString];
}
if (types.contains(String(NSFilenamesPboardType))) {
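Review bot: The http/https check in the new NSStringPboardType branch is a verbatim copy of the one in the NSURLPboardType branch above it, so the two can drift apart the next time either is relaxed, which is what the log message says must not happen ("String checks should be at least as restrictive as URL ones"). Consider moving the scheme comparison into one static helper that both branches call, and keeping the FIXME about non-local schemes next to it. Two smaller points in the same branch: when URLWithString: returns nil, the code relies on messaging nil to make both isEqualToString: calls false, which deserves a short comment; and isEqualToString: is case-sensitive, so it is worth confirming that a pasteboard string with an upper-case scheme is meant to be rejected rather than navigated.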