Title: [212122] branches/safari-603-branch/Source/WebCore
Revision
212122
Author
bfulg...@apple.com
Date
2017-02-10 09:54:50 -0800 (Fri, 10 Feb 2017)

Log Message

Merge r212026. rdar://problem/30096323

    2017-02-09  Chris Dumez  <cdu...@apple.com>

    Crash under FormSubmission::create()
    https://bugs.webkit.org/show_bug.cgi?id=167200
    <rdar://problem/30096323>

    Reviewed by Darin Adler.

    The issue is that FormSubmission::create() was iterating over
    form.associatedElements() and was calling Element::appendFormData()
    in the loop. HTMLObjectElement::appendFormData() was calling
    pluginWidget(PluginLoadingPolicy::Load) which causes a synchronous
    layout and can fire events (such as focus event) synchronously.
    Firing those events synchronously allows the JS to modify the
    form.associatedElements() vector we are currently iterating on.

    To avoid this issue, we now call pluginWidget(PluginLoadingPolicy::DoNotLoad)
    in HTMLObjectElement::appendFormData() as we are not allowed to fire
    synchronous events at this point. I also added a security assertion
    in FormSubmission::create() to catch cases where we fire JS events
    while iterating over the form associated elements to more easily
    notice these things in the future.

    Test: fast/forms/formsubmission-appendFormData-crash.html

    * html/HTMLObjectElement.cpp:
    (WebCore::HTMLObjectElement::appendFormData):
    * loader/FormSubmission.cpp:
    (WebCore::FormSubmission::create):
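A reduced model of the guard pattern the merged change relies on, added here as an example and not WebCore code: a scoped object marks a region in which script must not run, and an event dispatch attempted inside that region is intercepted and counted (where WebCore would assert) instead of reaching a handler that could mutate the collection being iterated. `Form`, `Control`, `Outcome`, `submitDemo` and the focus handler are constructed stand-ins, not WebCore types.

```cpp
#include <string>
#include <utility>
#include <vector>

// Added example, not WebCore code: a reduced model of the NoEventDispatchAssertion
// pattern. While a scope object is alive, any attempt to dispatch an event is
// intercepted and counted instead of being delivered to script.
static int g_noDispatchDepth = 0;   // > 0 while a NoEventDispatchScope is alive
static int g_violations = 0;        // dispatch attempts caught inside a guarded scope
struct NoEventDispatchScope {
    NoEventDispatchScope() { ++g_noDispatchDepth; }
    ~NoEventDispatchScope() { --g_noDispatchDepth; }
};
enum class PluginLoadingPolicy { Load, DoNotLoad };
struct Form;
using EventHandler = void (*)(Form&);
struct Control {
    std::string name, value;
    EventHandler onFocus;   // constructed "script" run if a focus event is delivered
};
struct Form { std::vector<Control> controls; };
using FormValues = std::vector<std::pair<std::string, std::string>>;
// Delivering the event is the dangerous step: in WebCore it runs JS that may
// mutate form.associatedElements() while FormSubmission::create() iterates it.
// Every dispatch attempt counts as a violation, whether or not script listens.
static void dispatchFocus(Form& form, Control& control) {
    if (g_noDispatchDepth > 0) { ++g_violations; return; }  // the assertion fires here
    if (control.onFocus) control.onFocus(form);
}
// Models HTMLObjectElement::appendFormData(): loading the plugin forces a
// synchronous layout that can fire focus; DoNotLoad never dispatches.
static void appendFormData(Form& form, Control& control, PluginLoadingPolicy policy, FormValues& out) {
    if (policy == PluginLoadingPolicy::Load)
        dispatchFocus(form, control);
    out.emplace_back(control.name, control.value);
}

// Constructed handler modelling a page script that grows the form on focus.
static void addControlOnFocus(Form& form) { form.controls.push_back({"injected", "x", nullptr}); }
struct Outcome { int violations, controls, values; };
// Models the guarded loop in FormSubmission::create() over a constructed two-field form.
static Outcome submitDemo(PluginLoadingPolicy policy) {
    Form form{{{"user", "alice", addControlOnFocus}, {"q", "search", nullptr}}};
    FormValues values;
    int before = g_violations;
    NoEventDispatchScope scope;   // mirrors NoEventDispatchAssertion in the patch
    for (auto& control : form.controls)
        appendFormData(form, control, policy, values);
    return { g_violations - before, (int)form.controls.size(), (int)values.size() };
}
```

With `DoNotLoad` the loop completes with no dispatch attempts; with `Load` the guard intercepts one attempt per control, so the form keeps its two controls instead of being grown mid-iteration.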

Modified Paths

Diff

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (212121 => 212122)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-10 17:46:37 UTC (rev 212121)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-10 17:54:50 UTC (rev 212122)
@@ -1,5 +1,39 @@
 2017-02-10  Brent Fulgham  <bfulg...@apple.com>
 
+        Merge r212026. rdar://problem/30096323
+
+    2017-02-09  Chris Dumez  <cdu...@apple.com>
+
+            Crash under FormSubmission::create()
+            https://bugs.webkit.org/show_bug.cgi?id=167200
+            <rdar://problem/30096323>
+
+            Reviewed by Darin Adler.
+
+            The issue is that FormSubmission::create() was iterating over
+            form.associatedElements() as was calling Element::appendFormData()
+            in the loop. HTMLObjectElement::appendFormData() was calling
+            pluginWidget(PluginLoadingPolicy::Load) which causes a synchronous
+            layout and can fire events (such as focus event) synchronously.
+            Firing those events synchronously allows the JS to modify the
+            form.associatedElements() vector we are currently iterating on.
+
+            To avoid this issue, we now call pluginWidget(PluginLoadingPolicy::DoNotLoad)
+            in HTMLObjectElement::appendFormData() as we are not allowed to fire
+            synchronous events at this point. I also added a security assertion
+            in FormSubmission::create() to catch cases where we fire JS events
+            while iterating over the form associated elements to more easily
+            notice these things in the future.
+
+            Test: fast/forms/formsubmission-appendFormData-crash.html
+
+            * html/HTMLObjectElement.cpp:
+            (WebCore::HTMLObjectElement::appendFormData):
+            * loader/FormSubmission.cpp:
+            (WebCore::FormSubmission::create):
+
+2017-02-10  Brent Fulgham  <bfulg...@apple.com>
+
         Unreviewed build fix.
 
         * dom/Document.cpp:
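Review bot: the nested merged entry is indented inconsistently with the surrounding ChangeLog entries: the inner date line `    2017-02-09  Chris Dumez  <cdu...@apple.com>` sits at four spaces and its body at twelve, while the file's own entries (e.g. `        Unreviewed build fix.`) use eight. The merged text also carries a typo, `form.associatedElements() as was calling` should read `and was calling`. Both are worth correcting in the merge commit, since this entry is what the branch history will record for the fix.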

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp (212121 => 212122)


--- branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp	2017-02-10 17:46:37 UTC (rev 212121)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp	2017-02-10 17:54:50 UTC (rev 212122)
@@ -509,7 +509,9 @@
     if (name().isEmpty())
         return false;
 
-    Widget* widget = pluginWidget();
+    // Use PluginLoadingPolicy::DoNotLoad here or it would fire JS events synchronously
+    // which would not be safe here.
+    auto* widget = pluginWidget(PluginLoadingPolicy::DoNotLoad);
     if (!is<PluginViewBase>(widget))
         return false;
     String value;
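Review bot: the new comment repeats `here` twice and does not record the behavioural consequence of the policy switch: with `PluginLoadingPolicy::DoNotLoad`, an `<object>` whose plugin has not yet been instantiated returns no widget, the `is<PluginViewBase>(widget)` check fails, and the element contributes no form data where it previously would have triggered a load. Suggest wording such as `// Do not load the plugin here: loading forces a synchronous layout that can fire JS events, which is unsafe while form data is being collected.` and noting the skipped-when-unloaded behaviour in the ChangeLog so it is not mistaken for a regression later.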

Modified: branches/safari-603-branch/Source/WebCore/loader/FormSubmission.cpp (212121 => 212122)


--- branches/safari-603-branch/Source/WebCore/loader/FormSubmission.cpp	2017-02-10 17:46:37 UTC (rev 212121)
+++ branches/safari-603-branch/Source/WebCore/loader/FormSubmission.cpp	2017-02-10 17:54:50 UTC (rev 212122)
@@ -47,6 +47,7 @@
 #include "HTMLInputElement.h"
 #include "HTMLNames.h"
 #include "HTMLParserIdioms.h"
+#include "NoEventDispatchAssertion.h"
 #include "TextEncoding.h"
 #include <wtf/CurrentTime.h>
 
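Review bot: `NoEventDispatchAssertion.h` is added in alphabetical position, which is fine. Worth keeping in mind when reviewing the hunk below: the ChangeLog describes what this header provides as an assertion, i.e. a detection aid for catching the event-dispatch-during-iteration pattern, not the fix itself; the change that removes the crash is the `DoNotLoad` switch in HTMLObjectElement.cpp. The layout test named in the ChangeLog should therefore be run in a build where assertions are enabled, and ideally once with the HTMLObjectElement.cpp change reverted, to confirm the assertion actually fires on the original path.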
@@ -204,18 +205,23 @@
     Vector<std::pair<String, String>> formValues;
 
     bool containsPasswordData = false;
-    for (auto& control : form->associatedElements()) {
-        HTMLElement& element = control->asHTMLElement();
-        if (!element.isDisabledFormControl())
-            control->appendFormData(*domFormData, isMultiPartForm);
-        if (is<HTMLInputElement>(element)) {
-            HTMLInputElement& input = downcast<HTMLInputElement>(element);
-            if (input.isTextField()) {
-                formValues.append(std::pair<String, String>(input.name().string(), input.value()));
-                input.addSearchResult();
+    {
+        NoEventDispatchAssertion noEventDispatchAssertion;
+
+        for (auto& control : form->associatedElements()) {
+            auto& element = control->asHTMLElement();
+            if (!element.isDisabledFormControl())
+                control->appendFormData(*domFormData, isMultiPartForm);
+            if (is<HTMLInputElement>(element)) {
+                auto& input = downcast<HTMLInputElement>(element);
+                if (input.isTextField()) {
+                    // formValues.append({ input.name().string(), input.value() });
+                    formValues.append(std::pair<String, String>(input.name().string(), input.value()));
+                    input.addSearchResult();
+                }
+                if (input.isPasswordField() && !input.value().isEmpty())
+                    containsPasswordData = true;
             }
-            if (input.isPasswordField() && !input.value().isEmpty())
-                containsPasswordData = true;
         }
     }
 
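Review bot: the line `// formValues.append({ input.name().string(), input.value() });` is a commented-out alternative to the `formValues.append(std::pair<String, String>(...))` call directly below it and should be dropped rather than merged; dead code like this tends to persist across branches. The guard scope itself looks right: `NoEventDispatchAssertion noEventDispatchAssertion;` wraps exactly the loop that calls `control->appendFormData(...)`, `input.addSearchResult()` and reads `input.value()`, so any of those reaching event dispatch will now trip the assertion instead of silently mutating `form->associatedElements()` under the iterator. The remainder of the hunk is the original loop re-indented into the new block with `auto&` replacing the spelled-out types, with no further behavioural change.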
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes