Title: [199778] trunk
- Revision
- 199778
- Author
- bfulg...@apple.com
- Date
- 2016-04-20 11:26:20 -0700 (Wed, 20 Apr 2016)
Log Message
[WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit::resolveSymlinksInPath(WTF::CString const&) + 159
https://bugs.webkit.org/show_bug.cgi?id=156747
<rdar://problem/24648176>
Reviewed by Alexey Proskuryakov.
Source/WebKit2:
FileSystemCF::fileSystemRepresentation returns a null string when presented with a file URL that contains embedded nulls. When
this happens, SandboxExtension::createHandle attempts to pass a null string to 'resolveSymlinksInPath', which attempts to call
'strrchr' on the null pointer, causing a crash.
Test: fast/url/file-uri-with-embedded-null-no-crash.html
* Shared/mac/SandboxExtensionMac.mm:
(WebKit::SandboxExtension::createHandle): If 'fileSystemRepresentation' is null, return early with an error.
LayoutTests:
* fast/url/file-uri-with-embedded-null-no-crash-expected.txt: Added.
* fast/url/file-uri-with-embedded-null-no-crash.html: Added.
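The failure chain described in the log message, as an added C example (not WebKit code): a percent-encoded path such as `/%00/%00/x` decodes to bytes containing an embedded NUL, a "file system representation" helper refuses such input by returning NULL, and a caller that, like `resolveSymlinksInPath`, reaches for `strrchr` must check for that NULL first. The names `percent_decode`, `file_system_representation`, `last_component` and `resolve_last_component` are stand-ins written for this example and are not the WebKit functions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a URL path into a byte buffer and return the decoded
 * length. "%00" decodes to a literal NUL byte, so the result must not be
 * treated as a C string. (Helper written for this example.) */
static size_t percent_decode(const char *in, unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    const char *p = in;
    while (*p && n < out_cap) {
        if (p[0] == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            p += 3;
        } else {
            out[n++] = (unsigned char)*p++;
        }
    }
    return n;
}

/* Stand-in for fileSystemRepresentation(): a path containing an embedded
 * NUL has no faithful C-string form, so report failure (NULL) rather than
 * silently truncating at the first NUL. Caller frees the result. */
static char *file_system_representation(const unsigned char *bytes, size_t len)
{
    if (memchr(bytes, '\0', len))
        return NULL;
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memcpy(s, bytes, len);
    s[len] = '\0';
    return s;
}

/* Stand-in for resolveSymlinksInPath(): like the original it calls
 * strrchr() on its argument, so passing NULL here would crash. */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Guarded caller modelled on the fix: check for a null representation
 * before handing it to code that dereferences it. Returns 1 and writes
 * the last path component on success, 0 for an unrepresentable path. */
int resolve_last_component(const char *url_path, char *out, size_t out_cap)
{
    unsigned char decoded[256];
    size_t len = percent_decode(url_path, decoded, sizeof decoded);
    char *fs = file_system_representation(decoded, len);
    if (!fs) {
        /* The early return the fix adds: log the offending input and refuse. */
        fprintf(stderr, "could not create a file system representation for '%s'\n", url_path);
        return 0;
    }
    snprintf(out, out_cap, "%s", last_component(fs));
    free(fs);
    return 1;
}

int main(void)
{
    char buf[64];
    printf("/tmp/x      -> %d (%s)\n", resolve_last_component("/tmp/x", buf, sizeof buf), buf);
    printf("/%%00/%%00/x -> %d\n", resolve_last_component("/%00/%00/x", buf, sizeof buf));
    return 0;
}
```

The point of the example is the ordering: the null check sits between the conversion and the first dereference, which is exactly where the patch inserts it.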
Diff
Modified: trunk/LayoutTests/ChangeLog (199777 => 199778)
--- trunk/LayoutTests/ChangeLog 2016-04-20 18:01:40 UTC (rev 199777)
+++ trunk/LayoutTests/ChangeLog 2016-04-20 18:26:20 UTC (rev 199778)
@@ -1,3 +1,14 @@
+2016-04-20 Brent Fulgham <bfulg...@apple.com>
+
+ [WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit::resolveSymlinksInPath(WTF::CString const&) + 159
+ https://bugs.webkit.org/show_bug.cgi?id=156747
+ <rdar://problem/24648176>
+
+ Reviewed by Alexey Proskuryakov.
+
+ * fast/url/file-uri-with-embedded-null-no-crash-expected.txt: Added.
+ * fast/url/file-uri-with-embedded-null-no-crash.html: Added.
+
2016-04-20 Dave Hyatt <hy...@apple.com>
Hangable punctuation measurement using the wrong indices.
Added: trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt (0 => 199778)
--- trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash-expected.txt 2016-04-20 18:26:20 UTC (rev 199778)
@@ -0,0 +1,4 @@
+Tests that attempting to ping an invalid file URI doesn't crash WebKit.
+
+Click Me
+The test passes if it does not crash.
Added: trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html (0 => 199778)
--- trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html (rev 0)
+++ trunk/LayoutTests/fast/url/file-uri-with-embedded-null-no-crash.html 2016-04-20 18:26:20 UTC (rev 199778)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>Tests that attempting to ping an invalid file URI doesn't crash WebKit.</p>
+<a href="" ping="file://%00/%00/x">Click Me</a><script>document.querySelector('a').click();</script>
+<p>The test passes if it does not crash.</p>
+</body>
+</html>
\ No newline at end of file
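Review bot: the new test file lands without a trailing newline ("\ No newline at end of file" at the end of the hunk); add one so later diffs against this file stay clean. Also, the test dumps as text without a testRunner.waitUntilDone()/notifyDone() pair, so it only exercises the crash if the ping load reaches SandboxExtension::createHandle synchronously from the click() call; worth confirming that, or adding the wait so the test cannot pass vacuously.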
Modified: trunk/Source/WebKit2/ChangeLog (199777 => 199778)
--- trunk/Source/WebKit2/ChangeLog 2016-04-20 18:01:40 UTC (rev 199777)
+++ trunk/Source/WebKit2/ChangeLog 2016-04-20 18:26:20 UTC (rev 199778)
@@ -1,3 +1,20 @@
+2016-04-20 Brent Fulgham <bfulg...@apple.com>
+
+ [WK2][Mac][iOS] WebContent crash when using special file:// URI scheme @ WebKit::resolveSymlinksInPath(WTF::CString const&) + 159
+ https://bugs.webkit.org/show_bug.cgi?id=156747
+ <rdar://problem/24648176>
+
+ Reviewed by Alexey Proskuryakov.
+
+ FileSystemCF::fileSystemRepresentation return a null string when presented with a file URL that contains embedded nulls. When
+ this happens, SandboxExtension::createHandle attempts to pass a null string to 'resolveSymlinksInPath', which attemps to call
+ 'strrchr' on the null pointer, causing a crash.
+
+ Test: fast/url/file-uri-with-embedded-null-no-crash.html
+
+ * Shared/mac/SandboxExtensionMac.mm:
+ (WebKit::SandboxExtension::createHandle): If 'fileSystemRepresentation' is null, return early with an error.
+
2016-04-19 Alex Christensen <achristen...@webkit.org>
Fix CMake build.
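Review bot: two typos in the new ChangeLog entry: "fileSystemRepresentation return a null string" should read "returns", and "attemps to call" should be "attempts to call".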
Modified: trunk/Source/WebKit2/Shared/mac/SandboxExtensionMac.mm (199777 => 199778)
--- trunk/Source/WebKit2/Shared/mac/SandboxExtensionMac.mm 2016-04-20 18:01:40 UTC (rev 199777)
+++ trunk/Source/WebKit2/Shared/mac/SandboxExtensionMac.mm 2016-04-20 18:26:20 UTC (rev 199778)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -217,7 +217,13 @@
ASSERT(!handle.m_sandboxExtension);
// FIXME: Do we need both resolveSymlinksInPath() and -stringByStandardizingPath?
- CString standardizedPath = resolveSymlinksInPath(fileSystemRepresentation([(NSString *)path stringByStandardizingPath]));
+ CString fileSystemPath = fileSystemRepresentation([(NSString *)path stringByStandardizingPath]);
+ if (fileSystemPath.isNull()) {
+ LOG_ERROR("Could not create a valid file system representation for the string '%s' of length %lu", fileSystemPath.data(), fileSystemPath.length());
+ return false;
+ }
+
+ CString standardizedPath = resolveSymlinksInPath(fileSystemPath);
handle.m_sandboxExtension = WKSandboxExtensionCreate(standardizedPath.data(), wkSandboxExtensionType(type));
if (!handle.m_sandboxExtension) {
LOG_ERROR("Could not create a sandbox extension for '%s'", path.utf8().data());
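Review bot: the new LOG_ERROR in the isNull() branch logs fileSystemPath.data() and fileSystemPath.length(), but the enclosing `if` has just established that fileSystemPath is null, so the message will show an empty/null string and length 0 rather than the input that failed; and handing a null pointer to a "%s" conversion is undefined behaviour in printf-family formatting even where the platform happens to print "(null)". Log the original path instead, as the existing error path a few lines below already does, e.g. `LOG_ERROR("Could not create a valid file system representation for the path '%s'", path.utf8().data());`. If the length is still wanted, "%zu" is the portable conversion for a size_t.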
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes