Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/text/StringWithDirection.h (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/text/StringWithDirection.h 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/text/StringWithDirection.h 2017-05-08 10:57:51 UTC (rev 216380)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2011 Google Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -62,4 +63,11 @@
return !(a == b);
}
+inline StringWithDirection truncateFromEnd(const StringWithDirection& string, unsigned maxLength)
+{
+ if (string.direction == LTR)
+ return StringWithDirection(string.string.left(maxLength), LTR);
+ return StringWithDirection(string.string.right(maxLength), RTL);
}
+
+}
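Review bot: truncateFromEnd cuts at a UTF-16 code-unit index, so `string.string.left(maxLength)` (and `right(maxLength)` in the RTL branch) can split a surrogate pair and hand an unpaired surrogate to the delegate and across IPC; keeping the cut on a code-point boundary would avoid that, e.g. for LTR `if (maxLength && maxLength < string.string.length() && U16_IS_LEAD(string.string[maxLength - 1])) --maxLength;` with the mirrored `U16_IS_TRAIL` check at index `length - maxLength` for RTL (assuming the ICU UTF-16 macros are reachable from this header). The else branch also hard-codes `RTL` rather than passing `string.direction` through, which is only equivalent while TextDirection has exactly those two values. The function has no comment stating its contract; I would add `// Keeps the first maxLength UTF-16 code units for LTR and the last maxLength for RTL; maxLength counts code units, not characters.` above it.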
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/ChangeLog (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/ChangeLog 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/ChangeLog 2017-05-08 10:57:51 UTC (rev 216380)
@@ -1,3 +1,23 @@
+2017-04-25 Brent Fulgham <[email protected]>
+
+ Limit allowed size of document.title to avoid locking WebKit clients
+ https://bugs.webkit.org/show_bug.cgi?id=165113
+ <rdar://problem/28324389>
+
+ Reviewed by Darin Adler.
+
+ When a web application attempts to set an extremely long title, truncate the
+ title to a more reasonable size.
+
+ We do this at at the presentation layer, rather than in the DOM, so that we do
+ not affect script function. Instead, we merely limit display to a level that is
+ reasonable for normal GUI widgets. Anything else needs to be truncated in the UI
+ layer, so it is a waste of effort to send across IPC.
+
+ * WebCoreSupport/WebFrameLoaderClient.h:
+ * WebCoreSupport/WebFrameLoaderClient.mm:
+ (WebFrameLoaderClient::dispatchDidReceiveTitle):
+
2017-02-20 Manuel Rego Casasnovas <[email protected]>
[css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm 2017-05-08 10:57:51 UTC (rev 216380)
@@ -681,13 +681,17 @@
CallFrameLoadDelegate(implementations->didStartProvisionalLoadForFrameFunc, webView, @selector(webView:didStartProvisionalLoadForFrame:), m_webFrame.get());
}
+static constexpr unsigned maxTitleLength = 1000; // Closest power of 10 above the W3C recommendation for Title length.
+
void WebFrameLoaderClient::dispatchDidReceiveTitle(const StringWithDirection& title)
{
+ auto truncatedTitle = truncateFromEnd(title, maxTitleLength);
+
WebView *webView = getWebView(m_webFrame.get());
WebFrameLoadDelegateImplementationCache* implementations = WebViewGetFrameLoadDelegateImplementations(webView);
if (implementations->didReceiveTitleForFrameFunc) {
// FIXME: Use direction of title.
- CallFrameLoadDelegate(implementations->didReceiveTitleForFrameFunc, webView, @selector(webView:didReceiveTitle:forFrame:), (NSString *)title.string, m_webFrame.get());
+ CallFrameLoadDelegate(implementations->didReceiveTitleForFrameFunc, webView, @selector(webView:didReceiveTitle:forFrame:), (NSString *)truncatedTitle.string, m_webFrame.get());
}
}
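Review bot: `static constexpr unsigned maxTitleLength = 1000;` at the top of this hunk is a second copy, comment included, of the constant the WebKit2 WebFrameLoaderClient.cpp hunk adds, and the new tests hard-code a third value (4096); the copies can drift without any compiler or test noticing. Both call sites already depend on StringWithDirection.h for truncateFromEnd, so a single shared constant there (or a Settings entry) would keep the limit in one place. The `// Closest power of 10 above the W3C recommendation ...` comment does not identify which recommendation or what number it gives, so a maintainer cannot re-check the bound; a citation or the referenced length would help.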
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-05-08 10:57:51 UTC (rev 216380)
@@ -1,3 +1,23 @@
+2017-04-25 Brent Fulgham <[email protected]>
+
+ Limit allowed size of document.title to avoid locking WebKit clients
+ https://bugs.webkit.org/show_bug.cgi?id=165113
+ <rdar://problem/28324389>
+
+ Reviewed by Darin Adler.
+
+ When a web application attempts to set an extremely long title, truncate the
+ title to a more reasonable size.
+
+ We do this at at the presentation layer, rather than in the DOM, so that we do
+ not affect script function. Instead, we merely limit display to a level that is
+ reasonable for normal GUI widgets. Anything else needs to be truncated in the UI
+ layer, so it is a waste of effort to send across IPC.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::dispatchDidReceiveTitle):
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
+
2017-04-25 Chris Dumez <[email protected]>
Content-Disposition header filename is ignored when 'download' attribute is specified in HTML
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-05-08 10:57:51 UTC (rev 216380)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -424,6 +424,8 @@
webPage->send(Messages::WebPageProxy::DidStartProvisionalLoadForFrame(m_frame->frameID(), provisionalLoader.navigationID(), url, unreachableURL, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));
}
+static constexpr unsigned maxTitleLength = 1000; // Closest power of 10 above the W3C recommendation for Title length.
+
void WebFrameLoaderClient::dispatchDidReceiveTitle(const StringWithDirection& title)
{
WebPage* webPage = m_frame->page();
@@ -430,14 +432,16 @@
if (!webPage)
return;
+ auto truncatedTitle = truncateFromEnd(title, maxTitleLength);
+
RefPtr<API::Object> userData;
// Notify the bundle client.
// FIXME: Use direction of title.
- webPage->injectedBundleLoaderClient().didReceiveTitleForFrame(webPage, title.string, m_frame, userData);
+ webPage->injectedBundleLoaderClient().didReceiveTitleForFrame(webPage, truncatedTitle.string, m_frame, userData);
// Notify the UIProcess.
- webPage->send(Messages::WebPageProxy::DidReceiveTitleForFrame(m_frame->frameID(), title.string, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));
+ webPage->send(Messages::WebPageProxy::DidReceiveTitleForFrame(m_frame->frameID(), truncatedTitle.string, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));
}
void WebFrameLoaderClient::dispatchDidCommitLoad(std::optional<HasInsecureContent> hasInsecureContent)
Modified: releases/WebKitGTK/webkit-2.16/Tools/ChangeLog (216379 => 216380)
--- releases/WebKitGTK/webkit-2.16/Tools/ChangeLog 2017-05-08 10:38:31 UTC (rev 216379)
+++ releases/WebKitGTK/webkit-2.16/Tools/ChangeLog 2017-05-08 10:57:51 UTC (rev 216380)
@@ -1,3 +1,16 @@
+2017-04-25 Brent Fulgham <[email protected]>
+
+ Limit allowed size of document.title to avoid locking WebKit clients
+ https://bugs.webkit.org/show_bug.cgi?id=165113
+ <rdar://problem/28324389>
+
+ Reviewed by Darin Adler.
+
+ * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: Add new files.
+ * TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp: Added.
+ * TestWebKitAPI/Tests/WebKit2/set-long-title.html: Added.
+ * TestWebKitAPI/Tests/mac/LimitTitleSize.mm: Added.
+
2017-04-07 Myles C. Maxfield <[email protected]>
REGRESSION(r211382): Complex text with justification erroneously overflows containers
Added: releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp (0 => 216380)
--- releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp (rev 0)
+++ releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp 2017-05-08 10:57:51 UTC (rev 216380)
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if WK_HAVE_C_SPI
+
+#include "PlatformUtilities.h"
+#include "PlatformWebView.h"
+#include "Test.h"
+#include <WebKit/WKRetainPtr.h>
+
+namespace TestWebKitAPI {
+
+static bool waitUntilLongTitleReceived = false;
+static bool didFinishLoad = false;
+static size_t maxTitleLength = 4096;
+
+static void didFinishLoadForFrame(WKPageRef page, WKFrameRef frame, WKTypeRef userData, const void* clientInfo)
+{
+ didFinishLoad = true;
+}
+
+static void didReceiveTitleForFrame(WKPageRef page, WKStringRef title, WKFrameRef, WKTypeRef, const void*)
+{
+ WKStringRef titleString = (WKStringRef)title;
+
+ if (WKStringIsEqualToUTF8CString(titleString, "Original Short Title"))
+ return;
+
+ EXPECT_LE(WKStringGetLength(titleString), maxTitleLength);
+ waitUntilLongTitleReceived = true;
+}
+
+TEST(WebKit2, LimitTitleSize)
+{
+ WKRetainPtr<WKContextRef> context(AdoptWK, WKContextCreate());
+ PlatformWebView webView(context.get());
+
+ WKPageLoaderClientV0 loaderClient;
+ memset(&loaderClient, 0, sizeof(loaderClient));
+
+ loaderClient.base.version = 0;
+ loaderClient.didReceiveTitleForFrame = didReceiveTitleForFrame;
+ loaderClient.didFinishLoadForFrame = didFinishLoadForFrame;
+
+ WKPageSetPageLoaderClient(webView.page(), &loaderClient.base);
+
+ WKRetainPtr<WKURLRef> url(AdoptWK, Util::createURLForResource("set-long-title", "html"));
+
+ WKPageLoadURL(webView.page(), url.get());
+ Util::run(&waitUntilLongTitleReceived);
+}
+
+} // namespace TestWebKitAPI
+
+#endif
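Review bot: `static size_t maxTitleLength = 4096;` is looser than the limit the change enforces (1000 in both WebFrameLoaderClient hunks), so `EXPECT_LE(WKStringGetLength(titleString), maxTitleLength)` still passes if truncation stopped anywhere below 4096 and does not pin the implemented bound; with the fixture's 8095-character title, setting the constant to 1000 and asserting `EXPECT_EQ(WKStringGetLength(titleString), maxTitleLength);` would. `didFinishLoad` and `didFinishLoadForFrame` are set but never read, and `WKStringRef titleString = (WKStringRef)title;` casts the parameter to its own type. The fixture uses a single BMP code point in an LTR document, so neither a surrogate-pair split at the cut nor the RTL branch of truncateFromEnd is covered.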
Added: releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/set-long-title.html (0 => 216380)
--- releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/set-long-title.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2/set-long-title.html 2017-05-08 10:57:51 UTC (rev 216380)
@@ -0,0 +1,10 @@
+<html>
+<head>
+<title>Original Short Title</title>
+</head>
+<body>
+<script>
+document.title = Array(8096).join(String.fromCharCode(0x8181));
+</script>
+</body>
+</html>
\ No newline at end of file
Added: releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/mac/LimitTitleSize.mm (0 => 216380)
--- releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/mac/LimitTitleSize.mm (rev 0)
+++ releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/mac/LimitTitleSize.mm 2017-05-08 10:57:51 UTC (rev 216380)
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+
+#import "PlatformUtilities.h"
+#import "PlatformWebView.h"
+#import <WebKit/DOMPrivate.h>
+#import <WebKit/WebViewPrivate.h>
+#import <wtf/RetainPtr.h>
+
+@interface LimitTitleSizeTest : NSObject <WebFrameLoadDelegate>
+@end
+
+static bool waitUntilLongTitleReceived = false;
+static bool didFinishLoad = false;
+
+@implementation LimitTitleSizeTest
+
+static size_t maxTitleLength = 4096;
+
+- (void)webView:(WebView *)sender didReceiveTitle:(NSString *)title forFrame:(WebFrame *)frame
+{
+ if ([title isEqualToString:@"Original Short Title"])
+ return;
+
+ EXPECT_LE(title.length, maxTitleLength);
+ waitUntilLongTitleReceived = true;
+}
+
+- (void)webView:(WebView *)sender didFinishLoadForFrame:(WebFrame *)frame
+{
+ didFinishLoad = true;
+}
+@end
+
+namespace TestWebKitAPI {
+
+TEST(WebKit1, LimitTitleSize)
+{
+ RetainPtr<WebView> webView = adoptNS([[WebView alloc] initWithFrame:NSMakeRect(0, 0, 120, 200) frameName:nil groupName:nil]);
+ RetainPtr<LimitTitleSizeTest> testController = adoptNS([LimitTitleSizeTest new]);
+
+ webView.get().frameLoadDelegate = testController.get();
+ [[webView.get() mainFrame] loadRequest:[NSURLRequest requestWithURL:[[NSBundle mainBundle]
+ URLForResource:@"set-long-title" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]]];
+
+ Util::run(&didFinishLoad);
+}
+
+} // namespace TestWebKitAPI
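Review bot: The test waits only on `didFinishLoad`, so it passes vacuously if `webView:didReceiveTitle:forFrame:` is never invoked for the long title and `EXPECT_LE` never runs; adding `EXPECT_TRUE(waitUntilLongTitleReceived);` after `Util::run(&didFinishLoad);` closes that gap. As in the WebKit2 test, `maxTitleLength = 4096` is looser than the 1000 the client code enforces, so the assertion does not pin the actual limit. `[LimitTitleSizeTest new]` would conventionally be `[[LimitTitleSizeTest alloc] init]`, and `maxTitleLength` is declared inside the `@implementation` block rather than with the other file statics above it.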