- Revision
- 269193
- Author
- [email protected]
- Date
- 2020-10-30 10:42:26 -0700 (Fri, 30 Oct 2020)
Log Message
Cherry-pick r268904. rdar://problem/70831149
Null check platformStrategies when making blob read stream for an NSURLRequest
https://bugs.webkit.org/show_bug.cgi?id=218112
<rdar://problem/70507102>
Patch by Alex Christensen <[email protected]> on 2020-10-22
Reviewed by Wenson Hsieh.
Source/WebCore:
r266187 made it possible to create a DataTransfer without a user event, which allows you to make a FileList,
which allows you to submit a multipart form without a user event that calls decidePolicyForNavigationAction
with a request that has a form data body that would make a blob upload stream. This causes us to use
platformStrategies in the UI process, which dereferences null. Since the blob only really exists in the network
process, just return a nil HTTPBody in such an exotic case instead of crashing.
Covered by an API test that would hit this crash. Web platform tests were insufficient because WebKitTestRunner does not
access WKNavigationAction.request, but Safari does.
* platform/PlatformStrategies.cpp:
(WebCore::hasPlatformStrategies):
* platform/PlatformStrategies.h:
* platform/network/FormData.cpp:
(WebCore::FormData::containsBlobElement const):
(WebCore::FormData::resolveBlobReferences):
* platform/network/FormData.h:
* platform/network/cf/FormDataStreamCFNet.cpp:
(WebCore::createHTTPBodyCFReadStream):
Tools:
* TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm:
(TEST):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268904 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.4-branch/Source/WebCore/ChangeLog (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/ChangeLog 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/ChangeLog 2020-10-30 17:42:26 UTC (rev 269193)
@@ -1,5 +1,71 @@
2020-10-29 Alan Coon <[email protected]>
+ Cherry-pick r268904. rdar://problem/70831149
+
+ Null check platformStrategies when making blob read stream for an NSURLRequest
+ https://bugs.webkit.org/show_bug.cgi?id=218112
+ <rdar://problem/70507102>
+
+ Patch by Alex Christensen <[email protected]> on 2020-10-22
+ Reviewed by Wenson Hsieh.
+
+ Source/WebCore:
+
+ r266187 made it possible to create a DataTransfer without a user event, which allows you to make a FileList,
+ which allows you to submit a multipart form without a user event that calls decidePolicyForNavigationAction
+ with a request that has a form data body that would make a blob upload stream. This causes us to use
+ platformStrategies in the UI process, which dereferences null. Since the blob only really exists in the network
+ process, just return a nil HTTPBody in such an exotic case instead of crashing.
+
+ Covered by an API test that would hit this crash. Web platform tests were insufficient because WebKitTestRunner does not
+ access WKNavigationAction.request, but Safari does.
+
+ * platform/PlatformStrategies.cpp:
+ (WebCore::hasPlatformStrategies):
+ * platform/PlatformStrategies.h:
+ * platform/network/FormData.cpp:
+ (WebCore::FormData::containsBlobElement const):
+ (WebCore::FormData::resolveBlobReferences):
+ * platform/network/FormData.h:
+ * platform/network/cf/FormDataStreamCFNet.cpp:
+ (WebCore::createHTTPBodyCFReadStream):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268904 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-10-22 Alex Christensen <[email protected]>
+
+ Null check platformStrategies when making blob read stream for an NSURLRequest
+ https://bugs.webkit.org/show_bug.cgi?id=218112
+ <rdar://problem/70507102>
+
+ Reviewed by Wenson Hsieh.
+
+ r266187 made it possible to create a DataTransfer without a user event, which allows you to make a FileList,
+ which allows you to submit a multipart form without a user event that calls decidePolicyForNavigationAction
+ with a request that has a form data body that would make a blob upload stream. This causes us to use
+ platformStrategies in the UI process, which dereferences null. Since the blob only really exists in the network
+ process, just return a nil HTTPBody in such an exotic case instead of crashing.
+
+ Covered by an API test that would hit this crash. Web platform tests were insufficient because WebKitTestRunner does not
+ access WKNavigationAction.request, but Safari does.
+
+ * platform/PlatformStrategies.cpp:
+ (WebCore::hasPlatformStrategies):
+ * platform/PlatformStrategies.h:
+ * platform/network/FormData.cpp:
+ (WebCore::FormData::containsBlobElement const):
+ (WebCore::FormData::resolveBlobReferences):
+ * platform/network/FormData.h:
+ * platform/network/cf/FormDataStreamCFNet.cpp:
+ (WebCore::createHTTPBodyCFReadStream):
+
+2020-10-29 Alan Coon <[email protected]>
+
Cherry-pick r268386. rdar://problem/70831174
Cocoa: Make WebGLLayer not dependent on GraphicsContextGLOpenGL
Modified: branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.cpp (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.cpp 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.cpp 2020-10-30 17:42:26 UTC (rev 269193)
@@ -30,6 +30,11 @@
static PlatformStrategies* s_platformStrategies;
+bool hasPlatformStrategies()
+{
+ return !!s_platformStrategies;
+}
+
PlatformStrategies* platformStrategies()
{
ASSERT(s_platformStrategies);
Modified: branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.h (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.h 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/platform/PlatformStrategies.h 2020-10-30 17:42:26 UTC (rev 269193)
@@ -81,6 +81,7 @@
BlobRegistry* m_blobRegistry { };
};
+bool hasPlatformStrategies();
WEBCORE_EXPORT PlatformStrategies* platformStrategies();
WEBCORE_EXPORT void setPlatformStrategies(PlatformStrategies*);
Modified: branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.cpp (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.cpp 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.cpp 2020-10-30 17:42:26 UTC (rev 269193)
@@ -316,18 +316,19 @@
}
}
-Ref<FormData> FormData::resolveBlobReferences(BlobRegistryImpl* blobRegistryImpl)
+bool FormData::containsBlobElement() const
{
- // First check if any blobs needs to be resolved, or we can take the fast path.
- bool hasBlob = false;
for (auto& element : m_elements) {
- if (WTF::holds_alternative<FormDataElement::EncodedBlobData>(element.data)) {
- hasBlob = true;
- break;
- }
+ if (WTF::holds_alternative<FormDataElement::EncodedBlobData>(element.data))
+ return true;
}
+ return false;
+}
- if (!hasBlob)
+Ref<FormData> FormData::resolveBlobReferences(BlobRegistryImpl* blobRegistryImpl)
+{
+ // First check if any blobs needs to be resolved, or we can take the fast path.
+ if (!containsBlobElement())
return *this;
// Create a copy to append the result into.
Modified: branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.h (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.h 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/platform/network/FormData.h 2020-10-30 17:42:26 UTC (rev 269193)
@@ -221,6 +221,7 @@
// Resolve all blob references so we only have file and data.
// If the FormData has no blob references to resolve, this is returned.
WEBCORE_EXPORT Ref<FormData> resolveBlobReferences(BlobRegistryImpl* = nullptr);
+ bool containsBlobElement() const;
WEBCORE_EXPORT FormDataForUpload prepareForUpload();
Modified: branches/safari-611.1.4-branch/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp (269192 => 269193)
--- branches/safari-611.1.4-branch/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp 2020-10-30 17:42:26 UTC (rev 269193)
@@ -31,6 +31,7 @@
#include "BlobRegistryImpl.h"
#include "FormData.h"
+#include "PlatformStrategies.h"
#include <sys/stat.h>
#include <sys/types.h>
#include <wtf/Assertions.h>
@@ -370,6 +371,9 @@
RetainPtr<CFReadStreamRef> createHTTPBodyCFReadStream(FormData& formData)
{
+ if (!hasPlatformStrategies() && formData.containsBlobElement())
+ return nullptr;
+
auto resolvedFormData = formData.resolveBlobReferences();
auto dataForUpload = resolvedFormData->prepareForUpload();
Modified: branches/safari-611.1.4-branch/Tools/ChangeLog (269192 => 269193)
--- branches/safari-611.1.4-branch/Tools/ChangeLog 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Tools/ChangeLog 2020-10-30 17:42:26 UTC (rev 269193)
@@ -1,5 +1,55 @@
2020-10-29 Alan Coon <[email protected]>
+ Cherry-pick r268904. rdar://problem/70831149
+
+ Null check platformStrategies when making blob read stream for an NSURLRequest
+ https://bugs.webkit.org/show_bug.cgi?id=218112
+ <rdar://problem/70507102>
+
+ Patch by Alex Christensen <[email protected]> on 2020-10-22
+ Reviewed by Wenson Hsieh.
+
+ Source/WebCore:
+
+ r266187 made it possible to create a DataTransfer without a user event, which allows you to make a FileList,
+ which allows you to submit a multipart form without a user event that calls decidePolicyForNavigationAction
+ with a request that has a form data body that would make a blob upload stream. This causes us to use
+ platformStrategies in the UI process, which dereferences null. Since the blob only really exists in the network
+ process, just return a nil HTTPBody in such an exotic case instead of crashing.
+
+ Covered by an API test that would hit this crash. Web platform tests were insufficient because WebKitTestRunner does not
+ access WKNavigationAction.request, but Safari does.
+
+ * platform/PlatformStrategies.cpp:
+ (WebCore::hasPlatformStrategies):
+ * platform/PlatformStrategies.h:
+ * platform/network/FormData.cpp:
+ (WebCore::FormData::containsBlobElement const):
+ (WebCore::FormData::resolveBlobReferences):
+ * platform/network/FormData.h:
+ * platform/network/cf/FormDataStreamCFNet.cpp:
+ (WebCore::createHTTPBodyCFReadStream):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268904 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-10-22 Alex Christensen <[email protected]>
+
+ Null check platformStrategies when making blob read stream for an NSURLRequest
+ https://bugs.webkit.org/show_bug.cgi?id=218112
+ <rdar://problem/70507102>
+
+ Reviewed by Wenson Hsieh.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm:
+ (TEST):
+
+2020-10-29 Alan Coon <[email protected]>
+
Cherry-pick r268878. rdar://problem/70831133
UIClient isn't notified when page muted state changes
Modified: branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm (269192 => 269193)
--- branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm 2020-10-30 17:42:22 UTC (rev 269192)
+++ branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/NavigationAction.mm 2020-10-30 17:42:26 UTC (rev 269193)
@@ -25,8 +25,10 @@
#import "config.h"
+#import "HTTPServer.h"
#import "PlatformUtilities.h"
#import "Test.h"
+#import "TestNavigationDelegate.h"
#import "TestWKWebView.h"
#import <WebKit/WKNavigationActionPrivate.h>
#import <wtf/RetainPtr.h>
@@ -175,3 +177,41 @@
EXPECT_NOT_NULL(navigationDelegate.get().navigationAction);
EXPECT_FALSE(navigationDelegate.get().navigationAction._shouldPerformDownload);
}
+
+TEST(WKNavigationAction, BlobRequestBody)
+{
+ NSString *html = @""
+ "<script>"
+ "function bodyLoaded() {"
+ "const form = Object.assign(document.createElement('form'), {"
+ "action: '/formAction', method: 'POST', enctype: 'multipart/form-data',"
+ "});"
+ "document.body.append(form);"
+ "const fileInput = Object.assign(document.createElement('input'), {"
+ "type: 'file', name: 'file',"
+ "});"
+ "form.append(fileInput);"
+ "const dataTransfer = new DataTransfer;"
+ "dataTransfer.items.add(new File(['a'], 'filename'));"
+ "fileInput.files = dataTransfer.files;"
+ "form.submit();"
+ "}"
+ "</script>"
+ "<body _onload_='bodyLoaded()'>";
+ auto delegate = [[TestNavigationDelegate new] autorelease];
+ auto webView = [[WKWebView new] autorelease];
+ webView.navigationDelegate = delegate;
+ __block bool done = false;
+ delegate.decidePolicyForNavigationAction = ^(WKNavigationAction *action, void (^completionHandler)(WKNavigationActionPolicy)) {
+ EXPECT_NULL(action.request.HTTPBody);
+ if ([action.request.URL.absoluteString isEqualToString:@"about:blank"])
+ completionHandler(WKNavigationActionPolicyAllow);
+ else {
+ EXPECT_WK_STREQ(action.request.URL.absoluteString, "/formAction");
+ completionHandler(WKNavigationActionPolicyCancel);
+ done = true;
+ }
+ };
+ [webView loadHTMLString:html baseURL:nil];
+ TestWebKitAPI::Util::run(&done);
+}
