Modified: trunk/Source/WebCore/ChangeLog (163241 => 163242)
--- trunk/Source/WebCore/ChangeLog 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/ChangeLog 2014-02-01 16:32:11 UTC (rev 163242)
@@ -1,3 +1,60 @@
+2014-02-01 David Kilzer <[email protected]>
+
+ Add security-checked casts for all WebCore::CachedResource subclasses
+ <http://webkit.org/b/127988>
+
+ Reviewed by Darin Adler.
+
+ * inspector/InspectorPageAgent.cpp:
+ (WebCore::InspectorPageAgent::cachedResourceContent):
+ * inspector/InspectorResourceAgent.cpp:
+ (WebCore::InspectorResourceAgent::didLoadResourceFromMemoryCache):
+ - Switch from static_cast<>() to security-checked cast.
+
+ * loader/cache/CachedCSSStyleSheet.h:
+ (WebCore::toCachedCSSStyleSheet): Add.
+ * loader/cache/CachedFont.h:
+ (WebCore::toCachedFont): Add.
+
+ * loader/cache/CachedImage.h: Make CachedImageManual final.
+
+ * loader/cache/CachedRawResource.cpp:
+ (WebCore::CachedRawResource::CachedRawResource): Add assert that
+ only MainResource or RawResource types are used to construct a
+ CachedRawResource. This may be a security issue depending on
+ what code exists that uses the type() value to cast to a
+ CachedResource subclass.
+ (WebCore::CachedRawResource::switchClientsToRevalidatedResource):
+ Switch from static_cast<>() to toCachedRawResource().
+
+ * loader/cache/CachedRawResource.h:
+ (WebCore::toCachedRawResource): Add.
+ * loader/cache/CachedResource.h:
+ (WebCore::CachedResource::isMainOrRawResource): Add. A
+ CachedRawResource could be either a MainResource or a
+ RawResource. Currently only used in assertions.
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::requestFont):
+ (WebCore::CachedResourceLoader::requestTextTrack):
+ (WebCore::CachedResourceLoader::requestCSSStyleSheet):
+ (WebCore::CachedResourceLoader::requestUserCSSStyleSheet):
+ (WebCore::CachedResourceLoader::requestScript):
+ (WebCore::CachedResourceLoader::requestXSLStyleSheet):
+ (WebCore::CachedResourceLoader::requestSVGDocument):
+ (WebCore::CachedResourceLoader::requestRawResource):
+ (WebCore::CachedResourceLoader::requestMainResource):
+ - Switch from static_cast<>() to security-checked cast.
+
+ * loader/cache/CachedSVGDocument.h:
+ (WebCore::toCachedSVGDocument): Add.
+ * loader/cache/CachedScript.h:
+ (WebCore::toCachedScript): Add.
+ * loader/cache/CachedTextTrack.h:
+ (WebCore::toCachedTextTrack): Add.
+ * loader/cache/CachedXSLStyleSheet.h:
+ (WebCore::toCachedXSLStyleSheet): Add.
+
2014-02-01 Xabier Rodriguez Calvar <[email protected]>
Unreviewed. Fixed GTK+ CMake build after r162922.
Modified: trunk/Source/WebCore/inspector/InspectorPageAgent.cpp (163241 => 163242)
--- trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2014-02-01 16:32:11 UTC (rev 163242)
@@ -174,10 +174,10 @@
if (cachedResource) {
switch (cachedResource->type()) {
case CachedResource::CSSStyleSheet:
- *result = static_cast<CachedCSSStyleSheet*>(cachedResource)->sheetText(false);
+ *result = toCachedCSSStyleSheet(cachedResource)->sheetText(false);
return true;
case CachedResource::Script:
- *result = static_cast<CachedScript*>(cachedResource)->script();
+ *result = toCachedScript(cachedResource)->script();
return true;
case CachedResource::RawResource: {
ResourceBuffer* buffer = cachedResource->resourceBuffer();
Modified: trunk/Source/WebCore/inspector/InspectorResourceAgent.cpp (163241 => 163242)
--- trunk/Source/WebCore/inspector/InspectorResourceAgent.cpp 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/inspector/InspectorResourceAgent.cpp 2014-02-01 16:32:11 UTC (rev 163242)
@@ -334,7 +334,7 @@
m_resourcesData->resourceCreated(requestId, loaderId);
m_resourcesData->addCachedResource(requestId, resource);
if (resource->type() == CachedResource::RawResource) {
- CachedRawResource* rawResource = static_cast<CachedRawResource*>(resource);
+ CachedRawResource* rawResource = toCachedRawResource(resource);
String rawRequestId = IdentifiersFactory::requestId(rawResource->identifier());
m_resourcesData->reuseXHRReplayData(requestId, rawRequestId);
}
Modified: trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -67,6 +67,8 @@
RefPtr<StyleSheetContents> m_parsedStyleSheetCache;
};
+CACHED_RESOURCE_TYPE_CASTS(CachedCSSStyleSheet, CachedResource, CachedResource::CSSStyleSheet)
+
}
#endif
Modified: trunk/Source/WebCore/loader/cache/CachedFont.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedFont.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedFont.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -78,6 +78,8 @@
friend class MemoryCache;
};
+CACHED_RESOURCE_TYPE_CASTS(CachedFont, CachedResource, CachedResource::FontResource)
+
} // namespace WebCore
#endif // CachedFont_h
Modified: trunk/Source/WebCore/loader/cache/CachedImage.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedImage.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedImage.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -149,7 +149,7 @@
// FIXME: We should look to incorporate the functionality of CachedImageManual
// into CachedImage or find a better place for this class.
// FIXME: Remove the USE(CF) once we make MemoryCache::addImageToCache() platform-independent.
-class CachedImageManual : public CachedImage {
+class CachedImageManual final : public CachedImage {
public:
CachedImageManual(const URL&, Image*);
void addFakeClient() { addClient(m_fakeClient.get()); }
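Review bot: The commit title promises checked casts for all CachedResource subclasses, yet this file gains only the `final` on CachedImageManual and no cast helper, and the ChangeLog entry for CachedImage.h does not say why. If a toCachedImage() already exists from an earlier change, one sentence in the ChangeLog saying so, and what `final` is meant to guarantee here, would spare the next reader a search; if it does not, the title overstates what the patch covers. The rest of the CachedImageManual class lies outside the hunk.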
Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.cpp (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedRawResource.cpp 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.cpp 2014-02-01 16:32:11 UTC (rev 163242)
@@ -39,6 +39,8 @@
: CachedResource(resourceRequest, type)
, m_identifier(0)
{
+ // FIXME: The wrong CachedResource::Type here may cause a bad cast elsewhere.
+ ASSERT(isMainOrRawResource());
}
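Review bot: The new `ASSERT(isMainOrRawResource())` is a plain debug assertion, so in a release build a caller passing any other `type` still obtains a CachedRawResource and the scenario the FIXME warns about becomes reachable; the constructor's signature is above the hunk. Since the comment itself frames this as a potential security issue, the project's `ASSERT_WITH_SECURITY_IMPLICATION(isMainOrRawResource())` would be the more consistent choice if it is available in this file, matching the intent of the checked casts the patch adds elsewhere. The FIXME would also read better if it named the actual hazard, e.g. `// FIXME: A CachedRawResource constructed with any other type() would satisfy a different subclass's checked cast, turning the object into a type confusion.`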
const char* CachedRawResource::calculateIncrementalDataChunk(ResourceBuffer* data, unsigned& incrementalDataLength)
@@ -181,7 +183,7 @@
ASSERT(m_loader);
// If we're in the middle of a successful revalidation, responseReceived() hasn't been called, so we haven't set m_identifier.
ASSERT(!m_identifier);
- static_cast<CachedRawResource*>(resourceToRevalidate())->m_identifier = m_loader->identifier();
+ toCachedRawResource(resourceToRevalidate())->m_identifier = m_loader->identifier();
CachedResource::switchClientsToRevalidatedResource();
}
Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedRawResource.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -88,6 +88,8 @@
Vector<RedirectPair> m_redirectChain;
};
+TYPE_CASTS_BASE(CachedRawResource, CachedResource, resource, resource->isMainOrRawResource(), resource.isMainOrRawResource())
+
}
#endif // CachedRawResource_h
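Review bot: The hand-expanded `TYPE_CASTS_BASE` here, unlike the `CACHED_RESOURCE_TYPE_CASTS` used in every other header of this patch, carries no comment explaining the deviation, so a later cleanup could "normalize" it to the single-type macro and silently reject the MainResource case that requestMainResource() depends on. A one-line comment above the macro would pin the reason: `// CachedRawResource backs both MainResource and RawResource, so the single-type cast macro cannot be used; see CachedResource::isMainOrRawResource().`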
Modified: trunk/Source/WebCore/loader/cache/CachedResource.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedResource.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedResource.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -156,6 +156,8 @@
SubresourceLoader* loader() { return m_loader.get(); }
bool isImage() const { return type() == ImageResource; }
+ // FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
+ bool isMainOrRawResource() const { return type() == MainResource || type() == RawResource; }
bool ignoreForRequestCount() const
{
return type() == MainResource
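Review bot: The comment above isMainOrRawResource() is tagged FIXME but describes a standing design fact rather than work to be done, which will mislead FIXME triage later. Rewording it as a plain explanation, e.g. `// CachedRawResource is used for both MainResource and RawResource, so a type check for it must accept either; used by toCachedRawResource().`, keeps the information and drops the false action item. The enclosing CachedResource class starts and ends outside the hunk.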
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2014-02-01 16:32:11 UTC (rev 163242)
@@ -165,19 +165,19 @@
CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourceRequest& request)
{
- return static_cast<CachedFont*>(requestResource(CachedResource::FontResource, request).get());
+ return toCachedFont(requestResource(CachedResource::FontResource, request).get());
}
#if ENABLE(VIDEO_TRACK)
CachedResourceHandle<CachedTextTrack> CachedResourceLoader::requestTextTrack(CachedResourceRequest& request)
{
- return static_cast<CachedTextTrack*>(requestResource(CachedResource::TextTrackResource, request).get());
+ return toCachedTextTrack(requestResource(CachedResource::TextTrackResource, request).get());
}
#endif
CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestCSSStyleSheet(CachedResourceRequest& request)
{
- return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSSStyleSheet, request).get());
+ return toCachedCSSStyleSheet(requestResource(CachedResource::CSSStyleSheet, request).get());
}
CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSStyleSheet(CachedResourceRequest& request)
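Review bot: Every request*() function in this hunk (requestFont, requestTextTrack, requestCSSStyleSheet) and in the later hunks of this file (requestScript, requestXSLStyleSheet, requestSVGDocument, requestRawResource, requestMainResource) now feeds `requestResource(...).get()` straight into a to*() helper, and requestResource() presumably can return an empty handle when a load is refused, so the cast helpers must tolerate a null pointer without tripping their check. The cast macros are defined outside this patch, so whether their pointer overload is null-tolerant cannot be confirmed from the hunk; it is worth verifying before landing, since otherwise a blocked load would surface as an assertion failure instead of a null handle. A short comment at the first call site, `// requestResource() may return an empty handle; the checked cast must accept null.`, would record that assumption for readers.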
@@ -190,7 +190,7 @@
if (CachedResource* existing = memoryCache()->resourceForRequest(request.resourceRequest())) {
if (existing->type() == CachedResource::CSSStyleSheet)
- return static_cast<CachedCSSStyleSheet*>(existing);
+ return toCachedCSSStyleSheet(existing);
memoryCache()->remove(existing);
}
if (url.string() != request.resourceRequest().url())
@@ -208,20 +208,20 @@
CachedResourceHandle<CachedScript> CachedResourceLoader::requestScript(CachedResourceRequest& request)
{
- return static_cast<CachedScript*>(requestResource(CachedResource::Script, request).get());
+ return toCachedScript(requestResource(CachedResource::Script, request).get());
}
#if ENABLE(XSLT)
CachedResourceHandle<CachedXSLStyleSheet> CachedResourceLoader::requestXSLStyleSheet(CachedResourceRequest& request)
{
- return static_cast<CachedXSLStyleSheet*>(requestResource(CachedResource::XSLStyleSheet, request).get());
+ return toCachedXSLStyleSheet(requestResource(CachedResource::XSLStyleSheet, request).get());
}
#endif
#if ENABLE(SVG)
CachedResourceHandle<CachedSVGDocument> CachedResourceLoader::requestSVGDocument(CachedResourceRequest& request)
{
- return static_cast<CachedSVGDocument*>(requestResource(CachedResource::SVGDocumentResource, request).get());
+ return toCachedSVGDocument(requestResource(CachedResource::SVGDocumentResource, request).get());
}
#endif
@@ -236,12 +236,12 @@
CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestRawResource(CachedResourceRequest& request)
{
- return static_cast<CachedRawResource*>(requestResource(CachedResource::RawResource, request).get());
+ return toCachedRawResource(requestResource(CachedResource::RawResource, request).get());
}
CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestMainResource(CachedResourceRequest& request)
{
- return static_cast<CachedRawResource*>(requestResource(CachedResource::MainResource, request).get());
+ return toCachedRawResource(requestResource(CachedResource::MainResource, request).get());
}
bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const URL& url) const
Modified: trunk/Source/WebCore/loader/cache/CachedSVGDocument.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedSVGDocument.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedSVGDocument.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -49,6 +49,8 @@
virtual void finishLoading(ResourceBuffer*) override;
};
+CACHED_RESOURCE_TYPE_CASTS(CachedSVGDocument, CachedResource, CachedResource::SVGDocumentResource)
+
} // namespace WebCore
#endif // USE(SVG)
Modified: trunk/Source/WebCore/loader/cache/CachedScript.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedScript.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedScript.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -61,6 +61,9 @@
String m_script;
RefPtr<TextResourceDecoder> m_decoder;
};
+
+CACHED_RESOURCE_TYPE_CASTS(CachedScript, CachedResource, CachedResource::Script)
+
}
#endif
Modified: trunk/Source/WebCore/loader/cache/CachedTextTrack.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedTextTrack.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedTextTrack.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -44,6 +44,8 @@
virtual void finishLoading(ResourceBuffer*) override;
};
+CACHED_RESOURCE_TYPE_CASTS(CachedTextTrack, CachedResource, CachedResource::TextTrackResource)
+
}
#endif
Modified: trunk/Source/WebCore/loader/cache/CachedXSLStyleSheet.h (163241 => 163242)
--- trunk/Source/WebCore/loader/cache/CachedXSLStyleSheet.h 2014-02-01 15:30:41 UTC (rev 163241)
+++ trunk/Source/WebCore/loader/cache/CachedXSLStyleSheet.h 2014-02-01 16:32:11 UTC (rev 163242)
@@ -57,6 +57,8 @@
virtual void finishLoading(ResourceBuffer*) override;
};
+CACHED_RESOURCE_TYPE_CASTS(CachedXSLStyleSheet, CachedResource, CachedResource::XSLStyleSheet)
+
#endif
}