Modified: trunk/LayoutTests/ChangeLog (190587 => 190588)
--- trunk/LayoutTests/ChangeLog 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/LayoutTests/ChangeLog 2015-10-05 23:28:20 UTC (rev 190588)
@@ -1,3 +1,15 @@
+2015-10-05 Jiewen Tan <[email protected]>
+
+ Fix null pointer dereference in WebSocket::connect()
+ https://bugs.webkit.org/show_bug.cgi?id=149311
+ <rdar://problem/22748858>
+
+ Reviewed by Chris Dumez.
+
+ * http/tests/websocket/construct-in-detached-frame-expected.txt: Added.
+ * http/tests/websocket/construct-in-detached-frame.html: Added.
+ * http/tests/websocket/resources/construct-in-detached-frame.html: Added.
+
2015-10-05 Alexey Proskuryakov <[email protected]>
Revert LayoutTests parts of r190579, which were incorrect.
Added: trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame-expected.txt (0 => 190588)
--- trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame-expected.txt 2015-10-05 23:28:20 UTC (rev 190588)
@@ -0,0 +1,9 @@
+Construct a WebSocket in a detached frame. The test passes if there is no crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame.html (0 => 190588)
--- trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/construct-in-detached-frame.html 2015-10-05 23:28:20 UTC (rev 190588)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<script src=""
+<script>
+ description('Construct a WebSocket in a detached frame. The test passes if there is no crash.');
+
+ window.jsTestIsAsync = true;
+
+ function detachIframe()
+ {
+ var testIframe = document.getElementById('testIframe');
+ testIframe.parentNode.remove(testIframe);
+ }
+
+ function done()
+ {
+ finishJSTest();
+ }
+</script>
+<iframe src="" id="testIframe"></iframe>
+<script src=""
\ No newline at end of file
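Review bot: `testIframe.parentNode.remove(testIframe);` in `detachIframe` calls `ChildNode.remove()`, which takes no argument and removes the parent node (here the document body) rather than the iframe, so the frame is only detached as a side effect of its ancestor going away. The intended call is `testIframe.parentNode.removeChild(testIframe);` (or simply `testIframe.remove();`), which detaches exactly the frame under test and leaves the rest of the document, including the harness script that follows, in place. The `src` attributes on the two harness `<script>` tags render as empty in this diff view, presumably a display artifact; confirm they point at the js-test harness that provides `description` and `finishJSTest`.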
Added: trunk/LayoutTests/http/tests/websocket/resources/construct-in-detached-frame.html (0 => 190588)
--- trunk/LayoutTests/http/tests/websocket/resources/construct-in-detached-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/resources/construct-in-detached-frame.html 2015-10-05 23:28:20 UTC (rev 190588)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script>
+var parentWindow = parent;
+var webSocketClass = WebSocket;
+
+parentWindow.detachIframe();
+try {
+ new webSocketClass('ws://127.0.0.1/');
+} catch (e) {
+ parentWindow.console.log(e.message);
+}
+parentWindow.done();
+</script>
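Review bot: The script captures `parent` and `WebSocket` into `parentWindow` and `webSocketClass` before calling `parentWindow.detachIframe()`, which is the whole point of the setup, yet nothing says why; a comment on those two lines such as `// Grab the parent window and the constructor now: this frame is about to be detached.` would stop a reader from "simplifying" them away. The pass criterion is also only "no crash": the `catch` forwards `e.message` to the parent console and the expected output carries no console line, so the constructor is implicitly expected not to throw in the detached state. Stating that in the test, e.g. `parentWindow.testPassed('WebSocket constructed in detached frame');` after the `new` and `parentWindow.testFailed(e.message);` in the catch, documents the expected outcome in the test itself instead of relying on the absence of a console line in the expectations.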
Modified: trunk/Source/WebCore/ChangeLog (190587 => 190588)
--- trunk/Source/WebCore/ChangeLog 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/ChangeLog 2015-10-05 23:28:20 UTC (rev 190588)
@@ -1,3 +1,32 @@
+2015-10-05 Jiewen Tan <[email protected]>
+
+ Fix null pointer dereference in WebSocket::connect()
+ https://bugs.webkit.org/show_bug.cgi?id=149311
+ <rdar://problem/22748858>
+
+ Reviewed by Chris Dumez.
+
+ This is a merge of Blink r187441,
+ https://codereview.chromium.org/785933005
+
+ Test: http/tests/websocket/construct-in-detached-frame.html
+
+ * Modules/websockets/WebSocket.cpp:
+ (WebCore::WebSocket::connect):
+ Call function implemented below instead of duplicating the code.
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy):
+ * page/ContentSecurityPolicy.h:
+ Factor the logic to check shouldBypassMainWorldContentSecurityPolicy into
+ a function in this class. Check Frame pointers are not null before getting
+ shouldBypassMainWorldContentSecurityPolicy via those pointers.
+ * page/EventSource.cpp:
+ (WebCore::EventSource::create):
+ This got fixed as a bonus.
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::open):
+ This got fixed as a bonus too.
+
2015-10-05 Beth Dakin <[email protected]>
WebCore::IOSurface should ask the IOSurface for the pixel format instead of
Modified: trunk/Source/WebCore/Modules/websockets/WebSocket.cpp (190587 => 190588)
--- trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2015-10-05 23:28:20 UTC (rev 190588)
@@ -238,11 +238,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = false;
- if (is<Document>(*scriptExecutionContext())) {
- Document& document = downcast<Document>(*scriptExecutionContext());
- shouldBypassMainWorldContentSecurityPolicy = document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
- }
+ bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, shouldBypassMainWorldContentSecurityPolicy)) {
m_state = CLOSED;
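Review bot: The local introduced at `bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());` has the same name as the helper it is initialised from and is read exactly once on the next line; inlining the call into the `allowConnectToSource` argument, or naming the local for what it holds (e.g. `bypassMainWorldCSP`), would read better. The same pattern appears in the EventSource.cpp and XMLHttpRequest.cpp hunks of this change. `WebSocket::connect` begins and ends outside this hunk.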
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (190587 => 190588)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2015-10-05 23:28:20 UTC (rev 190588)
@@ -37,6 +37,7 @@
#include "PingLoader.h"
#include "RuntimeEnabledFeatures.h"
#include "SchemeRegistry.h"
+#include "ScriptController.h"
#include "ScriptState.h"
#include "SecurityOrigin.h"
#include "SecurityPolicyViolationEvent.h"
@@ -1780,4 +1781,14 @@
#endif
}
+bool ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext& context)
+{
+ if (is<Document>(context)) {
+ auto& document = downcast<Document>(context);
+ return document.frame() && document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
+ }
+
+ return false;
}
+
+}
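Review bot: The new `ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy` returns `false` when `document.frame()` is null, so a Document without a Frame (the detached-frame case the new layout test covers) falls back to enforcing the main-world policy; that is the right fail-closed default, but neither this body nor the header declaration says it is deliberate. A comment above the `return` line, e.g. `// No frame (e.g. detached document): never bypass; enforce the main-world policy.`, would keep a later cleanup from restoring the original unguarded dereference. Minor: `document.frame()` is evaluated twice on that line; `if (auto* frame = document.frame()) return frame->script().shouldBypassMainWorldContentSecurityPolicy();` reads the pointer once and makes the null case explicit.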
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (190587 => 190588)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2015-10-05 23:28:20 UTC (rev 190588)
@@ -130,6 +130,7 @@
String evalDisabledErrorMessage() const;
bool experimentalFeaturesEnabled() const;
+ static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
private:
void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
Modified: trunk/Source/WebCore/page/EventSource.cpp (190587 => 190588)
--- trunk/Source/WebCore/page/EventSource.cpp 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/page/EventSource.cpp 2015-10-05 23:28:20 UTC (rev 190588)
@@ -85,11 +85,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = false;
- if (is<Document>(context)) {
- Document& document = downcast<Document>(context);
- shouldBypassMainWorldContentSecurityPolicy = document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
- }
+ bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(context);
if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, shouldBypassMainWorldContentSecurityPolicy)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (190587 => 190588)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2015-10-05 23:17:42 UTC (rev 190587)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2015-10-05 23:28:20 UTC (rev 190588)
@@ -499,12 +499,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = false;
- if (is<Document>(*scriptExecutionContext())) {
- Document& document = downcast<Document>(*scriptExecutionContext());
- if (document.frame())
- shouldBypassMainWorldContentSecurityPolicy = document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
- }
+ bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, shouldBypassMainWorldContentSecurityPolicy)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;