Block SVG external references pending a security review
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Oct 2012 21:23:10 +0000 (21:23 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Oct 2012 21:23:10 +0000 (21:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=100635

Reviewed by Eric Seidel.

Source/WebCore:

We need to do a security review of loading external SVG references
before we're sure that it is safe.

* css/StyleResolver.cpp:
(WebCore::StyleResolver::createFilterOperations):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):

Source/WTF:

We need to do a security review of loading external SVG references
before we're sure that it is safe.

* wtf/Platform.h:

LayoutTests:

Skip tests that depend on external SVG references.

* platform/chromium/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@132849 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/chromium/TestExpectations
Source/WTF/ChangeLog
Source/WTF/wtf/Platform.h
Source/WebCore/ChangeLog
Source/WebCore/css/StyleResolver.cpp
Source/WebCore/loader/cache/CachedResourceLoader.cpp

index b80b507..5531601 100644 (file)
@@ -1,3 +1,14 @@
+2012-10-29  Adam Barth  <abarth@webkit.org>
+
+        Block SVG external references pending a security review
+        https://bugs.webkit.org/show_bug.cgi?id=100635
+
+        Reviewed by Eric Seidel.
+
+        Skip tests that depend on external SVG references.
+
+        * platform/chromium/TestExpectations:
+
 2012-10-29  Chris Rogers  <crogers@google.com>
 
         Unreviewed rebaseline of webaudio/audiobuffersource-loop-points
index 6b18bff..b5549e7 100644 (file)
@@ -1354,9 +1354,6 @@ webkit.org/b/84230 svg/as-image/img-preserveAspectRatio-support-1.html [ ImageOn
 
 webkit.org/b/84719 [ Win ] svg/text/select-text-svgfont.html [ Failure Pass ]
 
-webkit.org/b/84854 [ Android Linux ] svg/batik/text/textOnPath.svg [ ImageOnlyFailure Pass ]
-webkit.org/b/84854 [ Android Linux ] svg/batik/text/verticalTextOnPath.svg [ ImageOnlyFailure Pass ]
-
 webkit.org/b/85107 svg/as-image/svg-as-relative-image-with-explicit-size.html [ ImageOnlyFailure Pass ]
 webkit.org/b/85107 svg/as-image/animated-svg-as-image.html [ ImageOnlyFailure Pass ]
 
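Review bot: the two removed webkit.org/b/84854 lines for svg/batik/text/textOnPath.svg and svg/batik/text/verticalTextOnPath.svg recorded an existing [ Android Linux ] flake under a separate bug. Once these tests are listed only under webkit.org/b/100635, that bug link is gone, and whoever deletes the 100635 block after the security review has nothing telling them to restore it. Consider recording the earlier bug in a comment next to the new entries.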
@@ -2134,8 +2131,6 @@ crbug.com/40680 fast/media/media-query-list-05.html
 crbug.com/40680 fast/media/media-query-list-06.html
 crbug.com/40680 fast/media/media-query-list-07.html
 
-crbug.com/117597 svg/batik/filters/feTile.svg [ ImageOnlyFailure ] 
-
 # Caused by http://trac.webkit.org/changeset/56394.
 crbug.com/143475 [ Win ] http/tests/xmlhttprequest/xmlhttprequest-50ms-download-dispatch.html [ Failure Pass Timeout ]
 
@@ -3902,6 +3897,41 @@ crbug.com/152953 [ Mac ] platform/chromium/virtual/softwarecompositing/scrollbar
 crbug.com/152953 [ Mac Win ] platform/chromium/virtual/softwarecompositing/absolute-position-changed-with-composited-parent-layer.html [ Skip ]
 crbug.com/152953 [ Win ] platform/chromium/virtual/softwarecompositing/iframes/composited-iframe-alignment.html [ ImageOnlyFailure ]
 
+# These tests disabled pending a security review of external SVG references.
+webkit.org/b/100635 css3/filters/effect-reference-external.html [ ImageOnlyFailure ]
+webkit.org/b/100635 svg/W3C-SVG-1.2-Tiny/struct-use-recursion-02-t.svg [ Failure ]
+webkit.org/b/100635 svg/W3C-SVG-1.2-Tiny/struct-use-recursion-03-t.svg [ Failure ]
+webkit.org/b/100635 svg/batik/filters/feTile.svg [ Failure ImageOnlyFailure ]
+webkit.org/b/100635 svg/batik/filters/filterRegions.svg [ Failure ]
+webkit.org/b/100635 svg/batik/masking/maskRegions.svg [ Failure ]
+webkit.org/b/100635 svg/batik/paints/patternPreserveAspectRatioA.svg [ Failure ]
+webkit.org/b/100635 svg/batik/paints/patternRegionA.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/longTextOnPath.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/smallFonts.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textAnchor.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textDecoration.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textEffect2.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textFeatures.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textLayout.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textLayout2.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textLength.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textOnPath.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textOnPathSpaces.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textPosition.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textPosition2.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textProperties.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textProperties2.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/textStyles.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/verticalText.svg [ Failure ]
+webkit.org/b/100635 svg/batik/text/verticalTextOnPath.svg [ Failure ]
+webkit.org/b/100635 svg/custom/use-extern-href.svg [ Failure ]
+webkit.org/b/100635 svg/custom/use-referencing-indirectly-itself.svg [ ImageOnlyFailure ]
+webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-dom-href1-attr.html [ Timeout ]
+webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-dom-href2-attr.html [ Timeout ]
+webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-svgdom-href1-prop.html [ Timeout ]
+webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-svgdom-href2-prop.html [ Timeout ]
+webkit.org/b/100635 svg/hixie/error/014.xml [ Failure ]
+webkit.org/b/100635 svg/hixie/use/002.xml [ Failure ]
 
 # Render surfaces do not draw anything in the software compositor.
 crbug.com/150010 platform/chromium/virtual/softwarecompositing/culling/filter-occlusion-alpha-large.html [ ImageOnlyFailure ]
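Review bot: the header comment says these tests are disabled and the ChangeLog says they are skipped, but every entry added here is an expectation ([ Failure ], [ ImageOnlyFailure ], [ Timeout ]), so the tests still run. The four svg/dynamic-updates/SVGUseElement-* entries marked [ Timeout ] will run to the timeout on every pass; [ Skip ] would fit those better, or the comment should say the tests are expected to fail. The svg/batik/filters/feTile.svg entry also replaces the crbug.com/117597 expectation removed earlier in this file, so that bug is worth mentioning here so it can be restored later.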
index 2000cc2..4331d79 100644 (file)
@@ -1,3 +1,15 @@
+2012-10-29  Adam Barth  <abarth@webkit.org>
+
+        Block SVG external references pending a security review
+        https://bugs.webkit.org/show_bug.cgi?id=100635
+
+        Reviewed by Eric Seidel.
+
+        We need to do a security review of loading external SVG references
+        before we're sure that it is safe.
+
+        * wtf/Platform.h:
+
 2012-10-29  Michael Saboff  <msaboff@apple.com>
 
         String::split(UChar, Vector<String>&) shouldn't create a temporary String
index c4e5ad3..403fdf2 100644 (file)
 #define ENABLE_TEXT_NOTIFICATIONS_ONLY 1
 #endif
 
+#if !defined(ENABLE_EXTERNAL_SVG_REFERENCES) && !PLATFORM(CHROMIUM)
+#define ENABLE_EXTERNAL_SVG_REFERENCES 1
+#endif
+
 #if !defined(WTF_USE_ZLIB) && !PLATFORM(QT)
 #define WTF_USE_ZLIB 1
 #endif
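Review bot: the new ENABLE_EXTERNAL_SVG_REFERENCES block has no comment saying why PLATFORM(CHROMIUM) is excluded. The carve-out is meant to be temporary, so a one-line comment pointing at webkit.org/b/100635 would make sure it is removed once the review is done. Also check the flag name against its consumer: the guard added to CachedResourceLoader::canRequest in this patch tests ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES), not this flag.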
index e936dc1..21a996e 100644 (file)
@@ -1,3 +1,18 @@
+2012-10-29  Adam Barth  <abarth@webkit.org>
+
+        Block SVG external references pending a security review
+        https://bugs.webkit.org/show_bug.cgi?id=100635
+
+        Reviewed by Eric Seidel.
+
+        We need to do a security review of loading external SVG references
+        before we're sure that it is safe.
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::createFilterOperations):
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest):
+
 2012-10-29  Joshua Bell  <jsbell@chromium.org>
 
         IndexedDB: Crash on checking version of corrupt backing store
index 03d12d2..e140eab 100644 (file)
@@ -4933,7 +4933,7 @@ bool StyleResolver::createFilterOperations(CSSValue* inValue, RenderStyle* style
             if (SVGURIReference::isExternalURIReference(svgDocumentValue->url(), m_element->document())) {
                 if (!svgDocumentValue->loadRequested())
                     m_pendingSVGDocuments.set(operation.get(), svgDocumentValue);
-                else
+                else if (svgDocumentValue->cachedSVGDocument())
                     operation->setData(adoptPtr(new CachedSVGDocumentReference(svgDocumentValue->cachedSVGDocument())));
             }
             operations.operations().append(operation);
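Review bot: the new else if (svgDocumentValue->cachedSVGDocument()) branch has no comment explaining how a load can have been requested and still have no document, which after this patch is presumably the case where canRequest refuses the SVGDocumentResource. In that case the operation is still appended by operations.operations().append(operation) with no data set, so please confirm that the filter code consuming these operations tolerates a reference operation without a CachedSVGDocumentReference, and add a comment naming the blocked-load case.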
index 1565c6c..db012bc 100644 (file)
@@ -306,6 +306,11 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
         return 0;
     }
 
+#if ENABLE(SVG) && !ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES)
+    if (type == CachedResource::SVGDocumentResource)
+        return false;
+#endif
+
     // Some types of resources can be loaded only from the same origin.  Other
     // types of resources, like Images, Scripts, and CSS, can be loaded from
     // any URL.
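Review bot: the guard #if ENABLE(SVG) && !ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES) tests a flag that nothing in this patch defines; Platform.h adds ENABLE_EXTERNAL_SVG_REFERENCES instead. With the flag undefined, !ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES) is true, so SVGDocumentResource requests are refused on every port built with SVG, not only Chromium. The condition should probably read !ENABLE(EXTERNAL_SVG_REFERENCES). The early return is also silent, so a short comment referencing webkit.org/b/100635 above it would help anyone debugging a missing external reference.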