- fixed <rdar://problem/
4059323> local-file security check is allowing plug-in streams, but must not
* Plugins.subproj/WebNetscapePluginStream.m:
(-[WebNetscapePluginStream initWithRequest:pluginPointer:notifyData:sendNotification:]):
Roll out change I made on 3-13. That change is needed for subresource, but not for plug-in streams.
For plug-in streams it's too risky, and leaves a serious security hole open.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@8934
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2005-03-19 Darin Adler <darin@apple.com>
+
+ Reviewed by Maciej (a while back).
+
+ - fixed <rdar://problem/4059323> local-file security check is allowing plug-in streams, but must not
+
+ * Plugins.subproj/WebNetscapePluginStream.m:
+ (-[WebNetscapePluginStream initWithRequest:pluginPointer:notifyData:sendNotification:]):
+ Roll out change I made on 3-13. That change is needed for subresource, but not for plug-in streams.
+ For plug-in streams it's too risky, and leaves a serious security hole open.
+
2005-03-19 Darin Adler <darin@apple.com>
Reviewed by Ken and John.
2005-03-19 Darin Adler <darin@apple.com>
Reviewed by Ken and John.
WebBaseNetscapePluginView *view = (WebBaseNetscapePluginView *)thePluginPointer->ndata;
WebBridge *bridge = [[view webFrame] _bridge];
WebBaseNetscapePluginView *view = (WebBaseNetscapePluginView *)thePluginPointer->ndata;
WebBridge *bridge = [[view webFrame] _bridge];
-
- // Since this is a subresource, we can load any URL (we ignore the return value).
- // But we still want to know whether we should hide the referrer or not, so we call the canLoadURL method.
- [bridge canLoadURL:[theRequest URL] fromReferrer:[bridge referrer] hideReferrer:&hideReferrer];
+ if (![bridge canLoadURL:[theRequest URL] fromReferrer:[bridge referrer] hideReferrer:&hideReferrer])
+ return nil;
if ([self initWithRequestURL:[theRequest URL]
pluginPointer:thePluginPointer
if ([self initWithRequestURL:[theRequest URL]
pluginPointer:thePluginPointer
git://git.webkit.org / WebKit-https.git / commitdiff