2009-09-08 Adam Barth <abarth@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
        Reviewed by Eric Seidel.

        Missing checkout for getSVGDocument()
        https://bugs.webkit.org/show_bug.cgi?id=29064

        The V8 code generator didn't understand SVGCheckSecurityDocument.

        Tests: http/tests/security/xss-DENIED-getSVGDocument-iframe.html
               http/tests/security/xss-DENIED-getSVGDocument-object.html

        * bindings/scripts/CodeGeneratorV8.pm:
2009-09-08  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Missing checkout for getSVGDocument()
        https://bugs.webkit.org/show_bug.cgi?id=29064

        Add tests that getSVGDocument() has the proper checks.

        * http/tests/security/resources/flag.php: Added.
        * http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt: Added.
        * http/tests/security/xss-DENIED-getSVGDocument-iframe.html: Added.
        * http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt: Added.
        * http/tests/security/xss-DENIED-getSVGDocument-object.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@48240 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/empty-svg.php [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/bindings/scripts/CodeGeneratorV8.pm

index c2516c4994365bf6c1c93c528da1f79fd2258ef2..a5daba7381acf91081480b4879cd6ae22a90dfc9 100644 (file)
@@ -1,3 +1,18 @@
+2009-09-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Missing checkout for getSVGDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=29064
+
+        Add tests that getSVGDocument() has the proper checks.
+
+        * http/tests/security/resources/flag.php: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-iframe.html: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-object.html: Added.
+
 2009-09-09  Cameron McCormack  <cam@mcc.id.au>
 
         Reviewed by Eric Seidel.
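Review bot: The file list in this entry names http/tests/security/resources/flag.php as added, but the commit adds LayoutTests/http/tests/security/resources/empty-svg.php and no flag.php. Update that line to name the file that is actually added. The title "Missing checkout for getSVGDocument()" also reads as if "Missing check" was intended.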
diff --git a/LayoutTests/http/tests/security/resources/empty-svg.php b/LayoutTests/http/tests/security/resources/empty-svg.php
new file mode 100644 (file)
index 0000000..55c7765
--- /dev/null
@@ -0,0 +1,4 @@
+<?php\r
+header("Content-Type: image/svg+xml");\r
+?>\r
+<svg xmlns="http://www.w3.org/2000/svg"></svg>\r
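Review bot: Every line of empty-svg.php ends in a carriage return (shown as \r), so the new file is being checked in with CRLF line endings while the other files added in this commit use LF. Convert it to LF before landing so later diffs against this file stay clean.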
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt
new file mode 100644 (file)
index 0000000..fbec124
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/empty-svg.php from frame with URL http://127.0.0.1:8000/security/xss-DENIED-getSVGDocument-iframe.html. Domains, protocols and ports must match.
+
+
+PASS
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html
new file mode 100644 (file)
index 0000000..bcca5be
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+function runTest() {
+    var svgDoc = document.getElementById("svgobject").getSVGDocument();
+    document.getElementById("output").innerHTML =
+            svgDoc ? "FAIL got SVGDocument: " + svgDoc : "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+<iframe onload="runTest()"
+        id="svgobject" src="http://localhost:8080/security/resources/empty-svg.php"
+        width="400" height="300"></iframe> 
+<div id="output"></div>
+</body>
+</html>
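Review bot: In runTest(), notifyDone() is only reached if getSVGDocument() returns normally. Because the test has called waitUntilDone(), a thrown exception would end in a timeout rather than a FAIL line. Wrap the call in try/catch and call notifyDone() on both paths so that outcome is reported explicitly. The iframe also carries id="svgobject", which is misleading in the iframe variant, and there is a trailing space after </iframe>.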
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt
new file mode 100644 (file)
index 0000000..15588aa
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/empty-svg.php from frame with URL http://127.0.0.1:8000/security/xss-DENIED-getSVGDocument-object.html. Domains, protocols and ports must match.
+
+
+PASS
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html
new file mode 100644 (file)
index 0000000..f2cbd41
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+function runTest() {
+    var svgDoc = document.getElementById("svgobject").getSVGDocument();
+    document.getElementById("output").innerHTML =
+            svgDoc ? "FAIL got SVGDocument: " + svgDoc : "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+<object onload="runTest()"
+        id="svgobject" data="http://localhost:8080/security/resources/empty-svg.php"
+        type="image/svg+xml" width="400" height="300"></object> 
+<div id="output"></div>
+</body>
+</html>
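Review bot: The script block here is identical to the one in xss-DENIED-getSVGDocument-iframe.html; only the embedding element differs. Moving runTest() into a shared script under resources/ would keep the two tests from drifting apart. There is also a trailing space after </object>.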
index 5a2d16f06fc01a799694b9e89fe183f1904f5d51..2e5a19e36a82d90c47452c5c67104494954a8f74 100644 (file)
@@ -1,3 +1,17 @@
+2009-09-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Missing checkout for getSVGDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=29064
+
+        The V8 code generator didn't understand SVGCheckSecurityDocument.
+
+        Tests: http/tests/security/xss-DENIED-getSVGDocument-iframe.html
+               http/tests/security/xss-DENIED-getSVGDocument-object.html
+
+        * bindings/scripts/CodeGeneratorV8.pm:
+
 2009-09-09  Cameron McCormack  <cam@mcc.id.au>
 
         Reviewed by Eric Seidel.
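Review bot: The per-file line "* bindings/scripts/CodeGeneratorV8.pm:" is left without a description. State what the generator now emits for functions marked SVGCheckSecurityDocument, since "didn't understand" does not tell a later reader that the V8 bindings were missing the security check the new xss-DENIED tests cover.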
index 0f33ca409fb5444fbba874fb14754eaa34e8d120..f03d6b6d718c09dd6fcff91aca56eb1bd9012e90 100644 (file)
@@ -862,6 +862,11 @@ END
         push(@implContentDecls, "    ScriptCallStack callStack(args, $numParameters);\n");
         $implIncludes{"ScriptCallStack.h"} = 1;
     }
+    if ($function->signature->extendedAttributes->{"SVGCheckSecurityDocument"}) {
+        push(@implContentDecls,
+"    if (!V8Proxy::checkNodeSecurity(imp->getSVGDocument(ec)))\n" .
+"      return v8::Undefined();\n");
+    }
 
     my $paramIndex = 0;
     foreach my $parameter (@{$function->parameters}) {
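Review bot: The emitted check calls imp->getSVGDocument(ec), but nothing in this hunk declares ec or limits the check to functions that raise exceptions, so please confirm ec is always in scope where an SVGCheckSecurityDocument function is generated. The call is also hard-coded to getSVGDocument() although the attribute is tested generically on $function, and unlike the ScriptCallStack block just above, no entry is added to %implIncludes for V8Proxy. The generated "return v8::Undefined();" line is indented six spaces where the surrounding generated code uses multiples of four.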