2009-09-08 Adam Barth <abarth@webkit.org>

author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)

committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog

index c2516c4994365bf6c1c93c528da1f79fd2258ef2..a5daba7381acf91081480b4879cd6ae22a90dfc9 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2009-09-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Missing checkout for getSVGDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=29064
+
+        Add tests that getSVGDocument() has the proper checks.
+
+        * http/tests/security/resources/flag.php: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-iframe.html: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt: Added.
+        * http/tests/security/xss-DENIED-getSVGDocument-object.html: Added.
+
  2009-09-09  Cameron McCormack  <cam@mcc.id.au>
  
          Reviewed by Eric Seidel.
diff --git a/LayoutTests/http/tests/security/resources/empty-svg.php b/LayoutTests/http/tests/security/resources/empty-svg.php

new file mode 100644 (file)

index 0000000..55c7765
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/empty-svg.php
@@ -0,0 +1,4 @@
+<?php\r
+header("Content-Type: image/svg+xml");\r
+?>\r
+<svg xmlns="http://www.w3.org/2000/svg"></svg>\r
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt

new file mode 100644 (file)

index 0000000..fbec124
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/empty-svg.php from frame with URL http://127.0.0.1:8000/security/xss-DENIED-getSVGDocument-iframe.html. Domains, protocols and ports must match.
+
+
+PASS
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html

new file mode 100644 (file)

index 0000000..bcca5be
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+function runTest() {
+    var svgDoc = document.getElementById("svgobject").getSVGDocument();
+    document.getElementById("output").innerHTML =
+            svgDoc ? "FAIL got SVGDocument: " + svgDoc : "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+<iframe onload="runTest()"
+        id="svgobject" src="http://localhost:8080/security/resources/empty-svg.php"
+        width="400" height="300"></iframe> 
+<div id="output"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt

new file mode 100644 (file)

index 0000000..15588aa
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/empty-svg.php from frame with URL http://127.0.0.1:8000/security/xss-DENIED-getSVGDocument-object.html. Domains, protocols and ports must match.
+
+
+PASS
diff --git a/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html

new file mode 100644 (file)

index 0000000..f2cbd41
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+function runTest() {
+    var svgDoc = document.getElementById("svgobject").getSVGDocument();
+    document.getElementById("output").innerHTML =
+            svgDoc ? "FAIL got SVGDocument: " + svgDoc : "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+<object onload="runTest()"
+        id="svgobject" data="http://localhost:8080/security/resources/empty-svg.php"
+        type="image/svg+xml" width="400" height="300"></object> 
+<div id="output"></div>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog

index 5a2d16f06fc01a799694b9e89fe183f1904f5d51..2e5a19e36a82d90c47452c5c67104494954a8f74 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2009-09-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Missing checkout for getSVGDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=29064
+
+        The V8 code generator didn't understand SVGCheckSecurityDocument.
+
+        Tests: http/tests/security/xss-DENIED-getSVGDocument-iframe.html
+               http/tests/security/xss-DENIED-getSVGDocument-object.html
+
+        * bindings/scripts/CodeGeneratorV8.pm:
+
  2009-09-09  Cameron McCormack  <cam@mcc.id.au>
  
          Reviewed by Eric Seidel.
diff --git a/WebCore/bindings/scripts/CodeGeneratorV8.pm b/WebCore/bindings/scripts/CodeGeneratorV8.pm

index 0f33ca409fb5444fbba874fb14754eaa34e8d120..f03d6b6d718c09dd6fcff91aca56eb1bd9012e90 100644 (file)
--- a/WebCore/bindings/scripts/CodeGeneratorV8.pm
+++ b/WebCore/bindings/scripts/CodeGeneratorV8.pm
@@ -862,6 +862,11 @@ END
          push(@implContentDecls, "    ScriptCallStack callStack(args, $numParameters);\n");
          $implIncludes{"ScriptCallStack.h"} = 1;
      }
+    if ($function->signature->extendedAttributes->{"SVGCheckSecurityDocument"}) {
+        push(@implContentDecls,
+"    if (!V8Proxy::checkNodeSecurity(imp->getSVGDocument(ec)))\n" .
+"      return v8::Undefined();\n");
+    }
  
      my $paramIndex = 0;
      foreach my $parameter (@{$function->parameters}) {
author	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
committer	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Thu, 10 Sep 2009 02:54:32 +0000 (02:54 +0000)
LayoutTests/ChangeLog		patch \| blob \| history
LayoutTests/http/tests/security/resources/empty-svg.php	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-iframe.html	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/security/xss-DENIED-getSVGDocument-object.html	[new file with mode: 0644]	patch \| blob
WebCore/ChangeLog		patch \| blob \| history
WebCore/bindings/scripts/CodeGeneratorV8.pm		patch \| blob \| history