Bug 15811 - WebKit plug-ins can re-enter WebKit under attach()
Summary: WebKit plug-ins can re-enter WebKit under attach()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2007-11-02 21:14 PDT by mitz
Modified: 2007-11-22 22:05 PST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description mitz 2007-11-02 21:14:24 PDT
[This is a follow-up to bug 15405 regarding the general case]

HTMLObjectElement::attach() calls RenderPartObject::updateWidget() which lets WebKit plugins execute arbitrary code, potentially re-entering WebKit.

I think at some point the protection against creating widgets when updateWidget() is called by attach() applied to WebKit plug-ins, but later it was restricted to Netscape plug-ins.
Comment 1 mitz 2007-11-02 21:17:35 PDT
<rdar://problem/5577978>
Comment 2 mitz 2007-11-22 22:05:12 PST
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27982>.