16848 2008-01-11 18:19:54 -0800 SecurityOrigin::copy does not copy m_domainWasSetInDOM 2008-04-26 19:01:42 -0700 1 1 1 Unclassified WebKit Platform 528+ (Nightly build) PC OS X 10.4 RESOLVED FIXED P2 Normal --- 1 abarth webkit-unassigned beidson collinj mjs sam oldest_to_newest 66986 0 abarth 2008-01-11 18:19:54 -0800 The new SecurityOrigin::copy method does not copy m_domainWasSetInDOM when making a copy of the security origin. This does not appear to be exploitable currently, but could lead to two classes of bugs: 1) A document sets its document.domain and then tries to access an object that uses a copy() of its SecurityOrigin. It can not access the document because that document's origin has forgotten that it had set its domain property. 2) A malicious document from foo.example.com could set its document.domain property to example.com, then transfer control to an object that uses a copy() of its security origin. Once there, it could script example.com. The copy() method also does not copy m_noAccess, which could lead to similar attacks using data: URLs. 66988 1 18402 abarth 2008-01-11 18:21:22 -0800 Created attachment 18402 Fixes SecurityOrigin::copy method to copy the security origin This patch fixes the SecurityOrigin::copy method to copy the security origin. 66991 2 18402 darin 2008-01-11 18:35:05 -0800 Comment on attachment 18402 Fixes SecurityOrigin::copy method to copy the security origin r=me 67143 3 18402 darin 2008-01-13 12:22:47 -0800 Comment on attachment 18402 Fixes SecurityOrigin::copy method to copy the security origin After further scrutiny, there's another aspect of this patch that I'm not sure about. This removes the copy() calls on the protocol and host. Under normal circumstances, copy() is not needed to copy a WebCore::String, but if we intend to use the string on another thread, we do need a copy(). I'm not sure it's safe to remove the copy() here, because I suspect that the caller does use this on another thread. We either need to prove those copies aren't needed, or create a new version of this patch that retains the calls to copy(). 67261 4 18450 abarth 2008-01-14 17:16:02 -0800 Created attachment 18450 Makes SecurityOriing::copy make a deep copy of SecurityOrigin Here's an updated version of the patch that makes a deep copy. I don't know if the SecurityOrigin::copy method is needed, but it's probably a good idea to actually have it make a copy or remove it. 79014 5 sam 2008-04-26 19:01:42 -0700 Fixed in r32597. 18402 2008-01-11 18:21:22 -0800 2008-01-14 17:16:02 -0800 Fixes SecurityOrigin::copy method to copy the security origin security-origin-copy.patch text/plain 2071 abarth SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAyOTQyMikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTQgQEAKKzIwMDgtMDEtMTEgIEFkYW0gQmFydGggIDxoazk1NjVAZ21haWwuY29t PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZpeGVk IFNlY3VyaXR5T3JpZ2luOjpjb3B5IHRvIGNvcHkgc2VjdXJpdHkgb3JpZ2luLgorCisgICAgICAg ICogcGxhdGZvcm0vU2VjdXJpdHlPcmlnaW4uY3BwOgorICAgICAgICAoV2ViQ29yZTo6U2VjdXJp dHlPcmlnaW46OlNlY3VyaXR5T3JpZ2luKToKKyAgICAgICAgKFdlYkNvcmU6OlNlY3VyaXR5T3Jp Z2luOjpjb3B5KToKKyAgICAgICAgKiBwbGF0Zm9ybS9TZWN1cml0eU9yaWdpbi5oOgorCiAyMDA4 LTAxLTExICBDaHJpc3RpYW4gRHl3YW4gIDxjaHJpc3RpYW5AaW1lbmRpby5jb20+CiAKICAgICAg ICAgUmV2aWV3ZWQgYnkgQWxwIFRva2VyLgpJbmRleDogV2ViQ29yZS9wbGF0Zm9ybS9TZWN1cml0 eU9yaWdpbi5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wbGF0Zm9ybS9TZWN1cml0eU9yaWdp bi5jcHAJKHJldmlzaW9uIDI5NDIyKQorKysgV2ViQ29yZS9wbGF0Zm9ybS9TZWN1cml0eU9yaWdp bi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTU1LDYgKzU1LDE2IEBAIFNlY3VyaXR5T3JpZ2luOjpT ZWN1cml0eU9yaWdpbihjb25zdCBTdHIKICAgICAgICAgbV9ub0FjY2VzcyA9IHRydWU7CiB9CiAK K1NlY3VyaXR5T3JpZ2luOjpTZWN1cml0eU9yaWdpbihjb25zdCBTZWN1cml0eU9yaWdpbiYgb3Ro ZXIpCisgICAgOiBtX3Byb3RvY29sKG90aGVyLm1fcHJvdG9jb2wpCisgICAgLCBtX2hvc3Qob3Ro ZXIubV9ob3N0KQorICAgICwgbV9wb3J0KG90aGVyLm1fcG9ydCkKKyAgICAsIG1fcG9ydFNldChv dGhlci5tX3BvcnRTZXQpCisgICAgLCBtX25vQWNjZXNzKG90aGVyLm1fbm9BY2Nlc3MpCisgICAg LCBtX2RvbWFpbldhc1NldEluRE9NKG90aGVyLm1fZG9tYWluV2FzU2V0SW5ET00pCit7Cit9CisK IGJvb2wgU2VjdXJpdHlPcmlnaW46OmlzRW1wdHkoKSBjb25zdAogewogICAgIHJldHVybiBtX3By b3RvY29sLmlzRW1wdHkoKTsKQEAgLTk1LDEwICsxMDUsOSBAQCBQYXNzUmVmUHRyPFNlY3VyaXR5 T3JpZ2luPiBTZWN1cml0eU9yaWdpCiAKIFBhc3NSZWZQdHI8U2VjdXJpdHlPcmlnaW4+IFNlY3Vy aXR5T3JpZ2luOjpjb3B5KCkKIHsKLSAgICByZXR1cm4gY3JlYXRlKG1fcHJvdG9jb2wuY29weSgp LCBtX2hvc3QuY29weSgpLCBtX3BvcnQsIDApOworICAgIHJldHVybiBuZXcgU2VjdXJpdHlPcmln aW4oKnRoaXMpOwogfQogCi0KIHZvaWQgU2VjdXJpdHlPcmlnaW46OnNldERvbWFpbkZyb21ET00o Y29uc3QgU3RyaW5nJiBuZXdEb21haW4pCiB7CiAgICAgbV9kb21haW5XYXNTZXRJbkRPTSA9IHRy dWU7CkluZGV4OiBXZWJDb3JlL3BsYXRmb3JtL1NlY3VyaXR5T3JpZ2luLmgKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gV2ViQ29yZS9wbGF0Zm9ybS9TZWN1cml0eU9yaWdpbi5oCShyZXZpc2lvbiAyOTQyMikKKysr IFdlYkNvcmUvcGxhdGZvcm0vU2VjdXJpdHlPcmlnaW4uaAkod29ya2luZyBjb3B5KQpAQCAtNjUs NiArNjUsNyBAQCBuYW1lc3BhY2UgV2ViQ29yZSB7CiAgICAgICAgIAogICAgIHByaXZhdGU6CiAg ICAgICAgIFNlY3VyaXR5T3JpZ2luKGNvbnN0IFN0cmluZyYgcHJvdG9jb2wsIGNvbnN0IFN0cmlu ZyYgaG9zdCwgdW5zaWduZWQgc2hvcnQgcG9ydCk7CisgICAgICAgIFNlY3VyaXR5T3JpZ2luKGNv bnN0IFNlY3VyaXR5T3JpZ2luJik7CiAKICAgICAgICAgU3RyaW5nIG1fcHJvdG9jb2w7CiAgICAg ICAgIFN0cmluZyBtX2hvc3Q7Cg== 18450 2008-01-14 17:16:02 -0800 2008-01-14 17:16:02 -0800 Makes SecurityOriing::copy make a deep copy of SecurityOrigin origin-copy-2007-01-14.patch text/plain 2052 abarth SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAyOTQ4MSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTQgQEAKKzIwMDgtMDEtMTQgIEFkYW0gQmFydGggIDxoazk1NjVAZ21haWwuY29t PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZpeGVk IFNlY3VyaXR5T3JpZ2luOjpjb3B5IHRvIGNvcHkgc2VjdXJpdHkgb3JpZ2luLgorCisgICAgICAg ICogcGxhdGZvcm0vU2VjdXJpdHlPcmlnaW4uY3BwOgorICAgICAgICAoV2ViQ29yZTo6U2VjdXJp dHlPcmlnaW46OlNlY3VyaXR5T3JpZ2luKToKKyAgICAgICAgKFdlYkNvcmU6OlNlY3VyaXR5T3Jp Z2luOjpjb3B5KToKKyAgICAgICAgKiBwbGF0Zm9ybS9TZWN1cml0eU9yaWdpbi5oOgorCiAyMDA4 LTAxLTE0ICBEYXJpbiBBZGxlciAgPGRhcmluQGFwcGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdl ZCBieSBTYW0uCkluZGV4OiBXZWJDb3JlL3BsYXRmb3JtL1NlY3VyaXR5T3JpZ2luLmNwcAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBXZWJDb3JlL3BsYXRmb3JtL1NlY3VyaXR5T3JpZ2luLmNwcAkocmV2aXNpb24g Mjk0ODEpCisrKyBXZWJDb3JlL3BsYXRmb3JtL1NlY3VyaXR5T3JpZ2luLmNwcAkod29ya2luZyBj b3B5KQpAQCAtNzYsNiArNzYsMTYgQEAgU2VjdXJpdHlPcmlnaW46OlNlY3VyaXR5T3JpZ2luKGNv bnN0IFN0cgogICAgIH0gICAKIH0KIAorU2VjdXJpdHlPcmlnaW46OlNlY3VyaXR5T3JpZ2luKGNv bnN0IFNlY3VyaXR5T3JpZ2luJiBvdGhlcikKKyAgICA6IG1fcHJvdG9jb2wob3RoZXIubV9wcm90 b2NvbC5jb3B5KCkpCisgICAgLCBtX2hvc3Qob3RoZXIubV9ob3N0LmNvcHkoKSkKKyAgICAsIG1f cG9ydChvdGhlci5tX3BvcnQpCisgICAgLCBtX3BvcnRTZXQob3RoZXIubV9wb3J0U2V0KQorICAg ICwgbV9ub0FjY2VzcyhvdGhlci5tX25vQWNjZXNzKQorICAgICwgbV9kb21haW5XYXNTZXRJbkRP TShvdGhlci5tX2RvbWFpbldhc1NldEluRE9NKQoreworfQorCiBib29sIFNlY3VyaXR5T3JpZ2lu Ojppc0VtcHR5KCkgY29uc3QKIHsKICAgICByZXR1cm4gbV9wcm90b2NvbC5pc0VtcHR5KCk7CkBA IC0xMTYsMTAgKzEyNiw5IEBAIFBhc3NSZWZQdHI8U2VjdXJpdHlPcmlnaW4+IFNlY3VyaXR5T3Jp Z2kKIAogUGFzc1JlZlB0cjxTZWN1cml0eU9yaWdpbj4gU2VjdXJpdHlPcmlnaW46OmNvcHkoKQog ewotICAgIHJldHVybiBjcmVhdGUobV9wcm90b2NvbC5jb3B5KCksIG1faG9zdC5jb3B5KCksIG1f cG9ydCwgMCk7CisgICAgcmV0dXJuIG5ldyBTZWN1cml0eU9yaWdpbigqdGhpcyk7CiB9CiAKLQog dm9pZCBTZWN1cml0eU9yaWdpbjo6c2V0RG9tYWluRnJvbURPTShjb25zdCBTdHJpbmcmIG5ld0Rv bWFpbikKIHsKICAgICBtX2RvbWFpbldhc1NldEluRE9NID0gdHJ1ZTsKSW5kZXg6IFdlYkNvcmUv cGxhdGZvcm0vU2VjdXJpdHlPcmlnaW4uaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3BsYXRmb3Jt L1NlY3VyaXR5T3JpZ2luLmgJKHJldmlzaW9uIDI5NDgxKQorKysgV2ViQ29yZS9wbGF0Zm9ybS9T ZWN1cml0eU9yaWdpbi5oCSh3b3JraW5nIGNvcHkpCkBAIC02NSw2ICs2NSw3IEBAIG5hbWVzcGFj ZSBXZWJDb3JlIHsKICAgICAgICAgCiAgICAgcHJpdmF0ZToKICAgICAgICAgU2VjdXJpdHlPcmln aW4oY29uc3QgU3RyaW5nJiBwcm90b2NvbCwgY29uc3QgU3RyaW5nJiBob3N0LCB1bnNpZ25lZCBz aG9ydCBwb3J0KTsKKyAgICAgICAgU2VjdXJpdHlPcmlnaW4oY29uc3QgU2VjdXJpdHlPcmlnaW4m KTsKIAogICAgICAgICBTdHJpbmcgbV9wcm90b2NvbDsKICAgICAgICAgU3RyaW5nIG1faG9zdDsK