26868 2009-06-30 15:28:53 -0700 EventConstructor is being shared between documents 2012-05-10 08:15:58 -0700 1 1 1 Unclassified Security Security 525.x (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://gf3.ca/safari_scope/ InRadar P2 Major --- 1 gianni webkit-security-unassigned abarth ddkilzer eric gianni mjs sam yong.li.webkit oldest_to_newest 129195 0 gianni 2009-06-30 15:28:53 -0700 It seems as if the EventConstructor object is being shared between document scopes, which leads to conflicts when dealing with cross-frame events. Reproduce --------- Compare the Event object between parent and child documents. I've created a test case in the URL attached. There are three assert statements, the assert on the Event object fails in Safari 4. Weirdly enough, if you retrieve the objects via eval on each of the contexts, they return the expected results (thanks to tfluehr for noticing that one). Actual Results ----------- Both references are, in fact, the same object. Expected Results ------------- Each reference should refer to a different object relating to the scope of the document. 129202 1 abarth 2009-06-30 15:54:48 -0700 This sounds like it might be exploitable. We need a better testing plan for finding these kinds of bugs. 142942 2 ddkilzer 2009-08-26 13:02:50 -0700 <rdar://problem/7172579> 143038 3 abarth 2009-08-26 20:40:40 -0700 I bet Eric fixed this as part of his grand cleanup of wrapper constructors. 145457 4 sam 2009-09-08 11:09:10 -0700 The test case is no longer reachable. Can you upload one to the bug if this still manifests? 145577 5 gianni 2009-09-08 15:58:59 -0700 Sorry about that, moved it to a new server. Updated URL. 145578 6 39224 gianni 2009-09-08 16:08:24 -0700 Created attachment 39224 Test case - Outer document 145579 7 39225 gianni 2009-09-08 16:09:20 -0700 Created attachment 39225 Test case - Inner document 145628 8 sam 2009-09-08 18:58:28 -0700 This seems to be fixed in the latest nightlies. 145779 9 ddkilzer 2009-09-09 08:50:21 -0700 (In reply to comment #8) > This seems to be fixed in the latest nightlies. This was fixed by r46068: <http://trac.webkit.org/changeset/46068> That means this bug is a duplicate of Bug 27276, but I'm hesitant to dupe it since this would provide some potentially unwanted information disclosure. 39224 2009-09-08 16:08:24 -0700 2009-09-08 16:08:24 -0700 Test case - Outer document url.txt text/plain 37 gianni aHR0cDovL2dmMy5jYS9zYWZhcmlfc2NvcGUvaW5kZXguaHRtbA== 39225 2009-09-08 16:09:20 -0700 2009-09-08 16:09:20 -0700 Test case - Inner document url.txt text/plain 37 gianni aHR0cDovL2dmMy5jYS9zYWZhcmlfc2NvcGUvaW5uZXIuaHRtbA==