Bug 15811

Summary: WebKit plug-ins can re-enter WebKit under attach()
Product: WebKit Reporter: mitz
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, bdakin
Priority: P2 Keywords: InRadar
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   

mitz
Reported 2007-11-02 21:14:24 PDT
[This is a follow-up to bug 15405 regarding the general case] HTMLObjectElement::attach() calls RenderPartObject::updateWidget() which lets WebKit plugins execute arbitrary code, potentially re-entering WebKit. I think at some point the protection against creating widgets when updateWidget() is called by attach() applied to WebKit plug-ins, but later it was restricted to Netscape plug-ins.
Attachments
Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2007-11-02 21:17:35 PDT
<rdar://problem/5577978>
mitz
Comment 2 2007-11-22 22:05:12 PST
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27982>.
Note You need to log in before you can comment on or make changes to this bug.