Bug 15811

Summary: WebKit plug-ins can re-enter WebKit under attach()
Product: WebKit Reporter: mitz
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Severity: Normal CC: andersca, bdakin
Priority: P2 Keywords: InRadar
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4

Description mitz 2007-11-02 21:14:24 PDT
[This is a follow-up to bug 15405 regarding the general case]

HTMLObjectElement::attach() calls RenderPartObject::updateWidget() which lets WebKit plugins execute arbitrary code, potentially re-entering WebKit.

I think at some point the protection against creating widgets when updateWidget() is called by attach() applied to WebKit plug-ins, but later it was restricted to Netscape plug-ins.
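The hazard the description names, as an added example that is not WebKit's code: a simplified attach() that creates the plug-in widget in place, beside one that queues widget creation until the outermost attach() has returned. Every name here (Element, attachUnsafe, attachDeferred, the callback queue) is constructed for illustration.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Simplified model of the attach() path the bug describes. Every name
// here is constructed for illustration; none is WebKit's own API.
struct Element {
    bool needsWidget = false;            // an <object> that loads a plug-in
    bool attached = false;
    std::vector<Element*> children;
};

static int s_attachDepth = 0;            // > 0 while some attach() is on the stack
static int s_depthSeenByPlugin = -1;     // what the "plug-in" observed when it ran
static std::vector<std::function<void()>> s_postAttachCallbacks;

// Stand-in for plug-in code run when the widget is created; real plug-in
// code could re-enter the engine, this one just records when it ran.
static void createWidgetAndRunPlugin() { s_depthSeenByPlugin = s_attachDepth; }

// Unsafe pattern: the widget is created inside attach(), so plug-in code
// runs with the tree only partially attached (returns the depth it saw).
int attachUnsafe(Element& e) {
    ++s_attachDepth;
    e.attached = true;
    if (e.needsWidget)
        createWidgetAndRunPlugin();
    for (Element* child : e.children)
        attachUnsafe(*child);
    --s_attachDepth;
    return s_depthSeenByPlugin;
}

// Deferred pattern: widget creation is queued and flushed only when the
// outermost attach() returns, so the plug-in never runs mid-attach (returns 0).
int attachDeferred(Element& e) {
    ++s_attachDepth;
    e.attached = true;
    if (e.needsWidget)
        s_postAttachCallbacks.push_back(createWidgetAndRunPlugin);
    for (Element* child : e.children)
        attachDeferred(*child);
    if (--s_attachDepth == 0) {
        auto pending = std::move(s_postAttachCallbacks);
        s_postAttachCallbacks.clear();   // moved-from state is unspecified; make it empty
        for (auto& callback : pending)
            callback();
    }
    return s_depthSeenByPlugin;
}
```

With a child <object> under a root, the unsafe version reports the plug-in running at depth 2, the deferred version at depth 0 with the whole subtree already attached.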
Comment 1 mitz 2007-11-02 21:17:35 PDT
Comment 2 mitz 2007-11-22 22:05:12 PST
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27982>.