Bug 18689
Field | Value | Field | Value
---|---|---|---
Summary | Reproducible crash when writing a document into itself | |
Product | WebKit | Reporter | Mark Piper <mark.piper>
Component | DOM | Assignee | WebKit Security Group <webkit-security-unassigned>
Status | RESOLVED DUPLICATE | |
Severity | Major | CC | abarth, ap, christopher.reiss, mark.piper, sam
Priority | P1 | Keywords | InRadar
Version | 312.x | |
Hardware | All | |
OS | OS X 10.5 | |
Mark Piper
The following script appears to crash any WebKit-based browser when provided in an HTML file or delivered via an XSS etc. Additional abstract behaviour can be observed by placing a large HTML payload after the body tag.
--- begin script ---
```javascript
document.writeln(window.document.body.innerHTML);
```
--- end script ---
--- begin html file ---
```html
<body>
AAAAAAAA
<!-- the body's innerHTML contains this script, so writing it back re-runs the script -->
<script> document.writeln(window.document.body.innerHTML);</script>
</body>
```
--- end html file ---
Mark Rowe (bdash)
<rdar://problem/5888128>
Alexey Proskuryakov
Reproducible crash -> P1.
chris reiss
This appears to have the same root cause as https://bugs.webkit.org/show_bug.cgi?id=15123 - there is no recursion check in WebCore::Document::write().
I'll have a patch for 15123 soon, suggest marking this bug as duplicate.
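To make the diagnosis above concrete, here is an added toy model (not WebKit's code) of a parser whose write path runs scripts synchronously, fed the reporter's test case: without a limit it recurses until the JavaScript stack is exhausted (the model's stand-in for the crash), while a recursion check of the kind the comment says Document::write lacked cuts the nesting off. The ToyDocument class, the load() helper and the maxDepth parameter are constructed for this example and do not reflect the real fix's implementation or limit.

```javascript
// Toy model of the recursion in this bug (added example, not WebKit code).
// A real HTML parser runs <script> synchronously; a script that calls
// document.writeln(document.body.innerHTML) writes markup that contains the
// same script, so the parser runs it again, with nothing to stop the nesting.

// Constructed copy of the reporter's test case.
const PAGE =
  '<body>\nAAAAAAAA\n' +
  '<script> document.writeln(window.document.body.innerHTML);</script>\n' +
  '</body>';

class ToyDocument {
  // maxDepth: nested write() calls allowed before a write is refused.
  // Infinity models the unguarded behaviour described in the bug.
  constructor(maxDepth) {
    this.maxDepth = maxDepth;
    this.depth = 0;      // currently active nested writes
    this.writes = 0;     // writes that were carried out
    this.refused = 0;    // writes stopped by the depth check
    this.output = '';    // markup the parser has emitted so far
  }

  // Approximation of body.innerHTML: the body's source markup. Simplified so
  // the model grows linearly instead of copying an ever-larger body per level.
  bodyInnerHTML() {
    return PAGE.replace(/^<body>\n/, '').replace(/\n<\/body>$/, '');
  }

  // Parse markup and execute the first <script> it contains synchronously.
  parse(markup) {
    const m = /<script>([\s\S]*?)<\/script>/.exec(markup);
    if (!m) { this.output += markup; return; }
    this.output += markup.slice(0, m.index);
    if (m[1].includes('document.writeln(')) this.writeln(this.bodyInnerHTML());
    this.output += markup.slice(m.index + m[0].length);
  }

  writeln(text) {
    if (this.depth >= this.maxDepth) { this.refused++; return false; }
    this.depth++;
    this.writes++;
    try { this.parse(text + '\n'); } finally { this.depth--; }
    return true;
  }
}

// Load the page; returns the document plus the error if parsing blew up.
function load(markup, maxDepth) {
  const doc = new ToyDocument(maxDepth);
  try { doc.parse(markup); } catch (e) { return { doc, error: e }; }
  return { doc, error: null };
}
```

Running load(PAGE, Infinity) ends in a RangeError from stack exhaustion, whereas load(PAGE, 10) completes with exactly one refused write and the depth counter back at zero.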
chris reiss
This bug is closed by http://trac.webkit.org/changeset/77333
Adam Barth
*** This bug has been marked as a duplicate of bug 15123 ***