Bug 192997

Summary: Potential infinite recursion in isFrameFamiliarWith(Frame&, Frame&)
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: beidson, cdumez, commit-queue, ews-watchlist, ggaren, koivisto, rniwa, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Chris Dumez
Reported 2018-12-21 14:45:06 PST
Potential infinite recursion in isFrameFamiliarWith(Frame&, Frame&) when there is an opener cycle.
Attachments
Patch (8.26 KB, patch)
2018-12-21 15:01 PST, Chris Dumez
no flags
Archive of layout-test-results from ews101 for mac-sierra (2.68 MB, application/zip)
2018-12-21 15:56 PST, EWS Watchlist
no flags
Patch (8.34 KB, patch)
2018-12-21 16:01 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2018-12-21 14:45:23 PST
Chris Dumez
Comment 2 2018-12-21 15:01:39 PST
EWS Watchlist
Comment 3 2018-12-21 15:56:13 PST
Comment on attachment 357986 [details] Patch
Attachment 357986 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10512473
New failing tests:
http/tests/security/frameNavigation/not-opener.html
EWS Watchlist
Comment 4 2018-12-21 15:56:15 PST
Created attachment 357996 [details]
Archive of layout-test-results from ews101 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101
Port: mac-sierra
Platform: Mac OS X 10.12.6
Chris Dumez
Comment 5 2018-12-21 16:01:36 PST
Chris Dumez
Comment 6 2019-01-02 09:00:57 PST
Comment on attachment 357998 [details] Patch
ping review?
Antti Koivisto
Comment 7 2019-01-03 05:25:46 PST
Comment on attachment 357998 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=357998&action=review

> Source/WebCore/ChangeLog:17
> + To address the issue, simplify isFrameFamiliarWith() so that it is no longer recursive. We now
> + only check if the frames belong to the same pages or if their openers do. We no longer check
> + openers' opener and up.
> +
> + Note that this function is used to check if a frame is allowed to target another. In practice,
> + it is unlikely to be useful to navigate an opener's opener and an openee's openee.

Could this behaviour change break something? Why can't we just do simple cycle detection?
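Review bot: "if their openers do" in the quoted ChangeLog does not say which pairings the non-recursive check now covers (frame A's opener against frame B, frame B's opener against frame A, the two openers against each other) or how a frame with no opener is treated, so a reader cannot tell from the ChangeLog alone how much stricter the new check is than the walk it replaces. Spelling out the exact pairings, and noting that the check stays symmetric in its two arguments, would let the compatibility question be judged without opening the code.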
Chris Dumez
Comment 8 2019-01-03 08:36:46 PST
Comment on attachment 357998 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=357998&action=review

>> Source/WebCore/ChangeLog:17
>> + it is unlikely to be useful to navigate an opener's opener and an openee's openee.
>
> Could this behaviour change break something? Why can't we just do simple cycle detection?

The whole isFrameFamiliarWith() restriction is something I added very recently (not shipped yet) and yes, it could break something, but we believe it is unlikely and the security benefits are worth the risks. This patch does make isFrameFamiliarWith() a bit stricter, which could add some compatibility risk, but as I mentioned in the changelog I do not think it will matter. I'd rather go with the simple / efficient implementation and only go with something more complex (e.g. cycle detection) if it turns out to be an issue.
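The trade-off discussed in comments 7 and 8, as an added stand-alone C++ example (not WebKit's code, and none of the names below are WebKit identifiers): a toy model of pages and frames with an opener link, a hypothetical model of the pre-fix recursive walk that fails to terminate when a frame in an opener cycle is checked against an unrelated frame (a depth budget is added purely so the example returns), the one-level check the ChangeLog describes, and the visited-set walk that comment 7 suggests as the alternative. The sample scenario is constructed for the example; the pairings chosen for the one-level check are an assumption about the landed code, read from the ChangeLog text rather than from the patch itself.

```cpp
#include <cstdio>
#include <unordered_set>

// Added example, not WebKit code: a toy model of pages, frames and the opener
// link, used to show the termination problem and the two candidate fixes.
struct Page { int id; };

struct Frame {
    const Page* page = nullptr;
    const Frame* opener = nullptr;  // frame that opened this one, if any
};

// Hypothetical model of the pre-fix shape: recurse over both opener chains.
// The depth budget is not part of the modelled check; it exists only so the
// example returns and reports exhaustion instead of overflowing the stack.
static bool familiarRecursive(const Frame& a, const Frame& b, unsigned depthLeft, bool& exhausted)
{
    if (!depthLeft) { exhausted = true; return false; }
    if (a.page == b.page)
        return true;
    if (a.opener && familiarRecursive(*a.opener, b, depthLeft - 1, exhausted))
        return true;
    return b.opener && familiarRecursive(a, *b.opener, depthLeft - 1, exhausted);
}

// True when the recursive walk ran out of budget, i.e. did not terminate on its own.
bool recursiveWalkDiverges(const Frame& a, const Frame& b)
{
    bool exhausted = false;
    familiarRecursive(a, b, 64, exhausted);
    return exhausted;
}

static bool samePage(const Frame* a, const Frame* b) { return a && b && a->page == b->page; }

// Model of the landed simplification: same page, or an opener relationship at
// most one level deep. Nothing here walks a chain, so no cycle can loop it.
bool isFrameFamiliarWith(const Frame& a, const Frame& b)
{
    return samePage(&a, &b)
        || samePage(a.opener, &b)        // a was opened from b's page
        || samePage(&a, b.opener)        // b was opened from a's page
        || samePage(a.opener, b.opener); // both opened from the same page
}

// Pages reachable from `start` by following opener links; the visited set ends
// the walk when an opener cycle leads back to a frame already seen.
static std::unordered_set<const Page*> openerChainPages(const Frame& start)
{
    std::unordered_set<const Page*> pages;
    std::unordered_set<const Frame*> visited;
    for (const Frame* f = &start; f && visited.insert(f).second; f = f->opener)
        pages.insert(f->page);
    return pages;
}

// Model of the alternative raised in comment 7: keep the transitive check (some
// frame in a's chain shares a page with some frame in b's chain) but cycle-safe.
bool isFrameFamiliarWithCycleSafe(const Frame& a, const Frame& b)
{
    const auto pagesA = openerChainPages(a);
    for (const Page* p : openerChainPages(b)) {
        if (pagesA.count(p))
            return true;
    }
    return false;
}

// Constructed sample, not taken from the bug report: a and b opened each other
// (the opener cycle), c is unrelated, d was opened from a, and e from d.
struct Scenario {
    Page page1{1}, page2{2}, page3{3}, page4{4};
    Frame a, b, c, d, e;
    Scenario()
    {
        a.page = &page1; b.page = &page2; c.page = &page3; d.page = &page3; e.page = &page4;
        a.opener = &b; b.opener = &a;  // the cycle
        d.opener = &a; e.opener = &d;
    }
    Scenario(const Scenario&) = delete;  // members point at each other; never copy
};

const Scenario& sampleScenario()
{
    static Scenario s;
    return s;
}

int main()
{
    const Scenario& s = sampleScenario();
    std::printf("recursive walk a vs c diverges: %d\n", (int)recursiveWalkDiverges(s.a, s.c));
    std::printf("landed check e vs a: %d, cycle-safe e vs a: %d\n",
                (int)isFrameFamiliarWith(s.e, s.a), (int)isFrameFamiliarWithCycleSafe(s.e, s.a));
    return 0;
}
```

The e-versus-a pair is the behaviour difference Antti asks about: e's opener chain reaches a only through d (an opener's opener), so the one-level check rejects it while the cycle-safe transitive walk accepts it. The cycle-safe variant costs two small hash sets per call and keeps the old semantics; the landed one-level check is O(1) and strictly narrower, which is the trade-off comment 8 chooses.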
WebKit Commit Bot
Comment 9 2019-01-03 15:26:04 PST
Comment on attachment 357998 [details] Patch
Clearing flags on attachment: 357998
Committed r239600: <https://trac.webkit.org/changeset/239600>
WebKit Commit Bot
Comment 10 2019-01-03 15:26:06 PST
All reviewed patches have been landed. Closing bug.