Bug 196525 (CVE-2019-8615)

Summary: Remove support for -apple-trailing-word
Product: WebKit
Reporter: Myles C. Maxfield <mmaxfield>
Component: New Bugs
Assignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bfulgham, commit-queue, rniwa, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 234672
Attachments: Patch (flags: none)

Description Myles C. Maxfield 2019-04-02 20:39:19 PDT
Remove support for -apple-trailing-word
Comment 1 Myles C. Maxfield 2019-04-02 20:43:04 PDT
Created attachment 366573 [details]
Patch
Comment 2 zalan 2019-04-03 07:28:16 PDT
Comment on attachment 366573 [details]
Patch

Yay, InlineIteratorHistory tricked me a few times in the past.
Comment 3 WebKit Commit Bot 2019-04-03 12:48:04 PDT
Comment on attachment 366573 [details]
Patch

Clearing flags on attachment: 366573

Committed r243819: <https://trac.webkit.org/changeset/243819>
Comment 4 WebKit Commit Bot 2019-04-03 12:48:05 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2019-04-03 12:49:17 PDT
<rdar://problem/49569237>
Comment 6 Ryosuke Niwa 2019-04-03 12:55:24 PDT
This seems to break Safari detection in https://github.com/cssinjs/css-vendor/blob/41ccf9503d283ee63dd5432595f8902b34f5c2a8/src/prefix.js
Comment 7 Ryosuke Niwa 2019-04-03 12:59:19 PDT
Another example of CSS which uses this CSS property to work around a bug in Safari:
https://github.com/StackExchange/Stacks/blob/d3a876faf07a13666e6b83220c94ae6a68a58c16/lib/css/components/_stacks-spinner.less
Comment 8 Myles C. Maxfield 2019-04-03 13:22:15 PDT
I wonder if I can make pull requests to those repositories, or at least open issues.
Comment 9 Myles C. Maxfield 2019-04-03 13:23:01 PDT
By the way, things like this are exactly why we should never have exposed this property to the Web in the first place.
Comment 10 Simon Fraser (smfr) 2019-04-03 13:26:14 PDT
I already opened issues.
Comment 11 Simon Fraser (smfr) 2019-04-03 13:29:04 PDT
Comment on attachment 366573 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366573&action=review

> Source/WebCore/css/CSSProperties.json:-6968
> -        "-apple-trailing-word": {
> -            "inherited": true,
> -            "values": [
> -                "auto",
> -                "-webkit-partially-balanced"
> -            ],
> -            "codegen-properties": {
> -                "name-for-methods": "TrailingWord",
> -                "enable-if": "ENABLE_CSS_TRAILING_WORD"
> -            },
> -            "status": "non-standard"
> -        },
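
Review bot: The "enable-if" line is the only place in this hunk that names ENABLE_CSS_TRAILING_WORD, and the "values" list is the only place that names "-webkit-partially-balanced"; with the whole entry deleted, confirm that the build flag and the value keyword have no remaining users and remove them in the same patch, so neither is left defined with nothing referencing it. Deleting the entry outright also means "-apple-trailing-word" is no longer a known property name at all, so stylesheets and scripts that test for it will see a different result; the ChangeLog should state that this is intended.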

This should have left the property, but marked it "removed" with code-gen disabled.