Bug 21044

Summary: JSEventTarget* classes assume each listener is a JSEventListener
Product: WebKit
Reporter: Nikolas Zimmermann <zimmermann>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, eric, sam
Priority: P1
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5

Nikolas Zimmermann
Reported 2008-09-23 16:22:46 PDT
As the summary says, the JSEventTargetNode::getListener function blindly casts an EventListener object to a JSEventListener. This will fail if, i.e., it's actually an ObjCEventListener. The getListener/setListener functions of the JSEventTarget* classes are only used when calling someElement.onclick = '...' or someElement.onclick.handleEvent(..). The official DOM methods are not affected.
Eric Seidel (no email)
Comment 1 2008-09-23 16:26:56 PDT
This would lead to a crash, so it should be a P1. Any application that registers Obj-C listeners and also allows pages to run JavaScript would be vulnerable to such a crash.
Mark Rowe (bdash)
Comment 2 2008-09-23 16:32:42 PDT
Deirdre Saoirse Moen
Comment 3 2009-01-11 19:02:56 PST
A test case would be helpful.
Sam Weinig
Comment 4 2009-07-05 15:00:07 PDT
This is no longer a problem. We now check that it is a JSEventListener before use.
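The unchecked downcast described in the report and the type check Sam describes in comment 4, shown side by side as an added C++ example. This is not WebKit's code: the class names mirror WebCore's, but the Type tag on the base class, the single-slot EventTargetNode, the JSFunction stand-in for the JS callback object and the getter names are assumptions made for the illustration.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-ins for WebCore's listener classes (not WebKit's code).
// JSFunction plays the role of the JavaScript callback object that
// someElement.onclick hands back to script.
struct JSFunction {
    std::string source;
};

class EventListener {
public:
    // A type tag on the base class is what makes a safe downcast possible.
    enum class Type { JSEventListener, ObjCEventListener };
    explicit EventListener(Type type) : m_type(type) {}
    virtual ~EventListener() = default;
    Type type() const { return m_type; }
private:
    Type m_type;
};

class JSEventListener : public EventListener {
public:
    explicit JSEventListener(JSFunction* function)
        : EventListener(Type::JSEventListener), m_function(function) {}
    JSFunction* function() const { return m_function; }
private:
    JSFunction* m_function;
};

class ObjCEventListener : public EventListener {
public:
    explicit ObjCEventListener(void* objcObject)
        : EventListener(Type::ObjCEventListener), m_objcObject(objcObject) {}
    void* objcObject() const { return m_objcObject; }
private:
    void* m_objcObject;  // not a JSFunction*, so JSEventListener's layout does not apply
};

// One event target with a single "onclick" slot. Either binding can fill it,
// e.g. an embedder registering an ObjC listener through the DOM API.
class EventTargetNode {
public:
    void setOnclick(std::shared_ptr<EventListener> listener) { m_onclick = std::move(listener); }
    EventListener* onclick() const { return m_onclick.get(); }
private:
    std::shared_ptr<EventListener> m_onclick;
};

// The reported bug: the cast is unconditional. It is only valid when the slot
// really holds a JSEventListener; on an ObjCEventListener it would read
// m_objcObject as if it were a JSFunction* (undefined behaviour, in practice a crash).
JSFunction* getListenerUnchecked(const EventTargetNode& node) {
    EventListener* listener = node.onclick();
    if (!listener)
        return nullptr;
    return static_cast<JSEventListener*>(listener)->function();
}

// The fix from comment 4: check the concrete type before downcasting. A listener
// that is not a JSEventListener yields null, so script sees onclick === null
// instead of the process crashing.
JSFunction* getListenerChecked(const EventTargetNode& node) {
    EventListener* listener = node.onclick();
    if (!listener || listener->type() != EventListener::Type::JSEventListener)
        return nullptr;
    return static_cast<JSEventListener*>(listener)->function();
}

// Scenario helpers so each outcome is a checkable return value.
bool jsListenerIsReturned() {
    static JSFunction handler{"alert('clicked')"};  // constructed sample callback
    EventTargetNode node;
    node.setOnclick(std::make_shared<JSEventListener>(&handler));
    // With a genuine JSEventListener both getters agree.
    return getListenerChecked(node) == &handler && getListenerUnchecked(node) == &handler;
}

bool objcListenerIsRejected() {
    static int nativeObject = 0;  // stands in for an NSObject the embedder registered
    EventTargetNode node;
    node.setOnclick(std::make_shared<ObjCEventListener>(&nativeObject));
    // Only the checked getter is safe to call here; the unchecked one is the crash.
    return getListenerChecked(node) == nullptr;
}

int main() {
    std::printf("JS listener returned: %s\n", jsListenerIsReturned() ? "yes" : "no");
    std::printf("ObjC listener rejected: %s\n", objcListenerIsRejected() ? "yes" : "no");
    return 0;
}
```

The check is deliberately on a tag stored in the base class rather than on dynamic_cast, so it works even where RTTI is disabled; the same test would guard setListener and the onclick.handleEvent(..) path mentioned in the report, since both start from the same blind cast.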