Bug 22378

Summary: Crash submitting a form when parsing an XHTML document
Product: Security
Reporter: Raghu <raghavendra.deshpande>
Component: Security
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, ddkilzer, mihnea, tibor.pacaj2, yong.li.webkit
Priority: P1
Keywords: HasReduction, InRadar
Version: 525.x (Nightly build)
Hardware: All
OS: All
Bug Depends on: 24922
Bug Blocks:
Attachments (description / flags):
  25305  test case as attachment -- did not crash for me / none
  25306  Test content, that crashes the webkit / none
  25309  Test page: Form Submit action Doesn't work. / none
  25310  HTML: Asserts, may crash / none
  28932  some work in progress / none
  28971  more work in progress / none
  29017  more work in progress / none
  29047  almost done / none
  29149  even closer to done / none
  29161  even closer / none
  29178  patch / ggaren: review+

Description Raghu 2008-11-20 00:35:52 PST
I have pasted the test content below.
If this content is present in a .xhtml file, WebKit crashes. (Verified in Safari on Win XP with the latest nightly, and in Chrome; it crashes there too.)

But if the same content is served in a .html file, it works fine.

I am afraid the XHTML content <--> JS bindings have serious issues in WebKit.

Here's the test content:
-------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC 
"-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8"/>
<title>Form access </title>
</head>
<body style="background-color:white;border-left:0px;border-top:0px;overflow:hidden;" >
<form name="MyForm" method="POST" action="about:blank">
<input type="hidden" name="name" value=""></input>
</form>

<script type="text/javascript">
document.MyForm.name.value="test";
document.MyForm.setAttribute("action","about:blank");
document.MyForm.submit();
</script>
</body>
</html>
------------------------------------------------------------------
Comment 1 Eric Seidel (no email) 2008-11-20 02:02:25 PST
Created attachment 25305 [details]
test case as attachment -- did not crash for me
Comment 2 Raghu 2008-11-20 02:13:50 PST
Created attachment 25306 [details]
Test content, that crashes the webkit
Comment 3 Raghu 2008-11-20 02:34:24 PST
Hi All,

You are right, Eric.

Sorry.. I found that, on Safari & Chrome,
accessing forms as:
  document.forms.MyForm.name.value = "something";
causes the crash...

But

document.MyForm.name.value = "something";
doesn't crash, but doesn't work either.

I see that the 'form submit' action is NOT happening in the .xhtml file.
If you change the file name to .html, it works.
Comment 4 Raghu 2008-11-20 03:02:49 PST
Created attachment 25309 [details]
Test page: Form Submit action Doesn't work.
Comment 5 Raghu 2008-11-20 03:04:06 PST
Created attachment 25310 [details]
HTML: Asserts, may crash
Comment 6 Alexey Proskuryakov 2008-11-20 05:23:02 PST
Confirmed with r38590.

Marking attachments that do not demonstrate the problem as obsolete. This is not related to "document.MyForm" not being a proper way to access elements in XHTML documents in any way.
Comment 7 Alexey Proskuryakov 2008-11-20 05:48:31 PST
<rdar://problem/6388377>
Comment 8 Alexey Proskuryakov 2009-02-19 05:15:07 PST
Comment on attachment 25310 [details]
HTML: Asserts, may crash

In fact, the HTML version doesn't work right either - an assertion fails in debug builds, and looking at the code, we have the same problem with using a destroyed object.
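The hazard Alexey names in Comment 8, a form that keeps running after the navigation it started has destroyed it, is easiest to see in a small model. The C++ below is an added illustration written for this page; it is not WebKit's code and not the fix that landed in r42158 (the patch itself is not shown on this page). Form, Page, RefPtr and the liveness registry are assumed names for the example only. The unguarded submit starts the navigation and then touches its own members; the guarded one pins the object with a RefPtr for the duration of the call, the usual way to survive re-entrant teardown.

```cpp
// Added, constructed illustration (not WebKit's code) of the "using a
// destroyed object" hazard described in Comment 8: a form's submit()
// starts a navigation, the navigation tears down the document that owns
// the form, and submit() then keeps using its own members. Form, Page,
// RefPtr and g_liveForms are assumed names for this example only.
#include <cstddef>
#include <set>

// Registry of live Form objects. The example consults it so it can report
// "this was destroyed" without dereferencing freed memory.
static std::set<const void*> g_liveForms;

class Form;

// A Page holds one reference to its form; navigating away drops it, which
// is how a navigation destroys the form in this model.
struct Page {
    Form* form = nullptr;
    void navigate();
};

// Minimal intrusive smart pointer in the spirit of WebKit's RefPtr:
// ref() on construction, deref() on destruction.
template <typename T>
class RefPtr {
public:
    explicit RefPtr(T& object) : m_ptr(&object) { m_ptr->ref(); }
    ~RefPtr() { m_ptr->deref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
private:
    T* m_ptr;
};

class Form {
public:
    explicit Form(Page& page) : m_page(page) { g_liveForms.insert(this); }
    ~Form() { g_liveForms.erase(this); }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    // Hazardous shape: start the navigation, then touch members.
    // Returns true only if the object survived the navigation.
    bool submitUnguarded() {
        const void* self = this;        // address only, never dereferenced below
        m_page.navigate();              // may drop the last reference to *this
        if (!g_liveForms.count(self))
            return false;               // a member access here would be a use-after-free
        m_submitted = true;
        return true;
    }

    // Hardened shape: pin *this for the duration of the call so the
    // navigation cannot free it underneath us.
    bool submitGuarded() {
        RefPtr<Form> protectedThis(*this);
        m_page.navigate();
        m_submitted = true;             // safe: protectedThis still holds a reference
        return g_liveForms.count(this) == 1;
    }

private:
    Page& m_page;
    unsigned m_refCount = 1;            // the creating Page owns the initial reference
    bool m_submitted = false;
};

void Page::navigate() {
    Form* old = form;
    form = nullptr;
    if (old)
        old->deref();                   // document teardown releases the page's reference
}

// Run one submit path on a fresh page and report whether the member
// access after the navigation was safe. navigate() always detaches the
// form, so nothing is left for the page to release afterwards.
bool runScenario(bool guarded) {
    Page page;
    page.form = new Form(page);
    return guarded ? page.form->submitGuarded() : page.form->submitUnguarded();
}

// Number of Form objects still alive; zero after either scenario means no leak.
std::size_t liveFormCount() { return g_liveForms.size(); }
```

runScenario(false) returns false because the page's only reference is gone by the time submitUnguarded() would write m_submitted; runScenario(true) returns true because the guard keeps the count at one until the call returns. In a real engine the unguarded path has no registry to consult and simply writes into freed memory, which is the crash this bug reports.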
Comment 9 Darin Adler 2009-03-25 10:09:30 PDT
Created attachment 28932 [details]
some work in progress
Comment 10 Darin Adler 2009-03-26 09:46:38 PDT
Created attachment 28971 [details]
more work in progress
Comment 11 Darin Adler 2009-03-27 11:31:45 PDT
Created attachment 29017 [details]
more work in progress
Comment 12 Darin Adler 2009-03-27 14:18:47 PDT
Alexey thinks there may be security impact, so moving to the security product.
Comment 13 Darin Adler 2009-03-29 12:29:45 PDT
Created attachment 29047 [details]
almost done

This patch is almost ready to go.

Here's what remains:

    1) A few layout tests are failing. Two of them are failing because our behavior now matches Firefox, tests for a crash when submitting a form from an onunload handler. Not sure how to fix those two. One other is failing because back/forward is working differently. Not sure if it's a regression or progression, and how to fix it if it's a progression.

    2) No change log yet.

    3) Haven't changed the test case into a regression test yet.
Comment 14 Darin Adler 2009-03-31 18:01:14 PDT
Created attachment 29149 [details]
even closer to done
Comment 15 Darin Adler 2009-04-01 09:47:30 PDT
Created attachment 29161 [details]
even closer
Comment 16 Darin Adler 2009-04-01 14:23:51 PDT
Created attachment 29178 [details]
patch
Comment 17 Geoffrey Garen 2009-04-01 14:47:05 PDT
Comment on attachment 29178 [details]
patch

r=me
Comment 18 Darin Adler 2009-04-01 18:02:29 PDT
http://trac.webkit.org/changeset/42158