Bug 22378

Summary: Crash submitting a form when parsing an XHTML document
Product: Security
Reporter: Raghu <raghavendra.deshpande>
Component: Security
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, chchkchk236, ddkilzer, mihnea, tibor.pacaj2, yong.li.webkit
Priority: P1
Keywords: HasReduction, InRadar
Version: 525.x (Nightly build)
Hardware: All
OS: All
Bug Depends on: 24922
Bug Blocks:

Raghu
Reported 2008-11-20 00:35:52 PST
I have pasted the test content below. If this content is present in a .xhtml file, WebKit crashes. (Verified in Safari on Win XP with the latest nightly, and in Chrome - it crashes there too.) But if the same content is served in a .html file, it works fine. I am afraid the XHTML content <--> JS bindings have serious issues in WebKit. Here's the test content:
-------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8"/>
<title>Form access </title>
</head>
<body style="background-color:white;border-left:0px;border-top:0px;overflow:hidden;" >
<form name="MyForm" method="POST" action="about:blank">
<input type="hidden" name="name" value=""></input>
</form>
<script type="text/javascript">
document.MyForm.name.value="test";
document.MyForm.setAttribute("action","about:blank");
document.MyForm.submit();
</script>
</body>
</html>
------------------------------------------------------------------
Attachments
test case as attachment -- did not crash for me (731 bytes, application/xhtml+xml)
2008-11-20 02:02 PST, Eric Seidel (no email)
no flags
Test content, that crashes the webkit (788 bytes, application/xhtml+xml)
2008-11-20 02:13 PST, Raghu
no flags
Test page: Form Submit action Doesn't work. (768 bytes, application/xhtml+xml)
2008-11-20 03:02 PST, Raghu
no flags
HTML: Asserts, may crash (768 bytes, text/html)
2008-11-20 03:04 PST, Raghu
no flags
some work in progress (24.40 KB, patch)
2009-03-25 10:09 PDT, Darin Adler
no flags
more work in progress (40.77 KB, patch)
2009-03-26 09:46 PDT, Darin Adler
no flags
more work in progress (124.04 KB, patch)
2009-03-27 11:31 PDT, Darin Adler
no flags
almost done (48.66 KB, patch)
2009-03-29 12:29 PDT, Darin Adler
no flags
event closer to done (79.41 KB, patch)
2009-03-31 18:01 PDT, Darin Adler
no flags
even closer (86.47 KB, patch)
2009-04-01 09:47 PDT, Darin Adler
no flags
patch (92.16 KB, patch)
2009-04-01 14:23 PDT, Darin Adler
ggaren: review+
Eric Seidel (no email)
Comment 1 2008-11-20 02:02:25 PST
Created attachment 25305 [details] test case as attachment -- did not crash for me
Raghu
Comment 2 2008-11-20 02:13:50 PST
Created attachment 25306 [details] Test content, that crashes the webkit
Raghu
Comment 3 2008-11-20 02:34:24 PST
Hi All, you are right, Eric. Sorry. I found that on Safari & Chrome, accessing forms as: document.forms.MyForm.name.value= "something"; causes the crash. But document.MyForm.name.value= "something"; doesn't crash, but doesn't work either. I see that the 'form submit' action is NOT happening in the .xhtml file. If you change the file name to .html, it works.
Raghu
Comment 4 2008-11-20 03:02:49 PST
Created attachment 25309 [details] Test page: Form Submit action Doesn't work.
Raghu
Comment 5 2008-11-20 03:04:06 PST
Created attachment 25310 [details] HTML: Asserts, may crash
Alexey Proskuryakov
Comment 6 2008-11-20 05:23:02 PST
Confirmed with r38590. Marking attachments that do not demonstrate the problem as obsolete. This is not related to "document.MyForm" not being a proper way to access elements in XHTML documents in any way.
Alexey Proskuryakov
Comment 7 2008-11-20 05:48:31 PST
Alexey Proskuryakov
Comment 8 2009-02-19 05:15:07 PST
Comment on attachment 25310 [details] HTML: Asserts, may crash
In fact, the HTML version doesn't work right either - an assertion fails in debug builds, and looking at the code, we have the same problem with using a destroyed object.
Darin Adler
Comment 9 2009-03-25 10:09:30 PDT
Created attachment 28932 [details] some work in progress
Darin Adler
Comment 10 2009-03-26 09:46:38 PDT
Created attachment 28971 [details] more work in progress
Darin Adler
Comment 11 2009-03-27 11:31:45 PDT
Created attachment 29017 [details] more work in progress
Darin Adler
Comment 12 2009-03-27 14:18:47 PDT
Alexey thinks there may be security impact, so moving to the security product.
Darin Adler
Comment 13 2009-03-29 12:29:45 PDT
Created attachment 29047 [details] almost done
This patch is almost ready to go. Here's what remains:
1) A few layout tests are failing. Two of them are failing because our behavior now matches Firefox, tests for a crash when submitting a form from an onunload handler. Not sure how to fix those two. One other is failing because back/forward is working differently. Not sure if it's a regression or progression, and how to fix it if it's a progression.
2) No change log yet.
3) Haven't changed the test case into a regression test yet.
Darin Adler
Comment 14 2009-03-31 18:01:14 PDT
Created attachment 29149 [details] event closer to done
Darin Adler
Comment 15 2009-04-01 09:47:30 PDT
Created attachment 29161 [details] even closer
Darin Adler
Comment 16 2009-04-01 14:23:51 PDT
Geoffrey Garen
Comment 17 2009-04-01 14:47:05 PDT
Comment on attachment 29178 [details] patch
r=me
Darin Adler
Comment 18 2009-04-01 18:02:29 PDT