Bug 26868

Summary: EventConstructor is being shared between documents
Product: Security
Reporter: Gianni Chiappetta <gianni>
Component: Security
Assignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: abarth, ddkilzer, eric, gianni, mjs, sam, yong.li.webkit
Priority: P2
Keywords: InRadar
Version: 525.x (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://gf3.ca/safari_scope/
Attachments (description, flags):
Test case - Outer document: none
Test case - Inner document: none

Gianni Chiappetta
Reported 2009-06-30 15:28:53 PDT
It seems as if the EventConstructor object is being shared between document scopes, which leads to conflicts when dealing with cross-frame events.

Reproduce
---------
Compare the Event object between parent and child documents. I've created a test case in the URL attached. There are three assert statements; the assert on the Event object fails in Safari 4. Weirdly enough, if you retrieve the objects via eval on each of the contexts, they return the expected results (thanks to tfluehr for noticing that one).

Actual Results
--------------
Both references are, in fact, the same object.

Expected Results
----------------
Each reference should refer to a different object relating to the scope of the document.
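As an added example (not the reporter's test case, which is in the attachments), here is a check that mirrors the comparison the description makes: it reports whether two document scopes share an Event constructor or its prototype, and whether an event created in the inner document is classified against the wrong realm. `makeRealm` and the `inner.html` path are constructed stand-ins so the check can be exercised outside a browser.

```javascript
// Added example, not code from the bug report. Returns a list of
// isolation failures for a pair of window-like objects; an empty list
// means each document scope has its own Event constructor.
function checkEventIsolation(outerWin, innerWin) {
  const failures = [];
  if (outerWin.Event === innerWin.Event) {
    failures.push("Event constructor is shared between documents");
  }
  if (outerWin.Event.prototype === innerWin.Event.prototype) {
    failures.push("Event.prototype is shared between documents");
  }
  // An event created in the inner document must be an instance of the
  // inner realm's constructor and must not match the outer realm's.
  const ev = innerWin.document.createEvent("Event");
  if (!(ev instanceof innerWin.Event)) {
    failures.push("inner event is not an instance of inner Event");
  }
  if (ev instanceof outerWin.Event) {
    failures.push("inner event is an instance of the outer Event");
  }
  return failures;
}

// Constructed stand-in for a document scope with its own Event constructor
// (or a supplied one, to model the shared-constructor bug). Not a browser API.
function makeRealm(EventCtor) {
  const Event = EventCtor || function Event() {};
  return { Event, document: { createEvent: () => new Event() } };
}

// Browser usage: load this in the outer document and point the iframe at the
// inner test page; the logged array is empty when the scopes are isolated.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.src = "inner.html"; // hypothetical inner document path
  frame.onload = () =>
    console.log(checkEventIsolation(window, frame.contentWindow));
  document.body.appendChild(frame);
}
```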
Attachments
Test case - Outer document (37 bytes, text/plain)
2009-09-08 16:08 PDT, Gianni Chiappetta
no flags
Test case - Inner document (37 bytes, text/plain)
2009-09-08 16:09 PDT, Gianni Chiappetta
no flags
Adam Barth
Comment 1 2009-06-30 15:54:48 PDT
This sounds like it might be exploitable. We need a better testing plan for finding these kinds of bugs.
David Kilzer (:ddkilzer)
Comment 2 2009-08-26 13:02:50 PDT
Adam Barth
Comment 3 2009-08-26 20:40:40 PDT
I bet Eric fixed this as part of his grand cleanup of wrapper constructors.
Sam Weinig
Comment 4 2009-09-08 11:09:10 PDT
The test case is no longer reachable. Can you upload one to the bug if this still manifests?
Gianni Chiappetta
Comment 5 2009-09-08 15:58:59 PDT
Sorry about that, moved it to a new server. Updated URL.
Gianni Chiappetta
Comment 6 2009-09-08 16:08:24 PDT
Created attachment 39224 [details] Test case - Outer document
Gianni Chiappetta
Comment 7 2009-09-08 16:09:20 PDT
Created attachment 39225 [details] Test case - Inner document
Sam Weinig
Comment 8 2009-09-08 18:58:28 PDT
This seems to be fixed in the latest nightlies.
David Kilzer (:ddkilzer)
Comment 9 2009-09-09 08:50:21 PDT
(In reply to comment #8)
> This seems to be fixed in the latest nightlies.

This was fixed by r46068: <http://trac.webkit.org/changeset/46068>

That means this bug is a duplicate of Bug 27276, but I'm hesitant to dupe it since this would provide some potentially unwanted information disclosure.