Bug 283771
| Summary: | [Streams API] Commit pull-into descriptors after filling from queue | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mattias Buelens <mattias.buelens> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Mattias Buelens
In GHSA-p5g2-876g-95h9, we discovered that in Chromium, a user could run JavaScript code *synchronously* during `ReadableStreamFulfillReadIntoRequest` by patching `Object.prototype.then`, and use this gadget to break some invariants within `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. Fortunately, Safari seems unaffected, see https://github.com/whatwg/streams/security/advisories/GHSA-p5g2-876g-95h9#advisory-comment-109294.
The Streams standard has been updated with a proper fix for this case. We now postpone all calls to `ReadableByteStreamControllerCommitPullIntoDescriptor` until *after* all pull-into descriptors have been filled up by `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. This way, we won't trigger any patched `then()` method until the stream is in a stable state.
* Original report: https://github.com/whatwg/streams/security/advisories/GHSA-p5g2-876g-95h9
* Specification change: https://github.com/whatwg/streams/pull/1326
* WPT tests: https://github.com/web-platform-tests/wpt/pull/48085
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/140936151>