Bug 58610

Summary: CSP should block string arguments to setTimeout and setInterval unless options eval-script
Product: WebKit
Reporter: Adam Barth <abarth>
Component: New Bugs
Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED
Severity: Normal
CC: aroben, commit-queue, eric, pnormand
Priority: P2
Version: 528+ (Nightly build)
Hardware: Other
OS: OS X 10.5
Bug Depends on:
Bug Blocks: 53572

Attachments:
Description         Flags
Patch               none
Patch for landing   none

Adam Barth
Reported 2011-04-14 17:27:55 PDT
CSP should block string arguments to setTimeout and setInterval unless options eval-script
Attachments
Patch (16.66 KB, patch)
2011-04-14 17:29 PDT, Adam Barth
no flags
Patch for landing (15.91 KB, patch)
2011-04-15 13:51 PDT, Adam Barth
no flags
Adam Barth
Comment 1 2011-04-14 17:29:59 PDT
Eric Seidel (no email)
Comment 2 2011-04-14 20:33:47 PDT
Comment on attachment 89697 [details] (Patch)
OK.
Adam Barth
Comment 3 2011-04-15 00:39:44 PDT
Comment on attachment 89697 [details] (Patch)
Clearing flags on attachment: 89697
Committed r83954: <http://trac.webkit.org/changeset/83954>
Adam Barth
Comment 4 2011-04-15 00:39:48 PDT
All reviewed patches have been landed. Closing bug.
Philippe Normand
Comment 5 2011-04-15 02:07:49 PDT
I think this patch broke fast/dom/Window/timer-null-script-execution-context.html on GTK: http://webkit-bots.igalia.com/amd64/svn_83958.core-when_1302857706-_-who_DumpRenderTree-_-why_11.trace.html

Thread 1 (Thread 5107):
#0  0x00002b40f4742876 in WTF::RefPtr<WebCore::ContentSecurityPolicy>::get (this=0x13d8) at ../../Source/JavaScriptCore/wtf/RefPtr.h:60
#1  0x00002b40f4742146 in WebCore::Document::contentSecurityPolicy (this=0x0) at ../../Source/WebCore/dom/Document.h:1106
#2  0x00002b40f4741479 in WebCore::JSDOMWindow::setTimeout (this=0x2b41488259d0, exec=0x2b4148012130) at ../../Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:735
#3  0x00002b40f5224e70 in WebCore::jsDOMWindowPrototypeFunctionSetTimeout (exec=0x2b4148012130) at DerivedSources/WebCore/JSDOMWindow.cpp:9692
#4  0x00002b40f54f2975 in JSC::Interpreter::executeCall (this=0x15a0db0, callFrame=0x2b41480120b0, function=0x2b414bd3b210, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:872
#5  0x00002b40f557f77c in JSC::call (exec=0x2b41480120b0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:38
#6  0x00002b40f55908b5 in JSC::functionProtoFuncCall (exec=0x2b41480120b0) at ../../Source/JavaScriptCore/runtime/FunctionPrototype.cpp:146
#7  0x00002b41080001e8 in ?? ()
#8  0x00007ffff87ea2b0 in ?? ()
#9  0x00002b410805b52e in ?? ()
#10 0x00007ffff87ea240 in ?? ()
#11 0x00002b414bd3b210 in ?? ()
#12 0x0000000004167800 in ?? ()
#13 0x00002b4100000001 in ?? ()
#14 0x00002b414882f3a0 in ?? ()
#15 0x00007ffff87ea260 in ?? ()
#16 0x00007ffff87ea270 in ?? ()
#17 0x00002b40f45fa03d in JSC::JSValue::decode (ptr=0x2b40f94f4170) at ../../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:369
#18 0x00002b40f54f5779 in JSC::JITCode::execute (this=0x2b414bcdcb68, registerFile=0x15a0dc8, callFrame=0x2b4148012038, globalData=0xfc6050) at ../../Source/JavaScriptCore/jit/JITCode.h:77
#19 0x00002b40f54f2723 in JSC::Interpreter::executeCall (this=0x15a0db0, callFrame=0x2b4148826bd8, function=0x2b414bcfb710, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:844
#20 0x00002b40f557f77c in JSC::call (exec=0x2b4148826bd8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:38
#21 0x00002b40f471fc6b in WebCore::JSMainThreadExecState::call (exec=0x2b4148826bd8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:48
#22 0x00002b40f4784b46 in WebCore::ScheduledAction::executeFunctionInContext (this=0x43c7f90, globalObject=0x2b4148826b50, thisValue=..., context=0x4130500) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:109
#23 0x00002b40f4784d3b in WebCore::ScheduledAction::execute (this=0x43c7f90, document=0x4130320) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:131
#24 0x00002b40f4784902 in WebCore::ScheduledAction::execute (this=0x43c7f90, context=0x4130500) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:79
#25 0x00002b40f4cd62fd in WebCore::DOMTimer::fired (this=0x43c7fd0) at ../../Source/WebCore/page/DOMTimer.cpp:148
#26 0x00002b40f4e06160 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0xfcdbb0) at ../../Source/WebCore/platform/ThreadTimers.cpp:112
#27 0x00002b40f4e06097 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:90
#28 0x00002b40f45b485a in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#29 0x00002b40f9253dbb in g_timeout_dispatch (source=0x41d8650, callback=0x2b4148012130, user_data=0x2b4148012130) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3877
#30 0x00002b40f9253362 in g_main_dispatch (context=0xffff000000000002) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:2440
#31 g_main_context_dispatch (context=0xffff000000000002) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3013
#32 0x00002b40f9257a28 in g_main_context_iterate (context=0xf27a30, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3091
#33 0x00002b40f9257f35 in g_main_loop_run (loop=0x4121c90) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3299
#34 0x00002b40f71c6657 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x0000000000421360 in runTest (testPathOrURL=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:702
#36 0x00000000004209fd in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:494
#37 0x0000000000422cbf in main (argc=2, argv=0x7ffff87eb438) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1179
Philippe Normand
Comment 6 2011-04-15 02:08:30 PDT
Forgot a bit:

Program terminated with signal 11, Segmentation fault.
#0  0x00002b40f4742876 in WTF::RefPtr<WebCore::ContentSecurityPolicy>::get (this=0x13d8) at ../../Source/JavaScriptCore/wtf/RefPtr.h:60
60          T* get() const { return m_ptr; }
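An added example, not WebKit's code and not the patch on this bug, modelling the decision the summary asks for (a string timer argument is compiled like eval() and must be refused unless the policy permits eval) together with the edge case behind the trace in comments 5 and 6, where Document::contentSecurityPolicy was reached with this=0x0 because the window had no script execution context. It assumes the pre-1.0 CSP syntax the summary names, where eval is permitted only by the "options eval-script" directive, and a hypothetical context object with a csp field standing in for the Document; the header parser is a deliberate simplification.

```javascript
// Added example (not WebKit code): models the CSP check a setTimeout/setInterval
// binding has to make, plus the null-context case that crashed the first landing.
// Assumptions: old "options eval-script" CSP syntax; `context` is a hypothetical
// { csp } object standing in for the window's Document, or null when detached.

// Parse a policy header value into Map<directive, [tokens]>. Simplified parser,
// not WebKit's ContentSecurityPolicy.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Under this syntax eval() and its equivalents are allowed only when the
// "options" directive lists eval-script. No policy at all means no restriction.
function allowsEval(policy) {
  if (!policy) return true;
  return (policy.get('options') || []).includes('eval-script');
}

// Model of the binding's decision. A function argument is a plain callback.
// Anything else is stringified and would be compiled and run like eval(), so
// it is exactly what a policy without eval-script must block.
function scheduleTimer(context, action) {
  if (context === null) {
    // Detached window, no Document: nothing could run anyway. Bailing out here
    // is the check whose absence produced the null dereference in the trace.
    return { scheduled: false, kind: 'none', reason: 'no script execution context' };
  }
  if (typeof action === 'function') {
    return { scheduled: true, kind: 'function', reason: 'callback' };
  }
  const source = String(action);
  if (!allowsEval(context.csp)) {
    return { scheduled: false, kind: 'string', reason: 'blocked by CSP (eval not allowed)' };
  }
  return { scheduled: true, kind: 'string', reason: 'eval-script permitted', source };
}

// Constructed sample contexts (not taken from the bug).
const strictDocument = { csp: parsePolicy("allow 'self'") };
const evalDocument = { csp: parsePolicy("allow 'self'; options inline-script eval-script") };
const noPolicyDocument = { csp: null };

if (typeof require === 'function' && require.main === module) {
  console.log(scheduleTimer(strictDocument, 'alert(1)'));   // blocked
  console.log(scheduleTimer(strictDocument, () => {}));     // scheduled
  console.log(scheduleTimer(evalDocument, 'alert(1)'));     // scheduled
  console.log(scheduleTimer(noPolicyDocument, 'alert(1)')); // scheduled
  console.log(scheduleTimer(null, 'alert(1)'));             // refused, no crash
}
```

The order of the checks is the point: the context is tested before the policy is consulted, and the argument type is classified before any policy lookup, so a page that has CSP cannot reach eval-equivalent behaviour through a timer, and a detached window cannot reach the policy object at all.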
Adam Roben (:aroben)
Comment 8 2011-04-15 06:14:02 PDT
I rolled this out in r83963 to stop the crashing on the bots.
Adam Barth
Comment 9 2011-04-15 11:02:02 PDT
(In reply to comment #8)
> I rolled this out in r83963 to stop the crashing on the bots.

Thanks! Sorry I went to sleep. :(
Adam Barth
Comment 10 2011-04-15 13:51:31 PDT
Created attachment 89847 [details] Patch for landing
WebKit Commit Bot
Comment 11 2011-04-15 19:33:31 PDT
Comment on attachment 89847 [details] (Patch for landing)
Clearing flags on attachment: 89847
Committed r84073: <http://trac.webkit.org/changeset/84073>
WebKit Commit Bot
Comment 12 2011-04-15 19:33:37 PDT
All reviewed patches have been landed. Closing bug.