Bug 70168

Summary: Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess
Product: WebKit
Component: WebKit2
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Ada Chan <adachan>
Assignee: Ada Chan <adachan>
CC: ap
Keywords: InRadar

Attachments:
Description: Patch
Flags: ap: review+

Description Ada Chan 2011-10-14 22:45:12 PDT
Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess, which then terminates the WebProcess.

In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access (m_localPathsWithAssumedReadAccess). But if that URL actually points to a file, we just add its file path to that list without removing its last path component. So any subresource that's in the same folder as that file will fail the URL check in WebProcessProxy::checkURLReceivedFromWebProcess() during load because it does not reside in any directories specified in m_localPathsWithAssumedReadAccess. If the URL check fails, the message ends up being marked as invalid, causing the WebProcess to terminate.

One possible fix: in WebProcessProxy::assumeReadAccessToBaseURL(), we can get the base URL of the passed in URL, and then add its path to m_localPathsWithAssumedReadAccess. If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead.
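
Added example, not part of the original report and not WebKit code: a simplified C++ model of the path check described above, showing why storing the file path as given rejects a subresource in the same folder and why storing the containing directory admits it. The `ReadAccessModel` type, its member names and the `/tmp/site/...` paths are constructed for illustration, and the prefix comparison is an assumed stand-in for the real URL check.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model, not WebKit code. Paths are plain strings and a directory
// is written with a trailing '/'.
struct ReadAccessModel {
    // Stands in for m_localPathsWithAssumedReadAccess.
    std::vector<std::string> allowedPrefixes;

    // Everything up to and including the last '/', as <base> resolution would.
    static std::string baseOf(const std::string& path)
    {
        std::string::size_type slash = path.rfind('/');
        return slash == std::string::npos ? std::string() : path.substr(0, slash + 1);
    }

    // Behaviour described in the report: the path is stored as given.
    void assumeAccessAsGiven(const std::string& path) { allowedPrefixes.push_back(path); }

    // Proposed behaviour: store the containing directory instead.
    void assumeAccessToBase(const std::string& path) { allowedPrefixes.push_back(baseOf(path)); }

    // Assumed stand-in for the URL check: the requested path must start with
    // one of the stored prefixes. Empty prefixes never match.
    bool isAllowed(const std::string& requested) const
    {
        for (std::size_t i = 0; i < allowedPrefixes.size(); ++i) {
            const std::string& prefix = allowedPrefixes[i];
            if (!prefix.empty() && requested.compare(0, prefix.size(), prefix) == 0)
                return true;
        }
        return false;
    }
};

int main()
{
    // Constructed sample paths.
    const std::string page = "/tmp/site/index.html";
    const std::string subresource = "/tmp/site/style.css";

    ReadAccessModel before, after;
    before.assumeAccessAsGiven(page);
    after.assumeAccessToBase(page);

    std::cout << "as given: " << before.isAllowed(subresource) << "\n";
    std::cout << "base dir: " << after.isAllowed(subresource) << "\n";
    return 0;
}
```

In this model a directory path written without a trailing slash is treated like a file, so `baseOf("/tmp/site")` yields `/tmp/`, the parent directory.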

Comment 1 Ada Chan 2011-10-14 22:46:35 PDT
<rdar://problem/10289392>

Comment 2 Alexey Proskuryakov 2011-10-14 22:56:08 PDT
> If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead.

That would match the behavior of HTML <base> tag, and thus makes good sense to me.

Comment 3 Ada Chan 2011-10-14 23:01:04 PDT
> In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access

I meant the *urlString* argument.

Comment 4 Ada Chan 2011-10-14 23:09:40 PDT
Created attachment 111126 [details]
Patch

Comment 5 Alexey Proskuryakov 2011-10-15 00:08:13 PDT
Comment on attachment 111126 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review

> Source/WebCore/ChangeLog:8
> +        No new tests. (OOPS!)

The patch cannot be landed with this line.

> Source/WebCore/ChangeLog:10
> +        * WebCore.exp.in:

Please describe what's changed.

Comment 6 Ada Chan 2011-10-17 11:01:24 PDT
(In reply to comment #5)
> (From update of attachment 111126 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review
> 
> > Source/WebCore/ChangeLog:8
> > +        No new tests. (OOPS!)
> 
> The patch cannot be landed with this line.

Fixed.

> 
> > Source/WebCore/ChangeLog:10
> > +        * WebCore.exp.in:
> 
> Please describe what's changed.

Fixed.

Thanks for reviewing!

Patch has been landed: http://trac.webkit.org/changeset/97633