Bug 70168

Summary: Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess
Product: WebKit Reporter: Ada Chan <adachan>
Component: WebKit2Assignee: Ada Chan <adachan>
Status: RESOLVED FIXED    
Severity: Normal CC: ap
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ap: review+

Ada Chan
Reported 2011-10-14 22:45:12 PDT
Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess, which then terminates the WebProcess. In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access (m_localPathsWithAssumedReadAccess). But if that URL actually points to a file, we just add its file path to that list without removing its last path component. So any subresource that's in the same folder as that file will fail the URL check in WebProcessProxy::checkURLReceivedFromWebProcess() during load because it does not reside in any directories specified in m_localPathsWithAssumedReadAccess. If the URL check fails, the message ends up being marked as invalid, causing the WebProcess to terminate. One possible fix is in WebProcessProxy::assumeReadAccessToBaseURL(), we can get the base URL of the passed in URL, and then add its path to m_localPathsWithAssumedReadAccess. If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead.
Attachments
Patch (11.30 KB, patch)
2011-10-14 23:09 PDT, Ada Chan 		ap: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ada Chan
Comment 1 2011-10-14 22:46:35 PDT
<rdar://problem/10289392>
Alexey Proskuryakov
Comment 2 2011-10-14 22:56:08 PDT
> If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead. That would match the behavior of HTML <base> tag, and thus makes good sense to me.
Ada Chan
Comment 3 2011-10-14 23:01:04 PDT
> In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access I meant the *urlString* argument.
Ada Chan
Comment 4 2011-10-14 23:09:40 PDT
Created attachment 111126 [details] Patch
Alexey Proskuryakov
Comment 5 2011-10-15 00:08:13 PDT
Comment on attachment 111126 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review > Source/WebCore/ChangeLog:8 > + No new tests. (OOPS!) The patch cannot be landed with this line. > Source/WebCore/ChangeLog:10 > + * WebCore.exp.in: Please describe what's changed.
Ada Chan
Comment 6 2011-10-17 11:01:24 PDT
(In reply to comment #5) > (From update of attachment 111126 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review > > > Source/WebCore/ChangeLog:8 > > + No new tests. (OOPS!) > > The patch cannot be landed with this line. Fixed. > > > Source/WebCore/ChangeLog:10 > > + * WebCore.exp.in: > > Please describe what's changed. Fixed. Thanks for reviewing! Patch has been landed: http://trac.webkit.org/changeset/97633
Note You need to log in before you can comment on or make changes to this bug.