Bug 14610 - Security problem in DOMWindow
Summary: Security problem in DOMWindow
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 523.x (Safari 3)
Hardware: All All
Importance: P1 Normal
Assignee: Nobody
Keywords: EasyFix, HasReduction, InRadar
Reported: 2007-07-13 11:12 PDT by Feng Qian
Modified: 2007-07-17 22:44 PDT

Description Feng Qian 2007-07-13 11:12:42 PDT
The problem was introduced by recent code refactoring in kjs_window
and DOMWindow. When navigating to a new page, DOMWindow does not
clear up its DOMSelection object.

To show the problem, save the following text into a file, say 'selection.html':

<html><script>
var child;  // handle to the popup window
var sel;    // DOMSelection object captured while the child is same-origin

function openwin() {
 child = open("hello.html");
}
function getsel() {
 sel = child.getSelection();
}
function reloadwin() {
 child.location="world.html";  // navigates the child to a different domain
}
function check() {
 // sel was obtained before the navigation; after it, the object should
 // no longer expose the child's new document
 var selected = sel.anchorNode;
 var new_doc = selected.ownerDocument;
 alert(new_doc.baseURI);
}

</script>
<body>
<button onclick="openwin()">open</button>
<button onclick="getsel()">get selection</button>
<button onclick="reloadwin()">reload</button>
<button onclick="check()">check</button>
</body></html>

Also create two files called hello.html and world.html:
<html><body>hello</body></html>
<html><body>world</body></html>

Put selection.html and hello.html in the same domain, and put
world.html in a different domain (you need to change the URLs of
hello.html and world.html in selection.html).

Do the following steps:
1. load 'selection.html' in a new window;
2. click the 'open' button; it opens a child window;
3. select the "hello" text in the child window;
4. click the 'get selection' button in the parent window;
5. click the 'check' button; an alert window pops up and displays the
URL of 'hello.html'.

So far so good.

6. click the 'reload' button in the parent window; it loads the
'world.html' page in the child window.
   Note that now the parent window and the child window are in
different domains.
7. select 'world' in the child window;
8. click the 'check' button in the first window. An alert window pops
up and displays the URL of 'world.html'.  At this point, the parent
window has full access to the Document object and the DOM nodes under it
in the child window even though they are from different domains.

I will make a patch later.
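As an added illustration, not part of this report or of WebKit's code, the following Node.js model of a window that caches its DOMSelection object replays the report's steps and shows why the captured object keeps working after the child navigates cross-origin, and what changes once the cached object is disconnected and dropped on navigation. The classes, origins and URLs are constructed stand-ins rather than WebKit's API, and the model assumes that the fix consists of clearing the cached selection when the frame commits a new document, which the report implies but does not spell out.

```javascript
// Constructed model (not WebKit code) of a window that caches its DOMSelection.
// Origins and URLs below are sample values made up for the example.

class Document {
  constructor(origin, url) {
    this.origin = origin;
    this.url = url;
    // One "selected" node stands in for the real selection anchor.
    this.selectedNode = { ownerDocument: this, text: url };
  }
}

class Frame {
  constructor(doc) { this.document = doc; }
}

// DOMSelection holds a back-pointer to its frame; once disconnected it
// exposes nothing, the way a detached object should.
class DOMSelection {
  constructor(frame) { this.frame = frame; }
  get anchorNode() {
    return this.frame ? this.frame.document.selectedNode : null;
  }
  disconnectFrame() { this.frame = null; }
}

class DOMWindow {
  constructor(frame, clearSelectionOnNavigate) {
    this.frame = frame;
    this.selection = null;
    // true models the fixed behaviour, false the behaviour in the report
    this.clearSelectionOnNavigate = clearSelectionOnNavigate;
  }

  // The same-origin gate the bindings apply when a caller asks for the object.
  getSelection(callerOrigin) {
    if (callerOrigin !== this.frame.document.origin) {
      throw new Error('SecurityError: cross-origin access to getSelection');
    }
    if (!this.selection) this.selection = new DOMSelection(this.frame);
    return this.selection;
  }

  // Called when the frame commits a navigation to a new document (assumed fix).
  clear() {
    if (this.selection) {
      this.selection.disconnectFrame();
      this.selection = null;
    }
  }

  navigate(newDoc) {
    if (this.clearSelectionOnNavigate) this.clear();
    this.frame.document = newDoc;
  }
}

// Replays the report: capture the selection while same-origin (step 4),
// navigate the child cross-origin (step 6), then read through the captured
// object (step 8). Returns what the stale object exposes, or null if nothing.
function replayReport(fixed) {
  const parentOrigin = 'http://a.example';
  const child = new DOMWindow(
    new Frame(new Document(parentOrigin, 'http://a.example/hello.html')), fixed);

  const sel = child.getSelection(parentOrigin);       // same-origin: allowed
  const before = sel.anchorNode.ownerDocument.url;    // hello.html

  child.navigate(new Document('http://b.example', 'http://b.example/world.html'));

  // A fresh request after the navigation is correctly refused by the gate...
  let freshCallRefused = false;
  try { child.getSelection(parentOrigin); } catch (e) { freshCallRefused = true; }

  // ...but the object captured earlier never passes through that gate again,
  // so it still reads the new document unless it was disconnected.
  const node = sel.anchorNode;
  const leaked = node ? node.ownerDocument.url : null;
  return { before, freshCallRefused, leaked };
}

console.log('report behaviour:', replayReport(false));
console.log('with clear() on navigate:', replayReport(true));
```

The point the model makes is that the origin check on `getSelection` is not enough on its own: any object handed out before the navigation is a capability that outlives the origin change, so it has to be invalidated at the moment the frame's document is replaced.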
Comment 1 Sam Weinig 2007-07-13 11:27:15 PDT
<rdar://problem/5333782>
Comment 2 Sam Weinig 2007-07-17 22:44:01 PDT
Fixed in r24398.