RESOLVED FIXED 155710
CVE-2016-4758 showModalDialog code runs with “first window” set to wrong window 
https://bugs.webkit.org/show_bug.cgi?id=155710
Summary showModalDialog code runs with “first window” set to wrong window
Darin Adler
Reported 2016-03-20 21:27:10 PDT
Code inside showModalDialog runs with an incorrect "first window", which can lead to security vulnerability. I have a patch for this, but a regression test is trickier to create.
Attachments
Patch (1.89 KB, patch)
2016-03-20 21:32 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
Patch (1.89 KB, patch)
2016-03-20 21:33 PDT, Darin Adler 		bfulgham: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2016-03-20 21:29:31 PDT
<rdar://problem/21449949> Could use advice both on creating a regression test and on possible more-elegant ways to fix this.
Darin Adler
Comment 2 2016-03-20 21:32:47 PDT
Created attachment 274574 [details] Patch
Darin Adler
Comment 3 2016-03-20 21:33:58 PDT
Created attachment 274575 [details] Patch
Brady Eidson
Comment 4 2016-03-21 09:38:49 PDT
Comment on attachment 274575 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274575&action=review No insight into writing a test yet. > Source/WebCore/ChangeLog:3 > + showModalDialog code runs with âfirst windowâ set to wrong window Fancy quotes.
Brent Fulgham
Comment 5 2016-03-21 11:26:17 PDT
Comment on attachment 274575 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274575&action=review I think this change looks good, though the comment about the JSC context makes me wonder if we need to tighten the lifetime of the nullptr JSC scope. Otherwise, I think this change is good. I've asked John W. to help us create a test. Perhaps we could land that test in a separate commit? > Source/WebCore/page/Chrome.cpp:227 > + Your comment here makes it seem like we want the JSC context for 'fireTimersInNestedEventLoop' to be different than the script code for this modal dialog. However, as written we get a new scope for the timers, and this same scope is used for 'runModal'. It's quite likely that you did mean for it to work this way, but if so I think the comment might be misleading. If not, we should control the scope of the new JSC context so that we "pop" back to the original JSC when invoking runModal.
Darin Adler
Comment 6 2016-03-21 11:39:46 PDT
Comment on attachment 274575 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274575&action=review >> Source/WebCore/ChangeLog:3 >> + showModalDialog code runs with âfirst windowâ set to wrong window > > Fancy quotes. Fancy quotes are bad in our review tool, but are they bad in ChangeLog? >> Source/WebCore/page/Chrome.cpp:227 >> + > > Your comment here makes it seem like we want the JSC context for 'fireTimersInNestedEventLoop' to be different than the script code for this modal dialog. However, as written we get a new scope for the timers, and this same scope is used for 'runModal'. It's quite likely that you did mean for it to work this way, but if so I think the comment might be misleading. > > If not, we should control the scope of the new JSC context so that we "pop" back to the original JSC when invoking runModal. JavaScript context has no effect on fireTimersInNestedEventLoop and it doesn’t matter if we do this work before or after calling fireTimersInNestedEventLoop. The name fireTimersInNestedEventLoop might sound like is a function that could execute some JavaScript, but it could not. Calling that function makes sure that run loop timers fire, inside the run loop, instead of waiting for an exit of the outer run loop. All three of the setup steps—PageGroupLoadDeferrer, entryScope, fireTimersInNestedEventLoop—could be done in any order. There are no dependencies between them.
Darin Adler
Comment 7 2016-03-22 21:16:45 PDT
Committed r198575: <http://trac.webkit.org/changeset/198575>
Brent Fulgham
Comment 8 2016-03-22 21:25:40 PDT
Thank you for fixing this, Darin!
Note You need to log in before you can comment on or make changes to this bug.