Bug 21044 - JSEventTarget* classes assume each listener is a JSEventListener
Summary: JSEventTarget* classes assume each listener is a JSEventListener
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2008-09-23 16:22 PDT by Nikolas Zimmermann
Modified: 2009-07-05 15:00 PDT (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nikolas Zimmermann 2008-09-23 16:22:46 PDT 
As the summary, says JSEventTargetNode::getListener function blindly casts an EventListener object to a JSEventListener. This will fail if ie. it's actually an ObjCEventListener.

The getListener/setListener functions of the JSEventTarget* classes are only used when calling someElement.onclick = '...' or someElement.onclick.handleEvent(..). The official DOM methods are not affected.
Comment 1 Eric Seidel (no email) 2008-09-23 16:26:56 PDT 
This would lead to a crash, so it should be a P1.  Any application which registers Obj-C listeners as well as allows pages to run JavaScript would be vulnerable to such a crash.
Comment 2 Mark Rowe (bdash) 2008-09-23 16:32:42 PDT 
<rdar://problem/6241522>
Comment 3 Deirdre Saoirse Moen 2009-01-11 19:02:56 PST 
A test case would be helpful.
Comment 4 Sam Weinig 2009-07-05 15:00:07 PDT 
This is no longer a problem.  We now check that it is a JSEventListener before use.