21044 – JSEventTarget* classes assume each listener is a JSEventListener

RESOLVED FIXED 21044

JSEventTarget* classes assume each listener is a JSEventListener

https://bugs.webkit.org/show_bug.cgi?id=21044

Summary JSEventTarget* classes assume each listener is a JSEventListener

Nikolas Zimmermann

Reported 2008-09-23 16:22:46 PDT

As the summary, says JSEventTargetNode::getListener function blindly casts an EventListener object to a JSEventListener. This will fail if ie. it's actually an ObjCEventListener. The getListener/setListener functions of the JSEventTarget* classes are only used when calling someElement.onclick = '...' or someElement.onclick.handleEvent(..). The official DOM methods are not affected.

Attachments
Add attachment proposed patch, testcase, etc.

Eric Seidel (no email)

Comment 1 2008-09-23 16:26:56 PDT

This would lead to a crash, so it should be a P1. Any application which registers Obj-C listeners as well as allows pages to run JavaScript would be vulnerable to such a crash.

Mark Rowe (bdash)

Comment 2 2008-09-23 16:32:42 PDT

<rdar://problem/6241522>

Deirdre Saoirse Moen

Comment 3 2009-01-11 19:02:56 PST

A test case would be helpful.

Sam Weinig

Comment 4 2009-07-05 15:00:07 PDT

This is no longer a problem. We now check that it is a JSEventListener before use.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Mac

OS OS X 10.5

Product WebKit

Component WebCore JavaScript

Assignee

Nobody

Reported

2008-09-23 16:22 PDT

Modified

2009-07-05 15:00 PDT History

CC List

3 users Show

URL

Keywords InRadar, NeedsReduction

Depends on

Blocks