Bug 70168 - Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ada Chan
Keywords: InRadar
Reported: 2011-10-14 22:45 PDT by Ada Chan
Modified: 2011-10-17 11:01 PDT

Attachments
Patch (11.30 KB, patch)
2011-10-14 23:09 PDT, Ada Chan
ap: review+

Description Ada Chan 2011-10-14 22:45:12 PDT
Calling WKPageLoadAlternateHTMLString() where baseURL does not point to a directory causes an invalid message to be returned from WebProcess, which then terminates the WebProcess.

In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access (m_localPathsWithAssumedReadAccess). But if that URL actually points to a file, we just add its file path to that list without removing its last path component. So any subresource that's in the same folder as that file will fail the URL check in WebProcessProxy::checkURLReceivedFromWebProcess() during load because it does not reside in any directories specified in m_localPathsWithAssumedReadAccess. If the URL check fails, the message ends up being marked as invalid, causing the WebProcess to terminate.

One possible fix is in WebProcessProxy::assumeReadAccessToBaseURL(), we can get the base URL of the passed in URL, and then add its path to m_localPathsWithAssumedReadAccess. If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead.
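
The allowlist behaviour described above, as an added example that is not part of the original report and is not WebKit's code. It is a simplified model: the class and function names are hypothetical, paths are plain strings, and the check is assumed to be a prefix match against the stored entries.

```cpp
#include <iostream>
#include <set>
#include <string>

// Simplified model of the allowlist described in the report. Names are
// hypothetical and paths are plain strings, not WebKit URL objects.
class ReadAccessModel {
public:
    // Reported behaviour: the path is stored unchanged, even if it names a file.
    void assumeReadAccessBefore(const std::string& path) {
        if (!path.empty()) m_paths.insert(path);
    }

    // Proposed behaviour: store the containing directory. A path ending in '/'
    // is already a directory and is kept as-is (the HTML <base> convention).
    void assumeReadAccessAfter(const std::string& path) {
        const auto slash = path.rfind('/');
        if (slash == std::string::npos)
            return; // no directory component: grant nothing rather than everything
        m_paths.insert(path.substr(0, slash + 1));
    }

    // Models the check on a path received from the web process: it must lie
    // under one of the stored entries.
    bool checkPath(const std::string& requested) const {
        for (const auto& allowed : m_paths)
            if (requested.compare(0, allowed.size(), allowed) == 0)
                return true;
        return false;
    }
private:
    std::set<std::string> m_paths;
};

// Returns whether `subresource` passes the check after `base` was registered.
bool subresourceAllowed(bool fixed, const std::string& base, const std::string& subresource) {
    ReadAccessModel model;
    if (fixed)
        model.assumeReadAccessAfter(base);
    else
        model.assumeReadAccessBefore(base);
    return model.checkPath(subresource);
}

int main() {
    const std::string base = "/tmp/site/index.html", css = "/tmp/site/style.css"; // constructed paths
    std::cout << "before: " << subresourceAllowed(false, base, css) << "\n";
    std::cout << "after:  " << subresourceAllowed(true, base, css) << "\n";
}
```

In this model a directory path given without a trailing '/' is treated like a file, so its parent directory is what gets registered.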
Comment 1 Ada Chan 2011-10-14 22:46:35 PDT
<rdar://problem/10289392>
Comment 2 Alexey Proskuryakov 2011-10-14 22:56:08 PDT
> If the passed in URL is a directory, the behavior remains the same. If the URL points to a file though, we'll add the path to the containing directory to m_localPathsWithAssumedReadAccess instead.

That would match the behavior of HTML <base> tag, and thus makes good sense to me.
Comment 3 Ada Chan 2011-10-14 23:01:04 PDT
> In WebPageProxy::loadAlternateHTMLString(), it calls WebProcessProxy::assumeReadAccessToBaseURL() which adds the baseURL argument to the list of local directories that have read access 
I meant the *urlString* argument.
Comment 4 Ada Chan 2011-10-14 23:09:40 PDT
Created attachment 111126 [details]
Patch
Comment 5 Alexey Proskuryakov 2011-10-15 00:08:13 PDT
Comment on attachment 111126 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review

> Source/WebCore/ChangeLog:8
> +        No new tests. (OOPS!)

The patch cannot be landed with this line.

> Source/WebCore/ChangeLog:10
> +        * WebCore.exp.in:

Please describe what's changed.
Comment 6 Ada Chan 2011-10-17 11:01:24 PDT
(In reply to comment #5)
> (From update of attachment 111126 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=111126&action=review
> 
> > Source/WebCore/ChangeLog:8
> > +        No new tests. (OOPS!)
> 
> The patch cannot be landed with this line.

Fixed.

> 
> > Source/WebCore/ChangeLog:10
> > +        * WebCore.exp.in:
> 
> Please describe what's changed.

Fixed.

Thanks for reviewing!

Patch has been landed: http://trac.webkit.org/changeset/97633