description: fix cve-2010-2646
author: Michael Gilbert
origin: http://trac.webkit.org/changeset/58873
Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400
@@ -54,8 +54,12 @@
 frames.append(frame);
 }
- for (unsigned i = 0; i < frames.size(); ++i)
- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
+ for (unsigned i = 0; i < frames.size(); ++i) {
+ ExceptionCode ec = 0;
+ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
+ if (!ec)
+ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
+ }
 } else {
 // Send events to every page.
 const HashSet& pages = page->group().pages();
Index: webkit-1.2.4/WebCore/page/DOMWindow.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400
@@ -206,7 +206,7 @@
 #if ENABLE(DOM_STORAGE)
 // HTML 5 key/value storage
- Storage* sessionStorage() const;
+ Storage* sessionStorage(ExceptionCode&) const;
 Storage* localStorage(ExceptionCode&) const;
 #endif
Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400
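Review bot: The new loop silently skips a frame whenever sessionStorage(ec) sets ec, and nothing in the hunk says why dropping the event is the intended outcome; a one-line comment above `if (!ec)` would save the next reader a trip into DOMWindow.cpp, e.g. `// Unique origins have no session storage area (SECURITY_ERR); they receive no storage event.` Note that a null `storage` with ec left at 0 (the `if (!page) return 0;` path visible in the DOMWindow.cpp hunk) is still handed to StorageEvent::create exactly as before the patch, so this change narrows only the SECURITY_ERR case. The enclosing function starts before this hunk.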
@@ -567,7 +567,7 @@
 }
 #if ENABLE(DOM_STORAGE)
-Storage* DOMWindow::sessionStorage() const
+Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
 {
 if (m_sessionStorage)
 return m_sessionStorage.get();
@@ -576,6 +576,11 @@
 if (!document)
 return 0;
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+
 Page* page = document->page();
 if (!page)
 return 0;
@@ -593,16 +598,16 @@
 {
 if (m_localStorage)
 return m_localStorage.get();
-
+
 Document* document = this->document();
 if (!document)
 return 0;
-
+
 if (!document->securityOrigin()->canAccessLocalStorage()) {
 ec = SECURITY_ERR;
 return 0;
 }
-
+
 Page* page = document->page();
 if (!page)
 return 0;
Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400
@@ -120,6 +120,11 @@
 bool canAccessLocalStorage() const { return !isUnique(); }
 bool canAccessCookies() const { return !isUnique(); }
+ // Technically, we should always allow access to sessionStorage, but we
+ // currently don't handle creating a sessionStorage area for unique
+ // origins.
+ bool canAccessSessionStorage() const { return !isUnique(); }
+
 bool isSecureTransitionTo(const KURL&) const;
 // The local SecurityOrigin is the most privileged SecurityOrigin.
Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400
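Review bot: In the second DOMWindow.cpp hunk (@@ -576) the new sessionStorage guard calls `canAccessLocalStorage()`, while the SecurityOrigin.h hunk of this same patch introduces `canAccessSessionStorage()` for exactly this purpose and nothing in the patch uses it. Both predicates are `!isUnique()` today, so behaviour is identical, but the line should read `if (!document->securityOrigin()->canAccessSessionStorage()) {` so that a later change to one storage policy does not silently alter the other. The comment added above canAccessSessionStorage() already records why unique origins are refused; that reasoning is invisible from here when the localStorage predicate is called instead. DOMWindow::sessionStorage continues outside the hunk.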
@@ -164,7 +164,8 @@
 raises(DOMException);
 #endif
 #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
- readonly attribute [EnabledAtRuntime] Storage sessionStorage;
+ readonly attribute [EnabledAtRuntime] Storage sessionStorage
+ getter raises(DOMException);
 readonly attribute [EnabledAtRuntime] Storage localStorage
 getter raises(DOMException);
 #endif