Diffstat (limited to 'main/webkit/cve-2010-2646.patch')
-rw-r--r-- | main/webkit/cve-2010-2646.patch | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/main/webkit/cve-2010-2646.patch b/main/webkit/cve-2010-2646.patch
new file mode 100644
index 000000000..40568164c
--- /dev/null
+++ b/main/webkit/cve-2010-2646.patch
@@ -0,0 +1,110 @@
+description: fix cve-2010-2646
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/58873
+Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -54,8 +54,12 @@
+ frames.append(frame);
+ }
+
+- for (unsigned i = 0; i < frames.size(); ++i)
+- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
++ for (unsigned i = 0; i < frames.size(); ++i) {
++ ExceptionCode ec = 0;
++ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
++ if (!ec)
++ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
++ }
+ } else {
+ // Send events to every page.
+ const HashSet<Page*>& pages = page->group().pages();
+Index: webkit-1.2.4/WebCore/page/DOMWindow.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400
+@@ -206,7 +206,7 @@
+
+ #if ENABLE(DOM_STORAGE)
+ // HTML 5 key/value storage
+- Storage* sessionStorage() const;
++ Storage* sessionStorage(ExceptionCode&) const;
+ Storage* localStorage(ExceptionCode&) const;
+ #endif
+
+Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -567,7 +567,7 @@
+ }
+
+ #if ENABLE(DOM_STORAGE)
+-Storage* DOMWindow::sessionStorage() const
++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
+ {
+ if (m_sessionStorage)
+ return m_sessionStorage.get();
+@@ -576,6 +576,11 @@
+ if (!document)
+ return 0;
+
++ if (!document->securityOrigin()->canAccessLocalStorage()) {
++ ec = SECURITY_ERR;
++ return 0;
++ }
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+@@ -593,16 +598,16 @@
+ {
+ if (m_localStorage)
+ return m_localStorage.get();
+-
++
+ Document* document = this->document();
+ if (!document)
+ return 0;
+-
++
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+-
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400
+@@ -120,6 +120,11 @@
+ bool canAccessLocalStorage() const { return !isUnique(); }
+ bool canAccessCookies() const { return !isUnique(); }
+
++ // Technically, we should always allow access to sessionStorage, but we
++ // currently don't handle creating a sessionStorage area for unique
++ // origins.
++ bool canAccessSessionStorage() const { return !isUnique(); }
++
+ bool isSecureTransitionTo(const KURL&) const;
+
+ // The local SecurityOrigin is the most privileged SecurityOrigin.
+Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400
+@@ -164,7 +164,8 @@
+ raises(DOMException);
+ #endif
+ #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
+- readonly attribute [EnabledAtRuntime] Storage sessionStorage;
++ readonly attribute [EnabledAtRuntime] Storage sessionStorage
++ getter raises(DOMException);
+ readonly attribute [EnabledAtRuntime] Storage localStorage
+ getter raises(DOMException);
+ #endif
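Review bot: The new `SecurityOrigin::canAccessSessionStorage()` introduced in the SecurityOrigin.h part of the patch is never called; `DOMWindow::sessionStorage` in the DOMWindow.cpp hunk `@@ -576,6 +576,11 @@` gates on `canAccessLocalStorage()` instead. Both are `!isUnique()` today, so the patch behaves as intended, but the accessor added for exactly this purpose is dead code and any later change to the session-storage policy would not reach the guard. Change the guard to `if (!document->securityOrigin()->canAccessSessionStorage()) {`. Separately, in the StorageEventDispatcher hunk `if (!ec)` only skips the SECURITY_ERR case; `sessionStorage(ec)` still returns 0 with `ec` untouched when there is no document or page, so a null storage can reach `StorageEvent::create` as it could before the patch — worth a comment there if that is relied on. The body of `DOMWindow::sessionStorage` continues past the inner hunk.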