description: fix cve-2010-2646
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/58873
Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp	2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp	2010-09-07 01:14:42.000000000 -0400
@@ -54,8 +54,12 @@
                 frames.append(frame);
         }
 
-        for (unsigned i = 0; i < frames.size(); ++i)
-            frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
+        for (unsigned i = 0; i < frames.size(); ++i) {
+            ExceptionCode ec = 0;
+            Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
+            if (!ec)
+                frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
+        }
     } else {
         // Send events to every page.
         const HashSet<Page*>& pages = page->group().pages();
Index: webkit-1.2.4/WebCore/page/DOMWindow.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h	2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.h	2010-09-07 01:14:42.000000000 -0400
@@ -206,7 +206,7 @@
 
 #if ENABLE(DOM_STORAGE)
         // HTML 5 key/value storage
-        Storage* sessionStorage() const;
+        Storage* sessionStorage(ExceptionCode&) const;
         Storage* localStorage(ExceptionCode&) const;
 #endif
 
Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp	2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.cpp	2010-09-07 01:14:42.000000000 -0400
@@ -567,7 +567,7 @@
 }
 
 #if ENABLE(DOM_STORAGE)
-Storage* DOMWindow::sessionStorage() const
+Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
 {
     if (m_sessionStorage)
         return m_sessionStorage.get();
@@ -576,6 +576,11 @@
     if (!document)
         return 0;
 
+    if (!document->securityOrigin()->canAccessLocalStorage()) {
+        ec = SECURITY_ERR;
+        return 0;
+    }
+
     Page* page = document->page();
     if (!page)
         return 0;
@@ -593,16 +598,16 @@
 {
     if (m_localStorage)
         return m_localStorage.get();
-    
+
     Document* document = this->document();
     if (!document)
         return 0;
-    
+
     if (!document->securityOrigin()->canAccessLocalStorage()) {
         ec = SECURITY_ERR;
         return 0;
     }
-        
+
     Page* page = document->page();
     if (!page)
         return 0;
Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
===================================================================
--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h	2010-09-07 01:13:45.000000000 -0400
+++ webkit-1.2.4/WebCore/page/SecurityOrigin.h	2010-09-07 01:14:42.000000000 -0400
@@ -120,6 +120,11 @@
     bool canAccessLocalStorage() const { return !isUnique(); }
     bool canAccessCookies() const { return !isUnique(); }
 
+    // Technically, we should always allow access to sessionStorage, but we
+    // currently don't handle creating a sessionStorage area for unique
+    // origins.
+    bool canAccessSessionStorage() const { return !isUnique(); }
+
     bool isSecureTransitionTo(const KURL&) const;
 
     // The local SecurityOrigin is the most privileged SecurityOrigin.
Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
===================================================================
--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl	2010-09-07 01:14:36.000000000 -0400
+++ webkit-1.2.4/WebCore/page/DOMWindow.idl	2010-09-07 01:14:42.000000000 -0400
@@ -164,7 +164,8 @@
             raises(DOMException);
 #endif
 #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
-        readonly attribute [EnabledAtRuntime] Storage sessionStorage;
+        readonly attribute [EnabledAtRuntime] Storage sessionStorage
+            getter raises(DOMException);
         readonly attribute [EnabledAtRuntime] Storage localStorage
             getter raises(DOMException);
 #endif