[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677

mjs mjs at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 08:22:40 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit a165eb3c19d1295e4b2533c8305851ea3b7188ff
Author: mjs <mjs at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 20 00:58:24 2004 +0000

            Reviewed by John, Ken, Dave.
    
    	<rdar://problem/3533319>: Safari allows upload of arbitrary local files w/o user's knowledge or permission
    
    	* khtml/html/html_formimpl.cpp:
            (HTMLInputElementImpl::value): Don't fall back to the value
    	attribute for file inputs, since that way malicious HTML could
    	force the user to upload files unexpectedly.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@5929 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog-2005-08-23 b/WebCore/ChangeLog-2005-08-23
index 49009a0..d0db18b 100644
--- a/WebCore/ChangeLog-2005-08-23
+++ b/WebCore/ChangeLog-2005-08-23
@@ -1,3 +1,14 @@
+2004-01-19  Maciej Stachowiak  <mjs at apple.com>
+
+        Reviewed by John, Ken, Dave.
+
+	<rdar://problem/3533319>: Safari allows upload of arbitrary local files w/o user's knowledge or permission
+        
+	* khtml/html/html_formimpl.cpp:
+        (HTMLInputElementImpl::value): Don't fall back to the value
+	attribute for file inputs, since that way malicious HTML could
+	force the user to upload files unexpectedly.
+
 2004-01-18  David Hyatt  <hyatt at apple.com>
 
 	Fix for 3532569, bugzilla patch viewer doesn't work.  My previous fix for 3531983 caused moves to happen
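
Review bot: The new 2004-01-19 entry mixes indentation: the "Reviewed by" and "(HTMLInputElementImpl::value)" lines are indented with spaces, while the rdar line, the file line and the two continuation lines use a tab, and the blank line after the rdar line carries trailing spaces. Using a single indentation style throughout, matching the tab-indented 2004-01-18 entry below it, would keep the ChangeLog uniform. The description could also state that the fallback to the value attribute is kept for every other input type, since that is what the code change does.
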
diff --git a/WebCore/khtml/html/html_formimpl.cpp b/WebCore/khtml/html/html_formimpl.cpp
index 7f3f200..e3dae73 100644
--- a/WebCore/khtml/html/html_formimpl.cpp
+++ b/WebCore/khtml/html/html_formimpl.cpp
@@ -1737,7 +1737,10 @@ DOMString HTMLInputElementImpl::value() const
         return val;
     }
 
-    if (m_value.isNull())
+    // It's important *not* to fall back to the value attribute for file inputs,
+    // because that would allow a malicious web page to upload files by setting the
+    // value attribute in markup.
+    if (m_value.isNull() && m_type != FILE)
         return getAttribute(ATTR_VALUE);
     return m_value;
 }
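
Review bot: In the new condition "m_value.isNull() && m_type != FILE", a file input still returns m_value whenever it is non-null, so the guard covers only the attribute fallback. Please confirm, and say in the comment, that no page-controlled path (for example a script-callable setter) can write m_value for FILE inputs, since otherwise the unexpected upload described in the comment stays possible through that path. A FILE input with a null m_value now returns a null DOMString where it used to return the attribute string, so callers of value() should be checked for handling that. The patch touches only the ChangeLog and html_formimpl.cpp; a regression test with a file input that carries a value attribute in markup would keep this from coming back.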

-- 
WebKit Debian packaging


