[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677

cblu cblu at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 08:48:59 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit ea3a1e7bc16fcc6dea042720a829524d4127cda6
Author: cblu <cblu at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jul 6 23:11:23 2004 +0000

    	Fixed: <rdar://problem/3715785> multiple frame injection vulnerability reported by Secunia, affects almost all browsers
    
            Reviewed by john, trey, kocienda.
    
            * WebCoreSupport.subproj/WebBridge.m:
            (-[WebBridge canTargetLoadInFrame:]): new method; returns YES if the requesting frame is local, if the target frame is an entire window, or if the domain of the parent of the targeted frame equals this domain
            (-[WebBridge loadURL:referrer:reload:userGesture:target:triggeringEvent:form:formValues:]): call canTargetLoadInFrame: to make sure we can load the request
            (-[WebBridge postWithURL:referrer:target:data:contentType:triggeringEvent:form:formValues:]): ditto
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@6968 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit/ChangeLog b/WebKit/ChangeLog
index e8c3188..fa64dda 100644
--- a/WebKit/ChangeLog
+++ b/WebKit/ChangeLog
@@ -1,3 +1,14 @@
+2004-07-06  Chris Blumenberg  <cblu at apple.com>
+
+	Fixed: <rdar://problem/3715785> multiple frame injection vulnerability reported by Secunia, affects almost all browsers
+	
+        Reviewed by john, trey, kocienda.
+
+        * WebCoreSupport.subproj/WebBridge.m:
+        (-[WebBridge canTargetLoadInFrame:]): new method, return YES if the requesting frame is local, the target frame is an entire window or if the domain of the parent of the targeted frame equals this domain
+        (-[WebBridge loadURL:referrer:reload:userGesture:target:triggeringEvent:form:formValues:]): call canTargetLoadInFrame: to make sure we can load the request
+        (-[WebBridge postWithURL:referrer:target:data:contentType:triggeringEvent:form:formValues:]): ditto
+
 2004-07-06  John Sullivan  <sullivan at apple.com>
 
         Reviewed by Trey.
diff --git a/WebKit/WebCoreSupport.subproj/WebBridge.m b/WebKit/WebCoreSupport.subproj/WebBridge.m
index 0f02aa6..06d5588 100644
--- a/WebKit/WebCoreSupport.subproj/WebBridge.m
+++ b/WebKit/WebCoreSupport.subproj/WebBridge.m
@@ -13,6 +13,7 @@
 #import <WebKit/WebDataSourcePrivate.h>
 #import <WebKit/WebDefaultResourceLoadDelegate.h>
 #import <WebKit/WebDefaultUIDelegate.h>
+#import <WebKit/DOMHTML.h>
 #import <WebKit/WebEditingDelegate.h>
 #import <WebKit/WebFileButton.h>
 #import <WebKit/WebFormDelegate.h>
@@ -591,6 +592,32 @@ NSString *WebPluginContainerKey =   @"WebPluginContainer";
     [[self dataSource] _setIconURL:URL withType:type];
 }
 
+- (BOOL)canTargetLoadInFrame:(WebFrame *)targetFrame
+{
+    // This method prevents this exploit:
+    // <rdar://problem/3715785> multiple frame injection vulnerability reported by Secunia, affects almost all browsers
+    
+    NSString *thisDomain = [(DOMHTMLDocument *)[_frame DOMDocument] domain];
+    if ([thisDomain length] == 0) {
+        // Allow if the request is made from a local file.
+        return YES;
+    }
+    
+    WebFrame *parentFrame = [targetFrame parentFrame];
+    if (parentFrame == nil) {
+        // Allow if target is an entire window.
+        return YES;
+    }
+    
+    NSString *parentDomain = [(DOMHTMLDocument *)[parentFrame DOMDocument] domain];
+    if (parentDomain != nil && [thisDomain _web_isCaseInsensitiveEqualToString:parentDomain]) {
+        // Allow if the domain of the parent of the targeted frame equals this domain.
+        return YES;
+    }
+
+    return NO;
+}
+
 - (void)loadURL:(NSURL *)URL referrer:(NSString *)referrer reload:(BOOL)reload userGesture:(BOOL)forUser target:(NSString *)target triggeringEvent:(NSEvent *)event form:(DOMElement *)form formValues:(NSDictionary *)values
 {
     if ([target length] == 0) {
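Review bot: The early return on L65-L67 allows the load whenever the requester's `domain` has length 0, which is broader than the "local file" the comment describes: `[_frame DOMDocument]` returning nil, or any document whose `-domain` is unset, also yields a nil/empty string (messaging nil returns nil) and takes the permissive branch. If "local file" is really the intent, the frame's URL scheme would be the more precise test; I cannot tell from the hunk whether a non-file document can reach here with an empty domain, so at minimum the comment should state the rule actually enforced, e.g. `// Allow if the requesting document has no domain (e.g. a local file).`. The comparison on L76-L77 consults only the immediate parent of the target frame, and a nil `targetFrame` (e.g. a name `findFrameNamed:` does not resolve) falls through L70-L74 and is allowed, which a header doc comment on the method should spell out: allowed when the requester has no domain, when the target is top-level or nil, or when the target's parent shares the requester's domain case-insensitively. The `loadURL:...` method starting on L85 continues past the end of this hunk.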
@@ -598,6 +625,10 @@ NSString *WebPluginContainerKey =   @"WebPluginContainer";
     }
 
     WebFrame *targetFrame = [_frame findFrameNamed:target];
+    if (![self canTargetLoadInFrame:targetFrame]) {
+        return;
+    }
+    
     WebFrameLoadType loadType;
     
     if (reload)
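Review bot: A blocked cross-domain targeted load on L92-L94, and the identical guard in `postWithURL:` in the following hunk, returns silently, so neither the page author nor anyone investigating an attempted frame injection gets any signal that the navigation was refused. A debug-only log naming the requesting domain and the target frame name before the `return;` would make blocked loads observable without changing behaviour. Since `findFrameNamed:` may return nil for a name that does not resolve and `canTargetLoadInFrame:` then allows the request, a one-line comment such as `// A nil targetFrame (unresolved name) is allowed; the policy only guards existing frames.` would document the intended semantics at the call site. Both enclosing methods extend beyond their hunks.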
@@ -620,6 +651,9 @@ NSString *WebPluginContainerKey =   @"WebPluginContainer";
     }
 
     WebFrame *targetFrame = [_frame findFrameNamed:target];
+    if (![self canTargetLoadInFrame:targetFrame]) {
+        return;
+    }
 
     [_frame _postWithURL:URL referrer:(NSString *)referrer target:target data:data contentType:contentType triggeringEvent:event form:form formValues:values];
 



