Issue 71163005: Prevent recursive call of Document::execCommand() to protect from attack code

Issue 71163005: Prevent recursive call of Document::execCommand() to protect from attack code (Closed)

Created:
7 years, 1 month ago by yosin_UTC9

Modified:
7 years, 1 month ago

Reviewers:
Hajime Morrita, leviw_travelin_and_unemployed, eseidel

CC:
blink-reviews, abarth-chromium

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

Prevent recursive call of Document::execCommand() to protect from attack code This patch prevents recursive call of Document::execCommand() to protect from attack code, e.g. executing editing operation in <iframe onload="... editing command">, <iframe src="javascript:...">. Before this patch, editing operations moving iframe executes JavaScript script, specified in load event handler or src with javascript protocol. Although, implementation of editing operations don't handle DOM tree modification during executing editing operation. Note: This change reduces security risk but introduces browser incompatibility to Blink. However, compatibility risk is low because use case of recursive execution of Document::execCommand() is very tricky and the result is different in each browser. We've seen usage of this in attack code only so far. BUG=314609 TEST=LayoutTests/editing/execCommand/apply-style-iframe-crash.html Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=162080

Patch Set 1 : 2013-11-13T18:35:41 #

Total comments: 1

Patch Set 2 : 2013-11-14T13:56:25 #

Total comments: 1

Patch Set 3 : 2013-11-15T12:44:04 #

Total comments: 4

Created: 7 years, 1 month ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+47 lines, -0 lines)			Patch
A	LayoutTests/editing/execCommand/apply-style-iframe-crash.html	View		1 chunk	+20 lines, -0 lines	2 comments	Download
A +	LayoutTests/editing/execCommand/apply-style-iframe-crash-expected.txt	View		0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/core/editing/CompositeEditCommand.cpp	View	1 2	3 chunks	+28 lines, -1 line	2 comments	Download

Messages

Total messages: 13 (0 generated)

Expand Messages | Collapse Messages

leviw_travelin_and_unemployed

https://codereview.chromium.org/71163005/diff/40001/Source/core/editing/CompositeEditCommand.cpp File Source/core/editing/CompositeEditCommand.cpp (right): https://codereview.chromium.org/71163005/diff/40001/Source/core/editing/CompositeEditCommand.cpp#newcode191 Source/core/editing/CompositeEditCommand.cpp:191: ++applyNestingCounter; I like the idea... Can we make this ...

7 years, 1 month ago (2013-11-13 21:16:18 UTC) #3

Hajime Morrita

Yeah, let's define a scope class. I'm not sure if it is enough to prevent ...

7 years, 1 month ago (2013-11-14 04:18:38 UTC) #4

Hajime Morrita

lgtm. https://codereview.chromium.org/71163005/diff/120001/Source/core/editing/CompositeEditCommand.cpp File Source/core/editing/CompositeEditCommand.cpp (right): https://codereview.chromium.org/71163005/diff/120001/Source/core/editing/CompositeEditCommand.cpp#newcode77 Source/core/editing/CompositeEditCommand.cpp:77: class PreventRecursiveApply { Nit: Let's name more noun-like

7 years, 1 month ago (2013-11-14 07:00:24 UTC) #6

yosin_UTC9

On 2013/11/14 07:00:24, morrita1 wrote: > Source/core/editing/CompositeEditCommand.cpp:77: class PreventRecursiveApply { > Nit: Let's name more ...

7 years, 1 month ago (2013-11-14 07:15:45 UTC) #7

leviw_travelin_and_unemployed

On 2013/11/14 07:15:45, Yoshi wrote: > On 2013/11/14 07:00:24, morrita1 wrote: > > Source/core/editing/CompositeEditCommand.cpp:77: class ...

7 years, 1 month ago (2013-11-14 18:15:09 UTC) #8

yosin_UTC9

On 2013/11/14 18:15:09, Levi wrote: > On 2013/11/14 07:15:45, Yoshi wrote: > > On 2013/11/14 ...

7 years, 1 month ago (2013-11-15 05:31:51 UTC) #9

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/yosin@chromium.org/71163005/200001

7 years, 1 month ago (2013-11-15 05:33:36 UTC) #10

eseidel

https://codereview.chromium.org/71163005/diff/200001/LayoutTests/editing/execCommand/apply-style-iframe-crash.html File LayoutTests/editing/execCommand/apply-style-iframe-crash.html (right): https://codereview.chromium.org/71163005/diff/200001/LayoutTests/editing/execCommand/apply-style-iframe-crash.html#newcode3 LayoutTests/editing/execCommand/apply-style-iframe-crash.html:3: </h1><input><iframe xonload=" why is this xonload? https://codereview.chromium.org/71163005/diff/200001/Source/core/editing/CompositeEditCommand.cpp File Source/core/editing/CompositeEditCommand.cpp ...

7 years, 1 month ago (2013-11-15 07:29:51 UTC) #12

yosin_UTC9

7 years, 1 month ago (2013-11-15 09:35:16 UTC) #13

Message was sent while issue was closed.

I submitted other patches:

Fix typo https://codereview.chromium.org/73873002
Guard http://crrev.com/72463005

https://codereview.chromium.org/71163005/diff/200001/LayoutTests/editing/exec...
File LayoutTests/editing/execCommand/apply-style-iframe-crash.html (right):

https://codereview.chromium.org/71163005/diff/200001/LayoutTests/editing/exec...
LayoutTests/editing/execCommand/apply-style-iframe-crash.html:3:
</h1><input><iframe xonload="
On 2013/11/15 07:29:52, eseidel wrote:
> why is this xonload?
Oops, I forgot to restore the test.
Fix in https://codereview.chromium.org/73873002/

https://codereview.chromium.org/71163005/diff/200001/Source/core/editing/Comp...
File Source/core/editing/CompositeEditCommand.cpp (right):

https://codereview.chromium.org/71163005/diff/200001/Source/core/editing/Comp...
Source/core/editing/CompositeEditCommand.cpp:77: class ReentrancyGuard {
On 2013/11/15 07:29:52, eseidel wrote:
> We don't have one of these already somewhere?
No. How about using Locker<T>? See http://crrev.com/72463005

Expand Messages | Collapse Messages