Chromium Code Reviews Chromium Code Reviews
Issue 71163005:
Prevent recursive call of Document::execCommand() to protect from attack code (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 66 #include "core/rendering/InlineTextBox.h" | 66 #include "core/rendering/InlineTextBox.h" |
| 67 #include "core/rendering/RenderBlock.h" | 67 #include "core/rendering/RenderBlock.h" |
| 68 #include "core/rendering/RenderText.h" | 68 #include "core/rendering/RenderText.h" |
| 69 | 69 |
| 70 using namespace std; | 70 using namespace std; |
| 71 | 71 |
| 72 namespace WebCore { | 72 namespace WebCore { |
| 73 | 73 |
| 74 using namespace HTMLNames; | 74 using namespace HTMLNames; |
| 75 | 75 |
| 76 namespace { | |
| 77 class ReentrancyGuard { | |
|
eseidel
2013/11/15 07:29:52
We don't have one of these already somewhere?
yosin_UTC9
2013/11/15 09:35:17
No. How about using Locker<T>? See http://crrev.co
| |
| 78 public: | |
| 79 static bool isRecursiveCall() { return s_nestingCounter; } | |
| 80 | |
| 81 class Scope { | |
| 82 public: | |
| 83 Scope() { ++s_nestingCounter; } | |
| 84 ~Scope() { --s_nestingCounter; } | |
| 85 }; | |
| 86 friend class Scope; | |
| 87 | |
| 88 private: | |
| 89 static int s_nestingCounter; | |
| 90 }; | |
| 91 int ReentrancyGuard::s_nestingCounter; | |
| 92 } | |
| 93 | |
| 76 PassRefPtr<EditCommandComposition> EditCommandComposition::create(Document* docu ment, | 94 PassRefPtr<EditCommandComposition> EditCommandComposition::create(Document* docu ment, |
| 77 const VisibleSelection& startingSelection, const VisibleSelection& endingSel ection, EditAction editAction) | 95 const VisibleSelection& startingSelection, const VisibleSelection& endingSel ection, EditAction editAction) |
| 78 { | 96 { |
| 79 return adoptRef(new EditCommandComposition(document, startingSelection, endi ngSelection, editAction)); | 97 return adoptRef(new EditCommandComposition(document, startingSelection, endi ngSelection, editAction)); |
| 80 } | 98 } |
| 81 | 99 |
| 82 EditCommandComposition::EditCommandComposition(Document* document, const Visible Selection& startingSelection, const VisibleSelection& endingSelection, EditActio n editAction) | 100 EditCommandComposition::EditCommandComposition(Document* document, const Visible Selection& startingSelection, const VisibleSelection& endingSelection, EditActio n editAction) |
| 83 : m_document(document) | 101 : m_document(document) |
| 84 , m_startingSelection(startingSelection) | 102 , m_startingSelection(startingSelection) |
| 85 , m_endingSelection(endingSelection) | 103 , m_endingSelection(endingSelection) |
| (...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 151 { | 169 { |
| 152 } | 170 } |
| 153 | 171 |
| 154 CompositeEditCommand::~CompositeEditCommand() | 172 CompositeEditCommand::~CompositeEditCommand() |
| 155 { | 173 { |
| 156 ASSERT(isTopLevelCommand() || !m_composition); | 174 ASSERT(isTopLevelCommand() || !m_composition); |
| 157 } | 175 } |
| 158 | 176 |
| 159 void CompositeEditCommand::apply() | 177 void CompositeEditCommand::apply() |
| 160 { | 178 { |
| 179 // We don't allow recusrive |apply()| to protect against attack code. | |
| 180 // Recursive call of |apply()| could be happened by moving iframe | |
| 181 // with script triggered by insertion, e.g. <iframe src="javascript:..."> | |
| 182 // <iframe onload="...">. This usage is valid as of the specification | |
| 183 // although, it isn't common use case, rather it is used as attack code. | |
| 184 if (ReentrancyGuard::isRecursiveCall()) | |
| 185 return; | |
| 186 | |
| 161 if (!endingSelection().isContentRichlyEditable()) { | 187 if (!endingSelection().isContentRichlyEditable()) { |
| 162 switch (editingAction()) { | 188 switch (editingAction()) { |
| 163 case EditActionTyping: | 189 case EditActionTyping: |
| 164 case EditActionPaste: | 190 case EditActionPaste: |
| 165 case EditActionDrag: | 191 case EditActionDrag: |
| 166 case EditActionSetWritingDirection: | 192 case EditActionSetWritingDirection: |
| 167 case EditActionCut: | 193 case EditActionCut: |
| 168 case EditActionUnspecified: | 194 case EditActionUnspecified: |
| 169 break; | 195 break; |
| 170 default: | 196 default: |
| 171 ASSERT_NOT_REACHED(); | 197 ASSERT_NOT_REACHED(); |
| 172 return; | 198 return; |
| 173 } | 199 } |
| 174 } | 200 } |
| 175 ensureComposition(); | 201 ensureComposition(); |
| 176 | 202 |
| 177 // Changes to the document may have been made since the last editing operati on that require a layout, as in <rdar://problem/5658603>. | 203 // Changes to the document may have been made since the last editing operati on that require a layout, as in <rdar://problem/5658603>. |
| 178 // Low level operations, like RemoveNodeCommand, don't require a layout beca use the high level operations that use them perform one | 204 // Low level operations, like RemoveNodeCommand, don't require a layout beca use the high level operations that use them perform one |
| 179 // if one is necessary (like for the creation of VisiblePositions). | 205 // if one is necessary (like for the creation of VisiblePositions). |
| 180 document().updateLayoutIgnorePendingStylesheets(); | 206 document().updateLayoutIgnorePendingStylesheets(); |
| 181 | 207 |
| 182 Frame* frame = document().frame(); | 208 Frame* frame = document().frame(); |
| 183 ASSERT(frame); | 209 ASSERT(frame); |
| 184 { | 210 { |
| 185 EventQueueScope scope; | 211 EventQueueScope eventQueueScope; |
| 212 ReentrancyGuard::Scope reentrancyGuardScope; | |
| 186 doApply(); | 213 doApply(); |
| 187 } | 214 } |
| 188 | 215 |
| 189 // Only need to call appliedEditing for top-level commands, | 216 // Only need to call appliedEditing for top-level commands, |
| 190 // and TypingCommands do it on their own (see TypingCommand::typingAddedToOp enCommand). | 217 // and TypingCommands do it on their own (see TypingCommand::typingAddedToOp enCommand). |
| 191 if (!isTypingCommand()) | 218 if (!isTypingCommand()) |
| 192 frame->editor().appliedEditing(this); | 219 frame->editor().appliedEditing(this); |
| 193 setShouldRetainAutocorrectionIndicator(false); | 220 setShouldRetainAutocorrectionIndicator(false); |
| 194 } | 221 } |
| 195 | 222 |
| (...skipping 1267 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1463 return node.release(); | 1490 return node.release(); |
| 1464 } | 1491 } |
| 1465 | 1492 |
| 1466 PassRefPtr<Element> createBlockPlaceholderElement(Document& document) | 1493 PassRefPtr<Element> createBlockPlaceholderElement(Document& document) |
| 1467 { | 1494 { |
| 1468 RefPtr<Element> breakNode = document.createElement(brTag, false); | 1495 RefPtr<Element> breakNode = document.createElement(brTag, false); |
| 1469 return breakNode.release(); | 1496 return breakNode.release(); |
| 1470 } | 1497 } |
| 1471 | 1498 |
| 1472 } // namespace WebCore | 1499 } // namespace WebCore |
| OLD | NEW |
