Source/core/editing/CompositeEditCommand.cpp - Issue 71163005: Prevent recursive call of Document::execCommand() to protect from attack code

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/core/editing/CompositeEditCommand.cpp

Issue 71163005: Prevent recursive call of Document::execCommand() to protect from attack code (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: 2013-11-15T12:44:04 Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« LayoutTests/editing/execCommand/apply-style-iframe-crash.html ('K') | « LayoutTests/editing/execCommand/apply-style-iframe-crash-expected.txt ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/core/editing/CompositeEditCommand.cpp

diff --git a/Source/core/editing/CompositeEditCommand.cpp b/Source/core/editing/CompositeEditCommand.cpp

index 4db2fe86342c16860200307aa8539f6c2eb0c379..08f76c548f8afb1db4f3cf5f69f601b1def1a79e 100644

--- a/Source/core/editing/CompositeEditCommand.cpp

+++ b/Source/core/editing/CompositeEditCommand.cpp

@@ -73,6 +73,24 @@ namespace WebCore {

using namespace HTMLNames;

+namespace {

+class ReentrancyGuard {

eseidel 2013/11/15 07:29:52 We don't have one of these already somewhere?

yosin_UTC9 2013/11/15 09:35:17 No. How about using Locker<T>? See http://crrev.co

+public:

+ static bool isRecursiveCall() { return s_nestingCounter; }

+ class Scope {

+ public:

+ Scope() { ++s_nestingCounter; }

+ ~Scope() { --s_nestingCounter; }

+ };

+ friend class Scope;

+private:

+ static int s_nestingCounter;

+};

+int ReentrancyGuard::s_nestingCounter;

PassRefPtr<EditCommandComposition> EditCommandComposition::create(Document* document,

const VisibleSelection& startingSelection, const VisibleSelection& endingSelection, EditAction editAction)

{

@@ -158,6 +176,14 @@ CompositeEditCommand::~CompositeEditCommand()

void CompositeEditCommand::apply()

{

+ // We don't allow recusrive |apply()| to protect against attack code.

+ // Recursive call of |apply()| could be happened by moving iframe

+ // with script triggered by insertion, e.g. <iframe src="javascript:...">

+ // <iframe onload="...">. This usage is valid as of the specification

+ // although, it isn't common use case, rather it is used as attack code.

+ if (ReentrancyGuard::isRecursiveCall())

+ return;

if (!endingSelection().isContentRichlyEditable()) {

switch (editingAction()) {

case EditActionTyping:

@@ -182,7 +208,8 @@ void CompositeEditCommand::apply()

Frame* frame = document().frame();

ASSERT(frame);

{

- EventQueueScope scope;

+ EventQueueScope eventQueueScope;

+ ReentrancyGuard::Scope reentrancyGuardScope;

doApply();

}