Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 66338748251c4f55d2b29e32e4851add3ed40f0e
      https://github.com/WebKit/WebKit/commit/66338748251c4f55d2b29e32e4851add3ed40f0e
  Author: David Kilzer <ddkil...@apple.com>
  Date:   2024-04-24 (Wed, 24 Apr 2024)

  Changed paths:
    R LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    R LayoutTests/http/tests/security/resources/xslt2.py
    A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.py
    A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.svg
    A LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.xml
    A LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.py
    A LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.svg
    R LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    R LayoutTests/http/tests/security/xslt-external-entity.html
    A LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader-expected.txt
    A LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
    A LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt
    A LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html
    R LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    A LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt
    M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  REGRESSION (269108@main): Same-origin XSLT document() loads fail
https://bugs.webkit.org/show_bug.cgi?id=273106
<rdar://126897034>

Reviewed by Alex Christensen.

Prior to this change, all external entity loads using docLoaderFunc() in
XSLTProcessorLibxslt.cpp would fail in shouldAllowExternalLoad() because
XMLDocumentParserScope::currentCachedResourceLoader was nullptr.  This
caused both cross-origin loads and same-origin loads to fail.

The fix is to make use of XMLDocumentParserScope in docLoaderFunc() to
set XMLDocumentParserScope::currentCachedResourceLoader so that the
same-origin policy is applied.

We keep the check added to shouldAllowExternalLoad() from 269108@main in
case a load is initiated without using XMLDocumentParserScope, and this
change adds a Debug assert to catch those cases before the load fails.

Tests:
    http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
    http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html

* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.py: Add.
* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.svg: Copy from LayoutTests/http/tests/security/resources/xslt-external-entity.svg.
* LayoutTests/http/tests/security/resources/xss-ALLOWED-xsl-external-entity-xslt-docloader.xml: Add.
* LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.py: Rename from LayoutTests/http/tests/security/resources/xslt2.py.
* LayoutTests/http/tests/security/resources/xss-DENIED-xsl-external-entity-xslt-docloader.svg: Rename from LayoutTests/http/tests/security/resources/xslt-external-entity.svg.
* LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader-expected.txt: Add.
* LayoutTests/http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html: Copy from LayoutTests/http/tests/security/xslt-external-entity.html.
* LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt: Rename from LayoutTests/http/tests/security/xslt-external-entity-expected.txt.
- Update results with denied console messages.  This change is the
  result of the bug fix.
* LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html: Rename from LayoutTests/http/tests/security/xslt-external-entity.html.
- Add xss-ALLOWED-xsl-external-entity-xslt-docloader.html to test the
  same-origin case.  This test failed before this fix.
- Rename http/tests/security/xslt-external-entity.html to
  xss-DENIED-xsl-external-entity-xslt-docloader.html to match similar
  test cases.
* LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader-expected.txt: Rename from LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt.
- Update results with denied console messages.  This change is the
  result of the bug fix.

* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::docLoaderFunc):
- Make use of WebCore::XMLDocumentParserScope to fix the bug.

* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
- Add Debug assert to catch failures where XMLDocumentParserScope is
  missing, or a non-WebKit, in-process libxml2 load occurs.

Canonical link: https://commits.webkit.org/277924@main
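
The failure mode and fix described in the log message, as a simplified stand-alone C++ model. This is an added example, not WebKit code: `Loader`, `ParserScope`, `shouldAllowLoad`, `docLoaderBefore` and `docLoaderAfter` are hypothetical names, and the URLs are constructed.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for a resource loader bound to a document's origin.
struct Loader { std::string origin; };

// RAII scope publishing the active loader while a parse or transform runs.
class ParserScope {
public:
    explicit ParserScope(Loader* loader) : m_previous(current) { current = loader; }
    ~ParserScope() { current = m_previous; }
    ParserScope(const ParserScope&) = delete;
    ParserScope& operator=(const ParserScope&) = delete;
    static thread_local Loader* current;
private:
    Loader* m_previous;
};
thread_local Loader* ParserScope::current = nullptr;

// Scheme, host and port of an absolute URL; empty if there is no scheme.
static std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return {};
    return url.substr(0, url.find('/', schemeEnd + 3));
}

// Policy check: fail closed when no scope is active, otherwise same-origin only.
bool shouldAllowLoad(const std::string& url) {
    if (!ParserScope::current) return false;
    return originOf(url) == ParserScope::current->origin;
}

// Before the fix: the callback reaches the check with no scope, so every load is denied.
bool docLoaderBefore(Loader&, const std::string& url) { return shouldAllowLoad(url); }

// After the fix: the callback establishes the scope, so the origin comparison runs.
bool docLoaderAfter(Loader& loader, const std::string& url) {
    ParserScope scope(&loader);
    return shouldAllowLoad(url);
}

int main() {
    Loader page{"http://127.0.0.1:8000"}; // constructed sample origin
    const std::string same = "http://127.0.0.1:8000/resources/data.xml";
    const std::string cross = "http://localhost:8000/resources/data.xml";
    std::cout << docLoaderBefore(page, same) << docLoaderBefore(page, cross)
              << docLoaderAfter(page, same) << docLoaderAfter(page, cross) << '\n';
    return 0;
}
```

The null check in `shouldAllowLoad` corresponds to the fail-closed behaviour the log message says is kept for loads that start without a scope.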


