Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7b1fb05b974f0c50874da628b5388cca5b7292e2
      
https://github.com/WebKit/WebKit/commit/7b1fb05b974f0c50874da628b5388cca5b7292e2
  Author: David Kilzer <ddkil...@apple.com>
  Date:   2024-04-30 (Tue, 30 Apr 2024)

  Changed paths:
    M Source/WebCore/dom/ProcessingInstruction.cpp
    M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
    M Source/WebCore/xml/parser/XMLDocumentParser.h
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
    M Source/WebCore/xml/parser/XMLDocumentParserScope.cpp
    M Source/WebCore/xml/parser/XMLDocumentParserScope.h

  Log Message:
  -----------
  [WK1] WebKit XML parsing can deny external entity loads from other in-process libxml2 clients
https://bugs.webkit.org/show_bug.cgi?id=273045
<rdar://126476952>

Reviewed by Alex Christensen and Michael Catanzaro.

The fix for Bug 259235 replaced the default libxml2 external entity
loader function with one from WebKit that implements a same-origin
policy for the web, but that means that WebKit1 clients that use libxml2
for parsing independent of WebKit also start using this function, which
can cause external entity load failures depending on the libxml2 API
used.

Fix this by setting the external entity loader using
XMLDocumentParserScope, then unsetting it when that object is
deallocated.

Add two more places where XMLDocumentParserScope was missing in
WebCore::XMLDocumentParser::appendFragmentSource() and
WebCore::parseAttributes().

Covered by these tests (among others):
    fast/xsl/xslt-bad-import-uri.html
    http/tests/misc/xslt-bad-import.html
    http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
    http/tests/security/cross-origin-xsl-redirect-BLOCKED.html
    http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
    http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html

* Source/WebCore/dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::checkStyleSheet):
- Move Ref variable for Document to top of method instead of calling
  document() repeatedly.
- Pass extra argument added to WebCore::parseAttributes().

* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::docLoaderFunc):
- Minor clean-up to inline return statement.
* Source/WebCore/xml/parser/XMLDocumentParser.h:
(WebCore::XMLParserContext::XMLParserContext): Remove.
(WebCore::XMLDocumentParser::XMLDocumentParser): Remove.
- Delete default constructors.
(WebCore::externalEntityLoader): Add declaration.
(WebCore::parseAttributes):
- Add WebCore::CachedResourceLoader to argument list.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityLoader):
- Remove 'static' keyword as this function is referenced outside this
  source file.
(WebCore::initializeXMLParser):
- Don't set external entity loader here since it will be set by
  XMLDocumentParserScope instead.
- Add RELEASE_ASSERT() that the external entity loader isn't already set
  to WebCore::externalEntityLoader.  This indicates that an
  XMLDocumentParserScope was created too early, and that external entity
  loading will result in a stack recursion crash later.
(WebCore::XMLDocumentParser::initializeParserContext):
- Remove unneeded XMLDocumentParserScope object.
(WebCore::XMLDocumentParser::appendFragmentSource):
- Add missing XMLDocumentParserScope object.
(WebCore::parseAttributes):
- Add WebCore::CachedResourceLoader to argument list so that an
  XMLDocumentParserScope object can be created before calling libxml2 to
  parse XML content.
* Source/WebCore/xml/parser/XMLDocumentParserScope.cpp:
(WebCore::XMLDocumentParserScope::XMLDocumentParserScope):
(WebCore::XMLDocumentParserScope::~XMLDocumentParserScope):
- Update to save the current external entity loader and set WebKit's
  external entity loader function.
* Source/WebCore/xml/parser/XMLDocumentParserScope.h:
(WebCore::XMLDocumentParserScope::m_oldEntityLoader): Add.
- Add instance variable for saving and restoring the external entity
  loader.

Canonical link: https://commits.webkit.org/278168@main
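As an added illustration, not WebKit's code, the save-and-restore scope the commit message describes, modelled in C++ with a constructed stand-in for libxml2's single process-wide entity loader. That permitted loads are handed to the displaced loader is an assumption of the model; it is what makes a prematurely created (nested) scope recurse, which is the hazard the RELEASE_ASSERT in initializeXMLParser() catches.

```cpp
#include <stdexcept>
#include <string>

// Constructed stand-in for libxml2's single process-wide external entity
// loader (the real API is xmlGetExternalEntityLoader/xmlSetExternalEntityLoader).
using EntityLoader = bool (*)(const std::string& url);
static EntityLoader g_processLoader = nullptr;
// Loader of another in-process libxml2 client: it loads anything.
static bool permissiveLoader(const std::string&) { return true; }
// Browser-side loader: same-origin only; permitted loads are assumed to be
// handed to the loader it displaced, which is what makes nesting hazardous.
static EntityLoader g_displacedLoader = nullptr;
static const std::string kPageOrigin = "https://app.example/";
static bool sameOriginLoader(const std::string& url) {
    if (url.compare(0, kPageOrigin.size(), kPageOrigin) != 0)
        return false; // cross-origin entity: denied
    return g_displacedLoader && g_displacedLoader(url);
}
// RAII scope: install the browser loader on entry, restore the old one on exit.
class ParserScope {
public:
    ParserScope() {
        // A scope created while one is already active would record sameOriginLoader
        // as the "old" loader, so a permitted load would recurse until the stack overflows.
        if (g_processLoader == sameOriginLoader)
            throw std::logic_error("parser scope created too early (nested)");
        m_old = g_processLoader;
        g_displacedLoader = m_old;
        g_processLoader = sameOriginLoader;
    }
    ~ParserScope() { g_processLoader = m_old; g_displacedLoader = nullptr; }
private:
    EntityLoader m_old;
};
// Each probe starts from the state the other client left: its own loader installed.
bool loadInsideScope(const std::string& url) {
    g_processLoader = permissiveLoader;
    ParserScope scope;
    return g_processLoader(url);
}
bool loadOutsideScope(const std::string& url) {
    g_processLoader = permissiveLoader;
    { ParserScope scope; } // enter and leave: the client's loader is back
    return g_processLoader(url);
}
bool nestedScopeIsRejected() {
    g_processLoader = permissiveLoader;
    ParserScope outer;
    try { ParserScope inner; } catch (const std::logic_error&) { return true; }
    return false;
}
```

Outside the scope the other client's loads succeed again, which is the behaviour the fix restores for WebKit1 hosts.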
