Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7b1fb05b974f0c50874da628b5388cca5b7292e2
https://github.com/WebKit/WebKit/commit/7b1fb05b974f0c50874da628b5388cca5b7292e2
Author: David Kilzer <ddkil...@apple.com>
Date: 2024-04-30 (Tue, 30 Apr 2024)
Changed paths:
  M Source/WebCore/dom/ProcessingInstruction.cpp
  M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
  M Source/WebCore/xml/parser/XMLDocumentParser.h
  M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
  M Source/WebCore/xml/parser/XMLDocumentParserScope.cpp
  M Source/WebCore/xml/parser/XMLDocumentParserScope.h

Log Message:
-----------
[WK1] WebKit XML parsing can deny external entity loads from other in-process libxml2 clients
https://bugs.webkit.org/show_bug.cgi?id=273045
<rdar://126476952>

Reviewed by Alex Christensen and Michael Catanzaro.

The fix for Bug 259235 replaced the default libxml2 external entity loader function with one from WebKit that implements a same-origin policy for the web, but that means that WebKit1 clients that use libxml2 for parsing independent of WebKit also start using this function, which can cause external entity load failures depending on the libxml2 API used.

Fix this by setting the external entity loader using XMLDocumentParserScope, then unsetting it when that object is deallocated.

Add two more places where XMLDocumentParserScope was missing in WebCore::XMLDocumentParser::appendFragmentSource() and WebCore::parseAttributes().

Covered by these tests (among others):
    fast/xsl/xslt-bad-import-uri.html
    http/tests/misc/xslt-bad-import.html
    http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
    http/tests/security/cross-origin-xsl-redirect-BLOCKED.html
    http/tests/security/xss-ALLOWED-xsl-external-entity-xslt-docloader.html
    http/tests/security/xss-DENIED-xsl-external-entity-xslt-docloader.html

* Source/WebCore/dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::checkStyleSheet):
- Move Ref variable for Document to top of method instead of calling document() repeatedly.
- Pass extra argument added to WebCore::parseAttributes().
* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::docLoaderFunc):
- Minor clean-up to inline return statement.
* Source/WebCore/xml/parser/XMLDocumentParser.h:
(WebCore::XMLParserContext::XMLParserContext): Remove.
(WebCore::XMLDocumentParser::XMLDocumentParser): Remove.
- Delete default constructors.
(WebCore::externalEntityLoader): Add declaration.
(WebCore::parseAttributes):
- Add WebCore::CachedResourceLoader to argument list.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityLoader):
- Remove 'static' keyword as this function is referenced outside this source file.
(WebCore::initializeXMLParser):
- Don't set external entity loader here since it will be set by XMLDocumentParserScope instead.
- Add RELEASE_ASSERT() that the external entity loader isn't already set to WebCore::externalEntityLoader. This indicates that an XMLDocumentParserScope was created too early, and that external entity loading will result in a stack recursion crash later.
(WebCore::XMLDocumentParser::initializeParserContext):
- Remove unneeded XMLDocumentParserScope object.
(WebCore::XMLDocumentParser::appendFragmentSource):
- Add missing XMLDocumentParserScope object.
(WebCore::parseAttributes):
- Add WebCore::CachedResourceLoader to argument list so that an XMLDocumentParserScope object can be created before calling libxml2 to parse XML content.
* Source/WebCore/xml/parser/XMLDocumentParserScope.cpp:
(WebCore::XMLDocumentParserScope::XMLDocumentParserScope):
(WebCore::XMLDocumentParserScope::~XMLDocumentParserScope):
- Update to save the current external entity loader and set WebKit's external entity loader function.
* Source/WebCore/xml/parser/XMLDocumentParserScope.h:
(WebCore::XMLDocumentParserScope::m_oldEntityLoader): Add.
- Add instance variable for saving and restoring the external entity loader.
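The save/set/restore discipline the commit message describes, as an added example that is neither WebKit's nor libxml2's code. libxml2's real hook is process-global and is reached through xmlGetExternalEntityLoader()/xmlSetExternalEntityLoader() with the signature xmlParserInputPtr(*)(const char*, const char*, xmlParserCtxtPtr); to build without libxml2 the example replaces it with a string-returning stand-in of the same shape (one global function pointer shared by every client in the process). The origin strings, URLs, entity bodies and all function and class names are constructed for the demo. It shows the three behaviours the fix relies on: inside the scope the same-origin policy denies a cross-origin entity and allows a same-origin one; after the scope is destroyed an unrelated in-process client's cross-origin load succeeds again because the previous loader was restored; and creating a scope while one is already active is rejected, since the new scope would otherwise save the same-origin loader as the "previous" loader and every delegated load would recurse (the demo throws where WebKit uses RELEASE_ASSERT).

```cpp
// Added example (not WebKit or libxml2 code): a scope guard that installs a
// same-origin external entity loader on a process-global hook and restores
// the previous loader on exit, so other in-process clients are unaffected.
#include <cassert>
#include <stdexcept>
#include <string>
#include <utility>

// Stand-in for libxml2's process-global loader hook. Real libxml2 uses
// xmlGetExternalEntityLoader()/xmlSetExternalEntityLoader() with the signature
// xmlParserInputPtr(*)(const char*, const char*, xmlParserCtxtPtr); this demo
// loader returns the entity text, or an empty string when the load is denied.
using EntityLoader = std::string (*)(const std::string& url);

static std::string defaultEntityLoader(const std::string& url) {
    return "<!-- constructed entity body for " + url + " -->";
}

static EntityLoader g_entityLoader = defaultEntityLoader;   // the global hook

EntityLoader getExternalEntityLoader() { return g_entityLoader; }
void setExternalEntityLoader(EntityLoader loader) { g_entityLoader = loader; }

// State owned by the active scope: origin of the document being parsed (the
// role the CachedResourceLoader plays in WebKit) and the loader it displaced.
static std::string g_documentOrigin;
static EntityLoader g_delegateLoader = nullptr;

// scheme://host[:port] of a URL; a minimal parse that is enough for the demo.
static std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    return url.substr(0, url.find('/', schemeEnd + 3));
}

// Web-style policy: deny cross-origin entities, otherwise defer to the loader
// that was installed before the scope began.
static std::string sameOriginEntityLoader(const std::string& url) {
    if (originOf(url) != g_documentOrigin) return "";
    return g_delegateLoader(url);
}

class EntityLoaderScope {
public:
    explicit EntityLoaderScope(std::string documentOrigin)
        : m_oldLoader(getExternalEntityLoader()) {
        // A nested scope would save our own loader as the "previous" one, and
        // every same-origin load would then call itself until the stack is
        // exhausted. WebKit uses RELEASE_ASSERT for this; the demo throws so
        // the check is observable from a test.
        if (m_oldLoader == sameOriginEntityLoader)
            throw std::logic_error("EntityLoaderScope created while one is active");
        g_delegateLoader = m_oldLoader;
        g_documentOrigin = std::move(documentOrigin);
        setExternalEntityLoader(sameOriginEntityLoader);
    }
    ~EntityLoaderScope() {
        setExternalEntityLoader(m_oldLoader);   // hand the hook back to other clients
        g_delegateLoader = nullptr;
    }
    EntityLoaderScope(const EntityLoaderScope&) = delete;
    EntityLoaderScope& operator=(const EntityLoaderScope&) = delete;
private:
    EntityLoader m_oldLoader;
};

// What any in-process client does when libxml2 resolves an external entity.
static std::string loadEntity(const std::string& url) {
    return getExternalEntityLoader()(url);
}

// Inside the scope the web policy applies: cross-origin denied, same-origin allowed.
bool webParseAppliesSameOriginPolicy() {
    EntityLoaderScope scope("https://example.test");
    return loadEntity("https://attacker.test/ext.dtd").empty()
        && !loadEntity("https://example.test/ext.dtd").empty();
}

// After the scope ends, an unrelated client's cross-origin load succeeds again.
bool otherClientUnaffectedAfterScope() {
    { EntityLoaderScope scope("https://example.test"); }
    return getExternalEntityLoader() == defaultEntityLoader
        && !loadEntity("https://unrelated.test/schema.dtd").empty();
}

// Creating a scope while one is active is the misuse the assertion catches.
bool nestedScopeIsRejected() {
    EntityLoaderScope outer("https://example.test");
    try {
        EntityLoaderScope inner("https://example.test");
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

int main() {
    assert(webParseAppliesSameOriginPolicy());
    assert(otherClientUnaffectedAfterScope());
    assert(nestedScopeIsRejected());
    return 0;
}
```

The point of restoring m_oldLoader rather than resetting the hook to libxml2's default is that the "previous" loader may itself belong to another client that installed its own; a parser that wants a private policy on a shared global hook can only be a good citizen by bracketing each parse and putting back exactly what it found.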
Canonical link: https://commits.webkit.org/278168@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes