Title: [197282] releases/WebKitGTK/webkit-2.4/Source/WebCore
Revision
197282
Author
carlo...@webkit.org
Date
2016-02-28 05:27:47 -0800 (Sun, 28 Feb 2016)

Log Message

Merge r185003 - WebSQL default functions can bypass authorizer.
<rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463

Reviewed by Sam Weinig and Alexey Proskuryakov.

No new tests yet.

* platform/sql/SQLiteDatabase.cpp:
(WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
(WebCore::SQLiteDatabase::open):
(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that
   take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.
* platform/sql/SQLiteDatabase.h:

Review feedback followup for r185003.
https://bugs.webkit.org/show_bug.cgi?id=145463

Reviewed by Darin Adler.

* platform/sql/SQLiteDatabase.cpp:
(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): `static const` one thing, c++-style cast another.

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (197281 => 197282)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 13:23:58 UTC (rev 197281)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 13:27:47 UTC (rev 197282)
@@ -1,3 +1,29 @@
+2015-05-29  Brady Eidson  <beid...@apple.com>
+
+        Review feedback followup for r185003.
+        https://bugs.webkit.org/show_bug.cgi?id=145463
+
+        Reviewed by Darin Adler.
+
+        * platform/sql/SQLiteDatabase.cpp:
+        (WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): `static const` one thing, c++-style cast another.
+
+2015-05-29  Brady Eidson  <beid...@apple.com>
+
+        WebSQL default functions can bypass authorizer.
+        <rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463
+
+        Reviewed by Sam Weinig and Alexey Proskuryakov.
+
+        No new tests yet.
+
+        * platform/sql/SQLiteDatabase.cpp:
+        (WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
+        (WebCore::SQLiteDatabase::open):
+        (WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that
+           take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.
+        * platform/sql/SQLiteDatabase.h:
+
 2015-06-09  Said Abou-Hallawa  <sabouhall...@apple.com>
 
         feComposite filter does not clip the paint rect to its effect rect when the operator is 'in' or 'atop'
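Review bot: the entry records "No new tests yet", so nothing in this merge exercises the new overrides; a test that calls each listed function name with the listed argument count through WebSQL and expects the "Function %s is unauthorized" error would pin the behaviour and catch a future SQLite upgrade that adds a new arity or a new built-in the authorizer cannot block. Also note that both entries are dated 2015-05-29 but land above the 2015-06-09 entry, which is expected for a branch merge but worth a mention so the out-of-order dates do not look like a mistake.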

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.cpp (197281 => 197282)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.cpp	2016-02-28 13:23:58 UTC (rev 197281)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.cpp	2016-02-28 13:27:47 UTC (rev 197282)
@@ -50,6 +50,13 @@
 
 static const char notOpenErrorMessage[] = "database is not open";
 
+static void unauthorizedSQLFunction(sqlite3_context *context, int, sqlite3_value **)
+{
+    const char* functionName = (const char*)sqlite3_user_data(context);
+    String errorMessage = String::format("Function %s is unauthorized", functionName);
+    sqlite3_result_error(context, errorMessage.utf8().data(), -1);
+}
+
 SQLiteDatabase::SQLiteDatabase()
     : m_db(0)
     , m_pageSize(-1)
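Review bot: the C-style cast `(const char*)sqlite3_user_data(context)` is the same pattern the follow-up entry in this merge replaces in overrideUnauthorizedFunctions, but it is left as-is here; WebKit style would be `static_cast<const char*>(sqlite3_user_data(context))`, and `sqlite3_context *context` should be written `sqlite3_context* context` to match the rest of the file (`sqlite3* m_db`). The error path itself is sound: sqlite3_result_error copies the text before the temporary CString returned by `errorMessage.utf8()` is destroyed, and the unnamed `int` and `sqlite3_value**` parameters make it clear the override ignores its arguments by design.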
@@ -82,6 +89,8 @@
         return false;
     }
 
+    overrideUnauthorizedFunctions();
+
     m_openError = sqlite3_extended_result_codes(m_db, 1);
     if (m_openError != SQLITE_OK) {
         m_openErrorMessage = sqlite3_errmsg(m_db);
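Review bot: this call runs for every SQLiteDatabase::open, not only for WebSQL connections, while the ChangeLog frames the problem as WebSQL bypassing the authorizer; it is worth confirming that no internal WebCore database issues queries using printf(), eval() or the rtree/fts3 helpers, and stating in the ChangeLog that the overrides apply to every database this class opens rather than to WebSQL alone. Placing the call before the sqlite3_extended_result_codes check is fine, since a failure there abandons m_db along with the registrations.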
@@ -133,6 +142,22 @@
     m_openErrorMessage = CString();
 }
 
+void SQLiteDatabase::overrideUnauthorizedFunctions()
+{
+    static const std::pair<const char*, int> functionParameters[] = {
+        { "rtreenode", 2 },
+        { "rtreedepth", 1 },
+        { "eval", 1 },
+        { "eval", 2 },
+        { "printf", -1 },
+        { "fts3_tokenizer", 1 },
+        { "fts3_tokenizer", 2 },
+    };
+
+    for (auto& functionParameter : functionParameters)
+        sqlite3_create_function(m_db, functionParameter.first, functionParameter.second, SQLITE_UTF8, const_cast<char*>(functionParameter.first), unauthorizedSQLFunction, 0, 0);
+}
+
 void SQLiteDatabase::interrupt()
 {
     m_interrupted = true;
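Review bot: the return value of sqlite3_create_function is discarded inside the loop, so a registration that fails for any reason silently leaves the SQLite built-in reachable while open() still reports success; have overrideUnauthorizedFunctions return bool, or set m_openError and m_openErrorMessage as the surrounding open() code does for its other failures, and make open() fail when any override cannot be installed. The exact-arity entries (`{ "rtreenode", 2 }`, `{ "eval", 1 }`, `{ "eval", 2 }`) are the right choice, because SQLite resolves an exact argument-count match ahead of a variadic (-1) one, so only an exact match reliably shadows the built-in; a one-line comment saying so would stop someone from later "simplifying" the table to -1 everywhere. The `const_cast<char*>` on the name is only there to satisfy the `void*` user-data parameter and is cast back to `const char*` in unauthorizedSQLFunction, which is fine.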

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.h (197281 => 197282)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.h	2016-02-28 13:23:58 UTC (rev 197281)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/sql/SQLiteDatabase.h	2016-02-28 13:27:47 UTC (rev 197282)
@@ -148,7 +148,9 @@
     void enableAuthorizer(bool enable);
     
     int pageSize();
-    
+
+    void overrideUnauthorizedFunctions();
+
     sqlite3* m_db;
     int m_pageSize;
     