Commit 01a17e2f authored by abarth@webkit.org

Block SVG external references pending a security review

https://bugs.webkit.org/show_bug.cgi?id=100635

Reviewed by Eric Seidel.

Source/WebCore:

We need to do a security review of loading external SVG references
before we're sure that it is safe.

* css/StyleResolver.cpp:
(WebCore::StyleResolver::createFilterOperations):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):

Source/WTF:

We need to do a security review of loading external SVG references
before we're sure that it is safe.

* wtf/Platform.h:

LayoutTests:

Skip tests that depend on external SVG references.

* platform/chromium/TestExpectations:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132849 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 90438d49
2012-10-29 Adam Barth <abarth@webkit.org>
Block SVG external references pending a security review
https://bugs.webkit.org/show_bug.cgi?id=100635
Reviewed by Eric Seidel.
Skip tests that depend on external SVG references.
* platform/chromium/TestExpectations:
2012-10-29 Chris Rogers <crogers@google.com>
Unreviewed rebaseline of webaudio/audiobuffersource-loop-points
......@@ -1354,9 +1354,6 @@ webkit.org/b/84230 svg/as-image/img-preserveAspectRatio-support-1.html [ ImageOn
webkit.org/b/84719 [ Win ] svg/text/select-text-svgfont.html [ Failure Pass ]
webkit.org/b/84854 [ Android Linux ] svg/batik/text/textOnPath.svg [ ImageOnlyFailure Pass ]
webkit.org/b/84854 [ Android Linux ] svg/batik/text/verticalTextOnPath.svg [ ImageOnlyFailure Pass ]
webkit.org/b/85107 svg/as-image/svg-as-relative-image-with-explicit-size.html [ ImageOnlyFailure Pass ]
webkit.org/b/85107 svg/as-image/animated-svg-as-image.html [ ImageOnlyFailure Pass ]
......@@ -2134,8 +2131,6 @@ crbug.com/40680 fast/media/media-query-list-05.html
crbug.com/40680 fast/media/media-query-list-06.html
crbug.com/40680 fast/media/media-query-list-07.html
crbug.com/117597 svg/batik/filters/feTile.svg [ ImageOnlyFailure ]
# Caused by http://trac.webkit.org/changeset/56394.
crbug.com/143475 [ Win ] http/tests/xmlhttprequest/xmlhttprequest-50ms-download-dispatch.html [ Failure Pass Timeout ]
......@@ -3902,6 +3897,41 @@ crbug.com/152953 [ Mac ] platform/chromium/virtual/softwarecompositing/scrollbar
crbug.com/152953 [ Mac Win ] platform/chromium/virtual/softwarecompositing/absolute-position-changed-with-composited-parent-layer.html [ Skip ]
crbug.com/152953 [ Win ] platform/chromium/virtual/softwarecompositing/iframes/composited-iframe-alignment.html [ ImageOnlyFailure ]
# These tests disabled pending a security review of external SVG references.
webkit.org/b/100635 css3/filters/effect-reference-external.html [ ImageOnlyFailure ]
webkit.org/b/100635 svg/W3C-SVG-1.2-Tiny/struct-use-recursion-02-t.svg [ Failure ]
webkit.org/b/100635 svg/W3C-SVG-1.2-Tiny/struct-use-recursion-03-t.svg [ Failure ]
webkit.org/b/100635 svg/batik/filters/feTile.svg [ Failure ImageOnlyFailure ]
webkit.org/b/100635 svg/batik/filters/filterRegions.svg [ Failure ]
webkit.org/b/100635 svg/batik/masking/maskRegions.svg [ Failure ]
webkit.org/b/100635 svg/batik/paints/patternPreserveAspectRatioA.svg [ Failure ]
webkit.org/b/100635 svg/batik/paints/patternRegionA.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/longTextOnPath.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/smallFonts.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textAnchor.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textDecoration.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textEffect2.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textFeatures.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textLayout.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textLayout2.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textLength.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textOnPath.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textOnPathSpaces.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textPosition.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textPosition2.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textProperties.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textProperties2.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/textStyles.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/verticalText.svg [ Failure ]
webkit.org/b/100635 svg/batik/text/verticalTextOnPath.svg [ Failure ]
webkit.org/b/100635 svg/custom/use-extern-href.svg [ Failure ]
webkit.org/b/100635 svg/custom/use-referencing-indirectly-itself.svg [ ImageOnlyFailure ]
webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-dom-href1-attr.html [ Timeout ]
webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-dom-href2-attr.html [ Timeout ]
webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-svgdom-href1-prop.html [ Timeout ]
webkit.org/b/100635 svg/dynamic-updates/SVGUseElement-svgdom-href2-prop.html [ Timeout ]
webkit.org/b/100635 svg/hixie/error/014.xml [ Failure ]
webkit.org/b/100635 svg/hixie/use/002.xml [ Failure ]
# Render surfaces do not draw anything in the software compositor.
crbug.com/150010 platform/chromium/virtual/softwarecompositing/culling/filter-occlusion-alpha-large.html [ ImageOnlyFailure ]
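Review bot: The header comment says these tests are disabled and the ChangeLog entry says "Skip tests", but none of the added webkit.org/b/100635 entries uses [ Skip ]; they are marked [ Failure ], [ ImageOnlyFailure ] or [ Timeout ] and will still run. The four svg/dynamic-updates/SVGUseElement-* entries marked [ Timeout ] in particular will run to the timeout on every pass, so [ Skip ] would fit them better, or the comment should read "expected to fail" instead of "disabled". Also confirm that the crbug.com/117597 line for svg/batik/filters/feTile.svg shown in the -2134 hunk is one of the removed lines, otherwise that test ends up with two expectation entries.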
......
2012-10-29 Adam Barth <abarth@webkit.org>
Block SVG external references pending a security review
https://bugs.webkit.org/show_bug.cgi?id=100635
Reviewed by Eric Seidel.
We need to do a security review of loading external SVG references
before we're sure that it is safe.
* wtf/Platform.h:
2012-10-29 Michael Saboff <msaboff@apple.com>
String::split(UChar, Vector<String>&) shouldn't create a temporary String
......
......@@ -1181,6 +1181,10 @@
#define ENABLE_TEXT_NOTIFICATIONS_ONLY 1
#endif
#if !defined(ENABLE_EXTERNAL_SVG_REFERENCES) && !PLATFORM(CHROMIUM)
#define ENABLE_EXTERNAL_SVG_REFERENCES 1
#endif
#if !defined(WTF_USE_ZLIB) && !PLATFORM(QT)
#define WTF_USE_ZLIB 1
#endif
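Review bot: The new ENABLE_EXTERNAL_SVG_REFERENCES block excludes PLATFORM(CHROMIUM) with no comment saying why or that the exclusion is temporary. A one-line comment above the #if pointing at webkit.org/b/100635 would let whoever completes the security review find and remove the exclusion; the ChangeLog text alone is easy to lose track of once it scrolls away.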
......
2012-10-29 Adam Barth <abarth@webkit.org>
Block SVG external references pending a security review
https://bugs.webkit.org/show_bug.cgi?id=100635
Reviewed by Eric Seidel.
We need to do a security review of loading external SVG references
before we're sure that it is safe.
* css/StyleResolver.cpp:
(WebCore::StyleResolver::createFilterOperations):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
2012-10-29 Joshua Bell <jsbell@chromium.org>
IndexedDB: Crash on checking version of corrupt backing store
......@@ -4933,7 +4933,7 @@ bool StyleResolver::createFilterOperations(CSSValue* inValue, RenderStyle* style
if (SVGURIReference::isExternalURIReference(svgDocumentValue->url(), m_element->document())) {
if (!svgDocumentValue->loadRequested())
m_pendingSVGDocuments.set(operation.get(), svgDocumentValue);
else
else if (svgDocumentValue->cachedSVGDocument())
operation->setData(adoptPtr(new CachedSVGDocumentReference(svgDocumentValue->cachedSVGDocument())));
}
operations.operations().append(operation);
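Review bot: With "else if (svgDocumentValue->cachedSVGDocument())", a reference whose load was requested but produced no cached document now falls through with no data set, and "operations.operations().append(operation);" still appends it. Please confirm that consumers of the reference filter operation tolerate missing data, and add a short comment on the else-if saying the document can be null when the loader refuses the request, since that is not obvious from this function alone.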
......
......@@ -306,6 +306,11 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
return 0;
}
#if ENABLE(SVG) && !ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES)
if (type == CachedResource::SVGDocumentResource)
return false;
#endif
// Some types of resources can be loaded only from the same origin. Other
// types of resources, like Images, Scripts, and CSS, can be loaded from
// any URL.
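Review bot: The guard "#if ENABLE(SVG) && !ENABLE(BLOCK_SVG_EXTERNAL_REFERENCES)" tests a macro that no hunk in this commit defines; Platform.h defines ENABLE_EXTERNAL_SVG_REFERENCES instead. With BLOCK_SVG_EXTERNAL_REFERENCES undefined, the negated test is true on every port that enables SVG, so SVGDocumentResource requests are refused everywhere, not only on Chromium as the Platform.h change intends. The condition should probably be "#if ENABLE(SVG) && !ENABLE(EXTERNAL_SVG_REFERENCES)". A comment above the early return referencing webkit.org/b/100635 would also help, since the comment that follows describes same-origin rules and does not explain this block.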
......