Changeset 144549 in webkit

Timestamp:

Mar 2, 2013 5:45:58 PM (11 years ago)

Author:

abarth@webkit.org

Message:

XSSAuditor has a subtle race condition when used with the threaded HTML parser
​https://bugs.webkit.org/show_bug.cgi?id=111253

Reviewed by Eric Seidel.

We were refing and derefing a StringImpl for a main-thread
AtomicString. Using QualifiedNames on the background thread is very
fragile and we should figure out a more robust solution.

• html/parser/XSSAuditor.cpp:

(WebCore::findAttributeWithName):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/XSSAuditor.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-02  Adam Barth  <abarth@webkit.org>
+
+        XSSAuditor has a subtle race condition when used with the threaded HTML parser
+        https://bugs.webkit.org/show_bug.cgi?id=111253
+
+        Reviewed by Eric Seidel.
+
+        We were refing and derefing a StringImpl for a main-thread
+        AtomicString. Using QualifiedNames on the background thread is very
+        fragile and we should figure out a more robust solution.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::findAttributeWithName):
+
 2013-03-02  Benjamin Poulain  <bpoulain@apple.com>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -128 +128 @@
 static bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute)
 {
-    String attrName = name.localName().string();
-
-    if (name.namespaceURI() == XLinkNames::xlinkNamespaceURI)
-        attrName = "xlink:" + attrName;
+    // Notice that we're careful not to ref the StringImpl here because we might be on a background thread.
+    const String& attrName = name.namespaceURI() == XLinkNames::xlinkNamespaceURI ? "xlink:" + name.localName().string() : name.localName().string();
 
     for (size_t i = 0; i < token.attributes().size(); ++i) {