Context Navigation

← Previous Changeset
Next Changeset →

Changeset 163242 in webkit

Timestamp:

Feb 1, 2014 8:32:11 AM (10 years ago)

Author:

ddkilzer@apple.com

Message:

Add security-checked casts for all WebCore::CachedResource subclasses
<http://webkit.org/b/127988>

Reviewed by Darin Adler.

inspector/InspectorPageAgent.cpp:

(WebCore::InspectorPageAgent::cachedResourceContent):

inspector/InspectorResourceAgent.cpp:

(WebCore::InspectorResourceAgent::didLoadResourceFromMemoryCache):

Switch from static_cast<>() to security-checked cast.

loader/cache/CachedCSSStyleSheet.h:

(WebCore::toCachedCSSStyleSheet): Add.

loader/cache/CachedFont.h:

(WebCore::toCachedFont): Add.

loader/cache/CachedImage.h: Make CachedImageManual final.

loader/cache/CachedRawResource.cpp:

(WebCore::CachedRawResource::CachedRawResource): Add assert that
only MainResource or RawResource types are used to construct a
CachedRawResource. This may be a security issue depending on
what code exists that uses the type() value to cast to a
CachedResource subclass.
(WebCore::CachedRawResource::switchClientsToRevalidatedResource):
Switch from static_cast<>() to toCachedRawResource().

loader/cache/CachedRawResource.h:

(WebCore::toCachedRawResource): Add.

loader/cache/CachedResource.h:

(WebCore::CachedResource::isMainOrRawResource): Add. A
CachedRawResource could be either a MainResource or a
RawResource. Currently only used in assertions.

loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestFont):
(WebCore::CachedResourceLoader::requestTextTrack):
(WebCore::CachedResourceLoader::requestCSSStyleSheet):
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet):
(WebCore::CachedResourceLoader::requestScript):
(WebCore::CachedResourceLoader::requestXSLStyleSheet):
(WebCore::CachedResourceLoader::requestSVGDocument):
(WebCore::CachedResourceLoader::requestRawResource):
(WebCore::CachedResourceLoader::requestMainResource):

Switch from static_cast<>() to security-checked cast.

loader/cache/CachedSVGDocument.h:

(WebCore::toCachedSVGDocument): Add.

loader/cache/CachedScript.h:

(WebCore::toCachedScript): Add.

loader/cache/CachedTextTrack.h:

(WebCore::toCachedTextTrack): Add.

loader/cache/CachedXSLStyleSheet.h:

(WebCore::toCachedXSLStyleSheet): Add.

Location:

trunk/Source/WebCore

Files:

: 14 edited

ChangeLog (modified) (1 diff)
inspector/InspectorPageAgent.cpp (modified) (1 diff)
inspector/InspectorResourceAgent.cpp (modified) (1 diff)
loader/cache/CachedCSSStyleSheet.h (modified) (1 diff)
loader/cache/CachedFont.h (modified) (1 diff)
loader/cache/CachedImage.h (modified) (1 diff)
loader/cache/CachedRawResource.cpp (modified) (2 diffs)
loader/cache/CachedRawResource.h (modified) (1 diff)
loader/cache/CachedResource.h (modified) (1 diff)
loader/cache/CachedResourceLoader.cpp (modified) (8 diffs)
loader/cache/CachedSVGDocument.h (modified) (1 diff)
loader/cache/CachedScript.h (modified) (1 diff)
loader/cache/CachedTextTrack.h (modified) (1 diff)
loader/cache/CachedXSLStyleSheet.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r163240
+                      r163242
+-02-01  David Kilzer  <ddkilzer@apple.com>
+        Add security-checked casts for all WebCore::CachedResource subclasses
+        <http://webkit.org/b/127988>
+        Reviewed by Darin Adler.
+        * inspector/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::cachedResourceContent):
+        * inspector/InspectorResourceAgent.cpp:
+        (WebCore::InspectorResourceAgent::didLoadResourceFromMemoryCache):
+        - Switch from static_cast<>() to security-checked cast.
+        * loader/cache/CachedCSSStyleSheet.h:
+        (WebCore::toCachedCSSStyleSheet): Add.
+        * loader/cache/CachedFont.h:
+        (WebCore::toCachedFont): Add.
+        * loader/cache/CachedImage.h: Make CachedImageManual final.
+        * loader/cache/CachedRawResource.cpp:
+        (WebCore::CachedRawResource::CachedRawResource): Add assert that
+        only MainResource or RawResource types are used to construct a
+        CachedRawResource.  This may be a security issue depending on
+        what code exists that uses the type() value to cast to a
+        CachedResource subclass.
+        (WebCore::CachedRawResource::switchClientsToRevalidatedResource):
+        Switch from static_cast<>() to toCachedRawResource().
+        * loader/cache/CachedRawResource.h:
+        (WebCore::toCachedRawResource): Add.
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::isMainOrRawResource): Add.  A
+        CachedRawResource could be either a MainResource or a
+        RawResource.  Currently only used in assertions.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestFont):
+        (WebCore::CachedResourceLoader::requestTextTrack):
+        (WebCore::CachedResourceLoader::requestCSSStyleSheet):
+        (WebCore::CachedResourceLoader::requestUserCSSStyleSheet):
+        (WebCore::CachedResourceLoader::requestScript):
+        (WebCore::CachedResourceLoader::requestXSLStyleSheet):
+        (WebCore::CachedResourceLoader::requestSVGDocument):
+        (WebCore::CachedResourceLoader::requestRawResource):
+        (WebCore::CachedResourceLoader::requestMainResource):
+        - Switch from static_cast<>() to security-checked cast.
+        * loader/cache/CachedSVGDocument.h:
+        (WebCore::toCachedSVGDocument): Add.
+        * loader/cache/CachedScript.h:
+        (WebCore::toCachedScript): Add.
+        * loader/cache/CachedTextTrack.h:
+        (WebCore::toCachedTextTrack): Add.
+        * loader/cache/CachedXSLStyleSheet.h:
+        (WebCore::toCachedXSLStyleSheet): Add.
 -02-01  Xabier Rodriguez Calvar  <calvaris@igalia.com>

trunk/Source/WebCore/inspector/InspectorPageAgent.cpp

-                      r162692
+                      r163242
         switch (cachedResource->type()) {
         case CachedResource::CSSStyleSheet:
             *result = static_cast<CachedCSSStyleSheet*>(cachedResource)->sheetText(false);
+            *result = toCachedCSSStyleSheet(cachedResource)->sheetText(false);
             return true;
         case CachedResource::Script:
             *result = static_cast<CachedScript*>(cachedResource)->script();
+            *result = toCachedScript(cachedResource)->script();
             return true;
         case CachedResource::RawResource: {

trunk/Source/WebCore/inspector/InspectorResourceAgent.cpp

r163089	r163242
335	335	m_resourcesData->addCachedResource(requestId, resource);
336	336	if (resource->type() == CachedResource::RawResource) {
337		CachedRawResource* rawResource = ~~static_cast<CachedRawResource*>~~(resource);
	337	CachedRawResource* rawResource = toCachedRawResource(resource);
338	338	String rawRequestId = IdentifiersFactory::requestId(rawResource->identifier());
339	339	m_resourcesData->reuseXHRReplayData(requestId, rawRequestId);

trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.h

r162158	r163242
68	68	};
69	69
	70	CACHED_RESOURCE_TYPE_CASTS(CachedCSSStyleSheet, CachedResource, CachedResource::CSSStyleSheet)
	71
70	72	}
71	73

trunk/Source/WebCore/loader/cache/CachedFont.h

r162897	r163242
79	79	};
80	80
	81	CACHED_RESOURCE_TYPE_CASTS(CachedFont, CachedResource, CachedResource::FontResource)
	82
81	83	} // namespace WebCore
82	84

trunk/Source/WebCore/loader/cache/CachedImage.h

r163148	r163242
150	150	// into CachedImage or find a better place for this class.
151	151	// FIXME: Remove the USE(CF) once we make MemoryCache::addImageToCache() platform-independent.
152		class CachedImageManual : public CachedImage {
	152	class CachedImageManual final : public CachedImage {
153	153	public:
154	154	CachedImageManual(const URL&, Image*);

trunk/Source/WebCore/loader/cache/CachedRawResource.cpp

r163089	r163242
40	40	, m_identifier(0)
41	41	{
	42	// FIXME: The wrong CachedResource::Type here may cause a bad cast elsewhere.
	43	ASSERT(isMainOrRawResource());
42	44	}
43	45
…	…
182	184	// If we're in the middle of a successful revalidation, responseReceived() hasn't been called, so we haven't set m_identifier.
183	185	ASSERT(!m_identifier);
184		~~static_cast<CachedRawResource*>~~(resourceToRevalidate())->m_identifier = m_loader->identifier();
	186	toCachedRawResource(resourceToRevalidate())->m_identifier = m_loader->identifier();
185	187	CachedResource::switchClientsToRevalidatedResource();
186	188	}

trunk/Source/WebCore/loader/cache/CachedRawResource.h

r162158	r163242
89	89	};
90	90
	91	TYPE_CASTS_BASE(CachedRawResource, CachedResource, resource, resource->isMainOrRawResource(), resource.isMainOrRawResource())
	92
91	93	}
92	94

trunk/Source/WebCore/loader/cache/CachedResource.h

r163148	r163242
157	157
158	158	bool isImage() const { return type() == ImageResource; }
	159	// FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
	160	bool isMainOrRawResource() const { return type() == MainResource \|\| type() == RawResource; }
159	161	bool ignoreForRequestCount() const
160	162	{

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

r163148	r163242
166	166	CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourceRequest& request)
167	167	{
168		return ~~static_cast<CachedFont*>~~(requestResource(CachedResource::FontResource, request).get());
	168	return toCachedFont(requestResource(CachedResource::FontResource, request).get());
169	169	}
170	170
…	…
172	172	CachedResourceHandle<CachedTextTrack> CachedResourceLoader::requestTextTrack(CachedResourceRequest& request)
173	173	{
174		return ~~static_cast<CachedTextTrack*>~~(requestResource(CachedResource::TextTrackResource, request).get());
	174	return toCachedTextTrack(requestResource(CachedResource::TextTrackResource, request).get());
175	175	}
176	176	#endif
…	…
178	178	CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestCSSStyleSheet(CachedResourceRequest& request)
179	179	{
180		return ~~static_cast<CachedCSSStyleSheet*>~~(requestResource(CachedResource::CSSStyleSheet, request).get());
	180	return toCachedCSSStyleSheet(requestResource(CachedResource::CSSStyleSheet, request).get());
181	181	}
182	182
…	…
191	191	if (CachedResource* existing = memoryCache()->resourceForRequest(request.resourceRequest())) {
192	192	if (existing->type() == CachedResource::CSSStyleSheet)
193		return ~~static_cast<CachedCSSStyleSheet*>~~(existing);
	193	return toCachedCSSStyleSheet(existing);
194	194	memoryCache()->remove(existing);
195	195	}
…	…
209	209	CachedResourceHandle<CachedScript> CachedResourceLoader::requestScript(CachedResourceRequest& request)
210	210	{
211		return ~~static_cast<CachedScript*>~~(requestResource(CachedResource::Script, request).get());
	211	return toCachedScript(requestResource(CachedResource::Script, request).get());
212	212	}
213	213
…	…
215	215	CachedResourceHandle<CachedXSLStyleSheet> CachedResourceLoader::requestXSLStyleSheet(CachedResourceRequest& request)
216	216	{
217		return ~~static_cast<CachedXSLStyleSheet*>~~(requestResource(CachedResource::XSLStyleSheet, request).get());
	217	return toCachedXSLStyleSheet(requestResource(CachedResource::XSLStyleSheet, request).get());
218	218	}
219	219	#endif
…	…
222	222	CachedResourceHandle<CachedSVGDocument> CachedResourceLoader::requestSVGDocument(CachedResourceRequest& request)
223	223	{
224		return ~~static_cast<CachedSVGDocument*>~~(requestResource(CachedResource::SVGDocumentResource, request).get());
	224	return toCachedSVGDocument(requestResource(CachedResource::SVGDocumentResource, request).get());
225	225	}
226	226	#endif
…	…
237	237	CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestRawResource(CachedResourceRequest& request)
238	238	{
239		return ~~static_cast<CachedRawResource*>~~(requestResource(CachedResource::RawResource, request).get());
	239	return toCachedRawResource(requestResource(CachedResource::RawResource, request).get());
240	240	}
241	241
242	242	CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestMainResource(CachedResourceRequest& request)
243	243	{
244		return ~~static_cast<CachedRawResource*>~~(requestResource(CachedResource::MainResource, request).get());
	244	return toCachedRawResource(requestResource(CachedResource::MainResource, request).get());
245	245	}
246	246

trunk/Source/WebCore/loader/cache/CachedSVGDocument.h

r162158	r163242
50	50	};
51	51
	52	CACHED_RESOURCE_TYPE_CASTS(CachedSVGDocument, CachedResource, CachedResource::SVGDocumentResource)
	53
52	54	} // namespace WebCore
53	55

trunk/Source/WebCore/loader/cache/CachedScript.h

-                      r162158
+                      r163242
         RefPtr<TextResourceDecoder> m_decoder;
     };
+CACHED_RESOURCE_TYPE_CASTS(CachedScript, CachedResource, CachedResource::Script)
+}

trunk/Source/WebCore/loader/cache/CachedTextTrack.h

r162158	r163242
45	45	};
46	46
	47	CACHED_RESOURCE_TYPE_CASTS(CachedTextTrack, CachedResource, CachedResource::TextTrackResource)
	48
47	49	}
48	50

trunk/Source/WebCore/loader/cache/CachedXSLStyleSheet.h

r162158	r163242
58	58	};
59	59
	60	CACHED_RESOURCE_TYPE_CASTS(CachedXSLStyleSheet, CachedResource, CachedResource::XSLStyleSheet)
	61
60	62	#endif
61	63

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 163242 in webkit

Legend:

Download in other formats: