Skip to content
Permalink
Browse files
2011-02-20 Anders Carlsson <andersca@apple.com>
        Reviewed by Maciej Stachowiak.

        Crash when a plug-in requests a javascript: url that destroys the plug-in
        https://bugs.webkit.org/show_bug.cgi?id=54837
        <rdar://problem/9005475>

        Add new plug-in test.

        * DumpRenderTree/DumpRenderTree.gypi:
        * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
        * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
        (PluginTest::NPN_GetURL):
        * DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
        * DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp: Added.
        (GetURLWithJavaScriptURLDestroyingPlugin::GetURLWithJavaScriptURLDestroyingPlugin):
        (GetURLWithJavaScriptURLDestroyingPlugin::NPP_New):
        * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
        * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
2011-02-20  Anders Carlsson  <andersca@apple.com>

        Reviewed by Maciej Stachowiak.

        Crash when a plug-in requests a javascript: url that destroys the plug-in
        https://bugs.webkit.org/show_bug.cgi?id=54837
        <rdar://problem/9005475>

        Add test.

        * plugins/get-url-with-javascript-destroying-plugin-expected.txt: Added.
        * plugins/get-url-with-javascript-destroying-plugin.html: Added.
2011-02-20  Anders Carlsson  <andersca@apple.com>

        Reviewed by Maciej Stachowiak.

        Crash when a plug-in requests a javascript: url that destroys the plug-in
        https://bugs.webkit.org/show_bug.cgi?id=54837
        <rdar://problem/9005475>

        * WebProcess/Plugins/PluginProxy.cpp:
        (WebKit::PluginProxy::destroy):
        Null out m_pluginController.

        * WebProcess/Plugins/PluginView.cpp:
        (WebKit::PluginView::performJavaScriptURLRequest):
        Don't access the frame through m_pluginElement since it will be nulled out
        when the plug-in is destroyed.


Canonical link: https://commits.webkit.org/69090@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@79157 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
Anders Carlsson committed Feb 21, 2011
1 parent 4324301 commit 1469e4976b922e2b7a591d9b9da74ceb1e148a76
@@ -1,3 +1,16 @@
2011-02-20 Anders Carlsson <andersca@apple.com>

Reviewed by Maciej Stachowiak.

Crash when a plug-in requests a javascript: url that destroys the plug-in
https://bugs.webkit.org/show_bug.cgi?id=54837
<rdar://problem/9005475>

Add test.

* plugins/get-url-with-javascript-destroying-plugin-expected.txt: Added.
* plugins/get-url-with-javascript-destroying-plugin.html: Added.

2011-02-20 Dirk Schulze <krit@webkit.org>

Reviewed by Nikolas Zimmermann.
@@ -0,0 +1,3 @@
This tests that evaluating JS that calls NPN_GetURL to evaluate a javascript: URL that destroys the plug-in doesn't crash.

SUCCESS
@@ -0,0 +1,19 @@
<script>
function removePlugin() {
var plugin = document.getElementById('plugin');
plugin.parentNode.removeChild(plugin);

document.getElementById('console').innerText = 'SUCCESS';
if (window.layoutTestController)
layoutTestController.notifyDone();
}

if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
</script>
<body>
<embed id="plugin" type="application/x-webkit-test-netscape" test="get-url-with-javascript-url-destroying-plugin" width=100 height=100></embed>
<p id="description">This tests that evaluating JS that calls NPN_GetURL to evaluate a javascript: URL that destroys the plug-in doesn't crash.</p>
<div id="console">FAILURE</div>
@@ -1,3 +1,20 @@
2011-02-20 Anders Carlsson <andersca@apple.com>

Reviewed by Maciej Stachowiak.

Crash when a plug-in requests a javascript: url that destroys the plug-in
https://bugs.webkit.org/show_bug.cgi?id=54837
<rdar://problem/9005475>

* WebProcess/Plugins/PluginProxy.cpp:
(WebKit::PluginProxy::destroy):
Null out m_pluginController.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::performJavaScriptURLRequest):
Don't access the frame through m_pluginElement since it will be nulled out
when the plug-in is destroyed.

2011-02-20 Anders Carlsson <andersca@apple.com>

Reviewed by Sam Weinig.
@@ -117,6 +117,8 @@ void PluginProxy::destroy()
m_connection->connection()->sendSync(Messages::WebProcessConnection::DestroyPlugin(m_pluginInstanceID), Messages::WebProcessConnection::DestroyPlugin::Reply(), 0);

m_isStarted = false;
m_pluginController = 0;

m_connection->removePluginProxy(this);
}

@@ -738,15 +738,15 @@ void PluginView::performJavaScriptURLRequest(URLRequest* request)
bool oldAllowPopups = frame->script()->allowPopupsFromPlugin();
frame->script()->setAllowPopupsFromPlugin(request->allowPopups());

ScriptValue result = m_pluginElement->document()->frame()->script()->executeScript(jsString);
ScriptValue result = frame->script()->executeScript(jsString);

frame->script()->setAllowPopupsFromPlugin(oldAllowPopups);

// Check if evaluating the JavaScript destroyed the plug-in.
if (!plugin->controller())
return;

ScriptState* scriptState = m_pluginElement->document()->frame()->script()->globalObject(pluginWorld())->globalExec();
ScriptState* scriptState = frame->script()->globalObject(pluginWorld())->globalExec();
String resultString;
result.getString(scriptState, resultString);

@@ -1,3 +1,24 @@
2011-02-20 Anders Carlsson <andersca@apple.com>

Reviewed by Maciej Stachowiak.

Crash when a plug-in requests a javascript: url that destroys the plug-in
https://bugs.webkit.org/show_bug.cgi?id=54837
<rdar://problem/9005475>

Add new plug-in test.

* DumpRenderTree/DumpRenderTree.gypi:
* DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
* DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
(PluginTest::NPN_GetURL):
* DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
* DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp: Added.
(GetURLWithJavaScriptURLDestroyingPlugin::GetURLWithJavaScriptURLDestroyingPlugin):
(GetURLWithJavaScriptURLDestroyingPlugin::NPP_New):
* DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
* DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:

2011-02-19 Patrick Gansterer <paroga@webkit.org>

Reviewed by Andreas Kling.
@@ -54,6 +54,7 @@
'TestNetscapePlugIn/TestObject.h',
'TestNetscapePlugIn/Tests/DocumentOpenInDestroyStream.cpp',
'TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp',
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp',
'TestNetscapePlugIn/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp',
@@ -36,6 +36,7 @@
1A215A8211F2609C008AD0F5 /* PluginTest.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A215A8011F2609C008AD0F5 /* PluginTest.h */; };
1A215BE711F27658008AD0F5 /* DocumentOpenInDestroyStream.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A215A7511F26072008AD0F5 /* DocumentOpenInDestroyStream.cpp */; };
1A24BAA9120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */; };
1A3E28AA1311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */; };
1A8F02E80BB9B4EC008CFA34 /* TestObject.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A8F024C0BB9B056008CFA34 /* TestObject.h */; };
1AC6C8490D07638600CD3161 /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AC6C77F0D07589B00CD3161 /* main.cpp */; };
1AC6C84A0D07638600CD3161 /* PluginObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AC6C7800D07589B00CD3161 /* PluginObject.cpp */; };
@@ -205,6 +206,7 @@
1A215A7F11F2609C008AD0F5 /* PluginTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginTest.cpp; sourceTree = "<group>"; };
1A215A8011F2609C008AD0F5 /* PluginTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PluginTest.h; sourceTree = "<group>"; };
1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPRuntimeObjectFromDestroyedPlugin.cpp; sourceTree = "<group>"; };
1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetURLWithJavaScriptURLDestroyingPlugin.cpp; sourceTree = "<group>"; };
1A8F024C0BB9B056008CFA34 /* TestObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TestObject.h; sourceTree = "<group>"; };
1AC6C77F0D07589B00CD3161 /* main.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = main.cpp; sourceTree = "<group>"; };
1AC6C7800D07589B00CD3161 /* PluginObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginObject.cpp; sourceTree = "<group>"; };
@@ -467,6 +469,7 @@
children = (
1A215A7511F26072008AD0F5 /* DocumentOpenInDestroyStream.cpp */,
C0E720741281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp */,
1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */,
1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */,
1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
@@ -759,6 +762,7 @@
C0EC3C9C12787F0500939164 /* NullNPPGetValuePointer.cpp in Sources */,
C0E720751281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp in Sources */,
1AD4CB2212A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp in Sources */,
1A3E28AA1311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
@@ -84,6 +84,11 @@ void PluginTest::NPN_InvalidateRect(NPRect* invalidRect)
browser->invalidaterect(m_npp, invalidRect);
}

NPError PluginTest::NPN_GetURL(const char* url, const char* target)
{
return browser->geturl(m_npp, url, target);
}

NPIdentifier PluginTest::NPN_GetStringIdentifier(const NPUTF8 *name)
{
return browser->getstringidentifier(name);
@@ -62,6 +62,8 @@ class PluginTest {
virtual NPError NPP_SetWindow(NPP, NPWindow*);

// NPN functions.
NPError NPN_GetURL(const char* url, const char* target);

void NPN_InvalidateRect(NPRect* invalidRect);
NPIdentifier NPN_GetStringIdentifier(const NPUTF8* name);
NPIdentifier NPN_GetIntIdentifier(int32_t intid);
@@ -0,0 +1,48 @@
/*
* Copyright (C) 2011 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/

#include "PluginTest.h"

using namespace std;

// From NPP_New, call NPN_GetURL to evaluate JavaScript that destroys the plug-in.

class GetURLWithJavaScriptURLDestroyingPlugin : public PluginTest {
public:
GetURLWithJavaScriptURLDestroyingPlugin(NPP npp, const string& identifier)
: PluginTest(npp, identifier)
{
}

private:

virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char *argn[], char *argv[], NPSavedData *saved)
{
NPN_GetURL("javascript:removePlugin()", 0);
return NPERR_NO_ERROR;
}
};

static PluginTest::Register<GetURLWithJavaScriptURLDestroyingPlugin> getURLWithJavaScriptURLDestroyingPlugin("get-url-with-javascript-url-destroying-plugin");
@@ -401,6 +401,10 @@
RelativePath="..\Tests\GetUserAgentWithNullNPPFromNPPNew.cpp"
>
</File>
<File
RelativePath="..\Tests\GetURLWithJavaScriptURLDestroyingPlugin.cpp"
>
</File>
<File
RelativePath="..\Tests\NPRuntimeObjectFromDestroyedPlugin.cpp"
>
@@ -30,6 +30,7 @@ SOURCES = PluginObject.cpp \
TestObject.cpp \
Tests/DocumentOpenInDestroyStream.cpp \
Tests/EvaluateJSAfterRemovingPluginElement.cpp \
Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp \
Tests/GetUserAgentWithNullNPPFromNPPNew.cpp \
Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
Tests/NPRuntimeRemoveProperty.cpp \

0 comments on commit 1469e49

Please sign in to comment.