diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y 2010-02-25 17:07:29.114742034 +0100
@@ -416,7 +416,9 @@ valid_rule:
;
rule:
- valid_rule
+ valid_rule {
+ static_cast<CSSParser*>(parser)->m_hadSyntacticallyValidCSSRule = true;
+ }
| invalid_rule
| invalid_at
| invalid_import
@@ -1517,8 +1519,12 @@ invalid_rule:
;
invalid_block:
- '{' error invalid_block_list error closing_brace
- | '{' error closing_brace
+ '{' error invalid_block_list error closing_brace {
+ static_cast<CSSParser*>(parser)->invalidBlockHit();
+ }
+ | '{' error closing_brace {
+ static_cast<CSSParser*>(parser)->invalidBlockHit();
+ }
;
invalid_block_list:
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-02-25 17:13:34.292803953 +0100
@@ -25,6 +25,7 @@
#include "CachedCSSStyleSheet.h"
#include "DocLoader.h"
#include "Document.h"
+#include "SecurityOrigin.h"
#include "MediaList.h"
#include "Settings.h"
#include <wtf/StdLibExtras.h>
@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con
m_styleSheet->setParent(0);
m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ bool crossOriginCSS = false;
+ bool validMIMEType = false;
CSSStyleSheet* parent = parentStyleSheet();
bool strict = !parent || parent->useStrictParsing();
- String sheetText = sheet->sheetText(strict);
+ bool enforceMIMEType = strict;
+
+ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
m_styleSheet->parseString(sheetText, strict);
+ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ crossOriginCSS = true;
+
+ if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
+ m_styleSheet = CSSStyleSheet::create(this, url, charset);
+
if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-25 17:07:29.101741771 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-25 17:07:29.117741744 +0100
@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing)
, m_currentShorthand(0)
, m_implicitShorthand(false)
, m_hasFontFaceOnlyValues(false)
+ , m_hadSyntacticallyValidCSSRule(false)
, m_defaultNamespace(starAtom)
, m_data(0)
, yy_start(1)
@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create
return keyframePtr;
}
+void CSSParser::invalidBlockHit()
+{
+ if (m_styleSheet && !m_hadSyntacticallyValidCSSRule)
+ m_styleSheet->setHasSyntacticallyValidCSSHeader(false);
+}
+
static int cssPropertyID(const UChar* propertyName, unsigned length)
{
if (!length)
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h 2010-02-25 17:07:29.117741744 +0100
@@ -191,6 +191,7 @@ namespace WebCore {
bool addVariableDeclarationBlock(const CSSParserString&);
bool checkForVariables(CSSParserValueList*);
void addUnresolvedProperty(int propId, bool important);
+ void invalidBlockHit();
Vector<CSSSelector*>* reusableSelectorVector() { return &m_reusableSelectorVector; }
@@ -212,6 +213,7 @@ namespace WebCore {
bool m_implicitShorthand;
bool m_hasFontFaceOnlyValues;
+ bool m_hadSyntacticallyValidCSSRule;
Vector<String> m_variableNames;
Vector<RefPtr<CSSValue> > m_variableValues;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-02-25 17:07:29.118741824 +0100
@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
, m_loadCompleted(false)
, m_strictParsing(!parentSheet || parentSheet->useStrictParsing())
, m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false)
+ , m_hasSyntacticallyValidCSSHeader(true)
{
}
@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
, m_loadCompleted(false)
, m_strictParsing(false)
, m_isUserStyleSheet(false)
+ , m_hasSyntacticallyValidCSSHeader(true)
{
}
@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow
, m_charset(charset)
, m_loadCompleted(false)
, m_strictParsing(!ownerRule || ownerRule->useStrictParsing())
+ , m_hasSyntacticallyValidCSSHeader(true)
{
CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0;
m_doc = parentSheet ? parentSheet->doc() : 0;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-02-25 17:07:29.118741824 +0100
@@ -95,6 +95,8 @@ public:
void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; }
bool isUserStyleSheet() const { return m_isUserStyleSheet; }
+ void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; }
+ bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
private:
CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
@@ -110,6 +112,7 @@ private:
bool m_loadCompleted : 1;
bool m_strictParsing : 1;
bool m_isUserStyleSheet : 1;
+ bool m_hasSyntacticallyValidCSSHeader : 1;
};
} // namespace
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-02-25 17:07:29.118741824 +0100
@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS
#endif
RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
m_sheet = newSheet;
- parseStyleSheet(sheet->sheetText());
+ // We don't need the cross-origin security check here because we are
+ // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
+ // type.
+ parseStyleSheet(sheet->sheetText(true));
newSheet->setTitle(m_title);
newSheet->setMedia(MediaList::create(newSheet.get(), m_media));
newSheet->setDisabled(m_alternate);
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-02-25 17:07:29.119741915 +0100
@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c
bool strictParsing = !document()->inCompatMode();
bool enforceMIMEType = strictParsing;
+ bool crossOriginCSS = false;
+ bool validMIMEType = false;
// Check to see if we should enforce the MIME type of the CSS resource in strict mode.
// Running in iWeb 2 is one example of where we don't want to - <rdar://problem/6099748>
if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode())
enforceMIMEType = false;
- String sheetText = sheet->sheetText(enforceMIMEType);
+ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
m_sheet->parseString(sheetText, strictParsing);
+ // If we're loading a stylesheet cross-origin, and the MIME type is not
+ // standard, require the CSS to at least start with a syntactically
+ // valid CSS rule.
+ // This prevents an attacker playing games by injecting CSS strings into
+ // HTML, XML, JSON, etc. etc.
+ if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ crossOriginCSS = true;
+
+ if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
+ m_sheet = CSSStyleSheet::create(this, url, charset);
+
if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-02-25 17:07:29.119741915 +0100
@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c
return m_decoder->encoding().name();
}
-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const
+const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const
{
ASSERT(!isPurgeable());
- if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType))
+ if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType))
return String();
if (!m_decodedSheetText.isNull())
@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error()
checkNotify();
}
-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const
+bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const
{
if (errorOccurred())
return false;
- if (!enforceMIMEType)
+ if (!enforceMIMEType && !hasValidMIMEType)
return true;
// This check exactly matches Firefox. Note that we grab the Content-Type
@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo
// This code defaults to allowing the stylesheet for non-HTTP protocols so
// folks can use standards mode for local HTML documents.
String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type"));
- return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
+ bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
+ if (hasValidMIMEType)
+ *hasValidMIMEType = typeOK;
+ if (!enforceMIMEType)
+ return true;
+ return typeOK;
}
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h 2010-02-25 17:07:29.120741848 +0100
@@ -40,7 +40,7 @@ namespace WebCore {
CachedCSSStyleSheet(const String& URL, const String& charset);
virtual ~CachedCSSStyleSheet();
- const String sheetText(bool enforceMIMEType = true) const;
+ const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const;
virtual void didAddClient(CachedResourceClient*);
@@ -56,7 +56,7 @@ namespace WebCore {
void checkNotify();
private:
- bool canUseSheet(bool enforceMIMEType) const;
+ bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const;
protected:
RefPtr<TextResourceDecoder> m_decoder;