WebCore should not send invalid URLs to client createWindow methods.
author ap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jan 2012 23:22:46 +0000 (23:22 +0000)
committer ap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jan 2012 23:22:46 +0000 (23:22 +0000)
        https://bugs.webkit.org/show_bug.cgi?id=39017

        Reviewed by Sam Weinig.

        Test: fast/dom/window/open-invalid-url.html

        * page/DOMWindow.cpp: (WebCore::DOMWindow::createWindow): Bail out early for invalid URLs.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105548 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/Window/open-invalid-url-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Window/open-invalid-url.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMWindow.cpp

index f5cb944..b4101b7 100644 (file)
@@ -1,3 +1,13 @@
+2012-01-20  Alexey Proskuryakov  <ap@apple.com>
+
+        WebCore should not send invalid URLs to client createWindow methods.
+        https://bugs.webkit.org/show_bug.cgi?id=39017
+
+        Reviewed by Sam Weinig.
+
+        * fast/dom/window/open-invalid-url-expected.txt: Added.
+        * fast/dom/window/open-invalid-url.html: Added.
+
 2012-01-20  Julien Chaffraix  <jchaffraix@webkit.org>
 
         Crash in RenderTable::borderBefore
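Review bot: The two "Added." paths in this entry are spelled fast/dom/window/ with a lowercase "window", but the files this commit creates are under LayoutTests/fast/dom/Window/ (capital W in the diff headers). On a case-sensitive checkout the ChangeLog paths do not resolve to anything, so they should read fast/dom/Window/open-invalid-url-expected.txt and fast/dom/Window/open-invalid-url.html.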
diff --git a/LayoutTests/fast/dom/Window/open-invalid-url-expected.txt b/LayoutTests/fast/dom/Window/open-invalid-url-expected.txt
new file mode 100644 (file)
index 0000000..22762a0
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Unable to open a window with invalid URL '/'.
+
+ALERT: PASS
+
diff --git a/LayoutTests/fast/dom/Window/open-invalid-url.html b/LayoutTests/fast/dom/Window/open-invalid-url.html
new file mode 100644 (file)
index 0000000..c29d5c4
--- /dev/null
@@ -0,0 +1,19 @@
+<html>
+<head>
+</head>
+<body>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+}
+
+var a = window.open("about:blank","moonshine")
+function mountainGoat() {
+        a.window.eval('setTimeout("alert(window.open(\'/\') ? \'FAIL\' : \'PASS\'); if (window.layoutTestController) layoutTestController.notifyDone()", 0)')
+}
+setTimeout("mountainGoat()", 0)
+</script>
+</body>
+</html>
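Review bot: The test carries no description of what it checks, and its only case is window.open('/') evaluated inside an about:blank window. Add a line of body text stating the expected result and the bug URL, and give mountainGoat and "moonshine" names that say what they are for. Two robustness points: if the first window.open("about:blank", "moonshine") returns null, a.window.eval throws and the test ends by timeout with neither PASS nor FAIL, so check a before using it; and the opened window is never closed. Since createWindow special-cases an empty urlString, a second case asserting that window.open with an empty or omitted URL still succeeds would protect that path against the new validity check.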
index 65a091a..0dba3cd 100755 (executable)
@@ -1,3 +1,14 @@
+2012-01-20  Alexey Proskuryakov  <ap@apple.com>
+
+        WebCore should not send invalid URLs to client createWindow methods.
+        https://bugs.webkit.org/show_bug.cgi?id=39017
+
+        Reviewed by Sam Weinig.
+
+        Test: fast/dom/window/open-invalid-url.html
+
+        * page/DOMWindow.cpp: (WebCore::DOMWindow::createWindow): Bail out early for invalid URLs.
+
 2012-01-20  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
 
         Remove unused variable in RenderReplaced after r105513
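Review bot: The DOMWindow.cpp line says only "Bail out early for invalid URLs" and leaves out the script-visible effect, which is that createWindow now returns 0 and prints "Unable to open a window with invalid URL" to the console. State that in the entry so someone reading the ChangeLog knows window.open can now fail for this reason. The "Test:" path also uses lowercase fast/dom/window/ while the test is added under fast/dom/Window/.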
index 5d3fd13..a6a64c8 100644 (file)
@@ -1773,6 +1773,12 @@ Frame* DOMWindow::createWindow(const String& urlString, const AtomicString& fram
     String referrer = firstFrame->loader()->outgoingReferrer();
 
     KURL completedURL = urlString.isEmpty() ? KURL(ParsedURLString, emptyString()) : firstFrame->document()->completeURL(urlString);
+    if (!completedURL.isValid()) {
+        // Don't expose client code to invalid URLs.
+        activeWindow->printErrorMessage("Unable to open a window with invalid URL '" + completedURL.string() + "'.\n");
+        return 0;
+    }
+
     ResourceRequest request(completedURL, referrer);
     FrameLoader::addHTTPOriginIfNeeded(request, firstFrame->loader()->outgoingOrigin());
     FrameLoadRequest frameRequest(activeWindow->securityOrigin(), request, frameName);
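Review bot: The new !completedURL.isValid() check also catches the empty-URL case set up on the line just above it. For an empty urlString that line deliberately builds KURL(ParsedURLString, emptyString()), and an empty KURL does not report isValid(), so window.open() with an empty or omitted URL would now log the error and return 0 instead of opening a blank window. Guard the bail-out so the empty case passes through, for example if (!completedURL.isEmpty() && !completedURL.isValid()), and cover it in the layout test. A smaller point: the message prints completedURL.string(), the resolved form, not the urlString the script passed, so the page author may not recognise the value in the console; consider logging urlString or both.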