!frame || BindingSecurity::shouldAllowAccessToFrame( toDOMWindow(function->Creat
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6654154803249152
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !frame || BindingSecurity::shouldAllowAccessToFrame( toDOMWindow(function->Creat
  blink::V8ScriptRunner::callFunction
  blink::V8EventListener::callListenerFunction
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=451616:451629
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96tdToFiVmGaDyb51pjZJALysqkWq-h1BAgfexTwpg_ZuRu9l2QbJ8lLedZEdkDnTYnw1wLLRSdRqKCmLvvkBWVFFQENmJv5PQVG7bF2cjmJCF-HgpUb0JSeYOZkuUmmlYmE5iauc4kBL8bRIRUtJhe6fjo9mbQfkw4098Xrg5neDRIcWavqHZnLh2jhURIB4-xfHC2x0qBp3BpiZqIK6g3M9eP0__XP0JRPUY5tN_tOTMuxrCtG24R9bN8nKxgFqZtEN4PqTEZGJ10eJDPEF47BfcajlYiwK4UWaHv2Ue5cVSQZ_pLAdRFxO8h0FUkMTlrR1TF07pOPylb4q-EM_jTRepYTjOGzqZD_adeTt1Uv8WMm4o?testcase_id=6654154803249152

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 6 2017
Any idea who owns the XML tree viewer? In https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/xml/parser/XMLDocumentParser.cpp?rcl=f193ee6d21e6548ed425746ec80fb71faa7998a5&l=1549 we turn an XML document without a stylesheet into viewer mode, but don't clear script references to it. Setting viewer mode makes the security origin "opaque", i.e., it should not be accessible to other origins anymore. The clusterfuzz issue demonstrates that this is not the case.
Mar 6 2017
I don't think anyone is currently working on XML tree viewer. adithyas@: Would you mind taking a look at this?
Mar 6 2017
I think there are two possible solutions:
- if the XML tree viewer indeed modifies the DOM, we'll need to scrape the document (as if it was a navigation) to make sure all ties are cut
- if the XML tree viewer is a pure UI thing, and the parsed XML tree is supposed to be still accessible by outside script, we'll have to ensure that the security origin isn't replaced with an opaque one
Mar 6 2017
> - if the XML tree viewer is a pure UI thing, and the parsed XML tree is supposed to be still accessible by outside script, we'll have to ensure that the security origin isn't replaced with an opaque one

I think this makes more sense. dcheng@: Any thoughts on this?
Mar 8 2017
Wow... it seems kind of insane that we just switch over to view-source mode if we don't see any XSLT, etc. https://chromium.googlesource.com/chromium/src/+/c92a57f13f7b09b68e5c0534129f23eba148ac5c is the commit that put view-source documents in an opaque origin. I guess we could skip the opaque origin if scripts aren't disabled...?
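To make the origin problem discussed in the comments above concrete, here is an added illustration (not Chromium's code and not the commit's): a minimal model of a document's security origin and of the access check behind the failing CHECK. The pre-fix variant replaces the origin with an opaque one when the parser enters viewer mode; the post-fix variant only sets the flag. The origins and host names are constructed for the example.

```javascript
// Added model, not Blink's implementation: tuple vs. opaque security origins
// and the frame-access check that the CHECK in this bug guards.
class SecurityOrigin {
  constructor(scheme, host, port, opaque = false) {
    this.scheme = scheme; this.host = host; this.port = port; this.opaque = opaque;
  }
  // Tuple origin for a URL; every frame owns its own object, so comparison is by value.
  static tuple(scheme, host, port) { return new SecurityOrigin(scheme, host, port); }
  // Opaque ("unique") origin: same-origin with nothing except itself.
  static opaque() { return new SecurityOrigin(null, null, null, true); }
  canAccess(other) {
    if (this.opaque || other.opaque) return this === other;
    return this.scheme === other.scheme && this.host === other.host && this.port === other.port;
  }
}

// A document the XML parser may switch into tree-viewer (view-source) mode.
class XMLDocument {
  constructor(origin) { this.origin = origin; this.viewSourceMode = false; }
}

// Before the fix: entering viewer mode also swapped in a fresh opaque origin,
// although script outside the document still held references to it.
function enterViewerModeBeforeFix(doc) {
  doc.viewSourceMode = true;
  doc.origin = SecurityOrigin.opaque();
}

// After the fix (commit 3de53e5): only the view-source flag changes.
function enterViewerModeAfterFix(doc) {
  doc.viewSourceMode = true;
}

// Models the check behind "!frame || shouldAllowAccessToFrame(...)": may a
// function created in callerOrigin touch the frame that holds doc?
function shouldAllowAccessToFrame(callerOrigin, doc) {
  return callerOrigin.canAccess(doc.origin);
}

// Scenario: a page embeds a same-origin XML file (no stylesheet) in a frame and
// keeps a script reference to that document. Returns whether the page may still use it.
function sameOriginPageKeepsAccess(enterViewerMode) {
  const page = SecurityOrigin.tuple('https', 'example.test', 443);   // constructed
  const frame = SecurityOrigin.tuple('https', 'example.test', 443);  // own object, same tuple
  const doc = new XMLDocument(frame);
  enterViewerMode(doc);
  return shouldAllowAccessToFrame(page, doc);
}

// A document from another site must stay inaccessible in both variants.
function otherSitePageGetsAccess(enterViewerMode) {
  const otherSite = SecurityOrigin.tuple('https', 'other.test', 443);  // constructed
  const doc = new XMLDocument(SecurityOrigin.tuple('https', 'example.test', 443));
  enterViewerMode(doc);
  return shouldAllowAccessToFrame(otherSite, doc);
}
```

With the pre-fix switch the document's origin no longer matches the script that legitimately created it, which is the inconsistent state the debug CHECK reports; after the fix the same-origin page keeps access and a different site is still refused.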
Mar 13 2017
Is anyone still able to access the clusterfuzz test case? I keep getting a "file does not exist".
Mar 14 2017
It works for me - can you ping aarya@ and ask for help?
Mar 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3de53e557c2b84aed1cb4ba9ed1133ac361da46c

commit 3de53e557c2b84aed1cb4ba9ed1133ac361da46c
Author: adithyas <adithyas@chromium.org>
Date: Wed Mar 15 19:36:10 2017

Set view source without creating a unique origin in XMLDocumentParser

BUG= 697830
Review-Url: https://codereview.chromium.org/2744413002
Cr-Commit-Position: refs/heads/master@{#457168}

[add] https://crrev.com/3de53e557c2b84aed1cb4ba9ed1133ac361da46c/third_party/WebKit/LayoutTests/http/tests/xmlviewer/no-unique-origin.html
[modify] https://crrev.com/3de53e557c2b84aed1cb4ba9ed1133ac361da46c/third_party/WebKit/Source/core/dom/Document.cpp
Mar 18 2017
ClusterFuzz has detected this issue as fixed in range 456626:457730.

Detailed report: https://clusterfuzz.com/testcase?key=6654154803249152
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !frame || BindingSecurity::shouldAllowAccessToFrame( toDOMWindow(function->Creat
  blink::V8ScriptRunner::callFunction
  blink::V8EventListener::callListenerFunction
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=451616:451629
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=456626:457730
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv978sk_EpkKqIH8f_OS83lUEDBOQyFpEYHPUUKV7WAQi84QQubtg6qM5oa9sOhtcSlb8yUOcSkVXoCnKyBI3Einx2r-yu0iyQEPL0Do9DBtIBW91vtZsSlzOnjMlQdw-IgQROe6AzDb05PFCJjOQTplQjvCk0FFMoSrTLQ9gTC7GatqkvatxMvcc200xUiY9bKI-t3hdAz-zNUwSmlYLorzNMx1Vva7Rjus6AoaDUFlvWzFbkY7ehzz9kxtzrV4nKDYbZ_BLmF_7EqGDJ8ZL3YkHWMw58VqjpMScZEnIm_bc2m8PO8zGW_Yil5R6-LZi7MVyNMX9diEpL-fnjsJ0hai02Vz_il3puFBbkm390LI_AVa0xmYLOcKvzbl3a4aqer8uC4m9k4b24CgSXptMqPlVOA6Cow?testcase_id=6654154803249152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 18 2017
ClusterFuzz testcase 6654154803249152 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Mar 2 2017
Labels: Test-Predator-Wrong M-58
Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)