authorVictor Costan <pwnall@chromium.org>2019-10-21 22:29:45 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-03-24 08:16:45 +0000
commit02e9407022a7e946eb8f2b4500d3316c85cdfa76 (patch)
treeed1511abf4edbdd69a796dd6391e4c7404e7b477
parent6bf234cfacc25a2aa80e8e51a59c1ff0613618d2 (diff)
downloadqtwebengine-chromium-02e9407022a7e946eb8f2b4500d3316c85cdfa76.tar.gz
[Backport] Security bug 1016038
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1869384: IndexedDB: Mark transactions inactive during structured cloning. Bug: 1016038 Change-Id: Icf24fb597c0dbfd83220fac20a557d05b0c9b96b Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc2
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc25
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h9
3 files changed, 28 insertions, 8 deletions
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
index edacac192e5..7dfe0b20702 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
@@ -418,6 +418,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state,
v8::Isolate* isolate = script_state->GetIsolate();
DCHECK(isolate->InContext());
+ transaction_->SetActiveDuringSerialization(false);
// TODO(crbug.com/719053): This wasm behavior differs from other browsers.
SerializedScriptValue::SerializeOptions::WasmSerializationPolicy wasm_policy =
ExecutionContext::From(script_state)->IsSecureContext()
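Review bot: The new `transaction_->SetActiveDuringSerialization(false);` carries no comment, and its purpose only becomes apparent from the matching `SetActiveDuringSerialization(true)` in the next hunk, so a reader of this line cannot tell why the transaction is flipped inactive before the value is cloned; add `// Script that runs re-entrantly while the value is cloned must see this transaction as inactive (crbug.com/1016038).` above it. The two calls are a manual bracket around the `IDBValueWrapper` constructor with no scope guard, so any early return added between them in a future edit would leave the transaction inactive for the rest of the task; a small RAII helper that calls `SetActiveDuringSerialization(true)` from its destructor would make the pairing hold on every exit path. If other code paths clone a script value while a transaction is active, they presumably need the same bracket — worth confirming against the callers of the serializer. DoPut begins before this hunk and continues past the second one.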
@@ -425,6 +426,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state,
: SerializedScriptValue::SerializeOptions::kBlockedInNonSecureContext;
IDBValueWrapper value_wrapper(isolate, value.V8Value(), wasm_policy,
exception_state);
+ transaction_->SetActiveDuringSerialization(true);
if (exception_state.HadException())
return nullptr;
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
index c6964ca53ac..1d9cd13d511 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
@@ -328,18 +328,29 @@ void IDBTransaction::IndexDeleted(IDBIndex* index) {
deleted_indexes_.push_back(index);
}
-void IDBTransaction::SetActive(bool active) {
- DCHECK_NE(state_, kFinished) << "A finished transaction tried to SetActive("
- << (active ? "true" : "false") << ")";
- if (state_ == kFinishing)
+void IDBTransaction::SetActive(bool new_is_active) {
+ DCHECK_NE(state_, kFinished)
+ << "A finished transaction tried to SetActive(" << new_is_active << ")";
 if (state_ == kFinishing)
return;
- DCHECK_NE(active, (state_ == kActive));
- state_ = active ? kActive : kInactive;
+ DCHECK_NE(new_is_active, (state_ == kActive));
+ state_ = new_is_active ? kActive : kInactive;
- if (!active && request_list_.IsEmpty() && BackendDB())
+ if (!new_is_active && request_list_.IsEmpty() && BackendDB())
BackendDB()->Commit(id_);
}
+void IDBTransaction::SetActiveDuringSerialization(bool new_is_active) {
+ if (new_is_active) {
+ DCHECK_EQ(state_, kInactive)
+ << "Incorrect state restore during Structured Serialization";
+ state_ = kActive;
+ } else {
+ DCHECK_EQ(state_, kActive)
+ << "Structured serialization attempted while transaction is inactive";
+ state_ = kInactive;
+ }
+}
+
void IDBTransaction::abort(ExceptionState& exception_state) {
if (state_ == kFinishing || state_ == kFinished) {
exception_state.ThrowDOMException(
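Review bot: `SetActiveDuringSerialization` assumes `state_` is untouched between the `false` and `true` calls, yet script that runs during serialization sees an inactive transaction and `abort()` (whose body starts at the end of this hunk and continues past it) only rejects kFinishing and kFinished, so an abort in that window would presumably move `state_` to kFinishing; the restore call then trips `DCHECK_EQ(state_, kInactive)` and, in release builds, sets a finishing transaction back to kActive. Mirror `SetActive` and bail out first with `if (state_ == kFinishing || state_ == kFinished) return;` at the top of the function, ahead of both branches. Whether an abort from inside serialization is reachable in this build is inferred from the visible checks rather than demonstrated here. Minor: the rewritten DCHECK message streams `new_is_active` directly, which prints 1/0 where the removed code printed true/false.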
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
index 5a2970a568d..924affb747f 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
@@ -130,7 +130,14 @@ class MODULES_EXPORT IDBTransaction final
// Called when deleting an index whose IDBIndex had been created.
void IndexDeleted(IDBIndex*);
- void SetActive(bool);
+ // Called during event dispatch.
+ //
+ // This can trigger transaction auto-commit.
+ void SetActive(bool new_is_active);
+
+ // Called right before and after structured serialization.
+ void SetActiveDuringSerialization(bool new_is_active);
+
void SetError(DOMException*);
DEFINE_ATTRIBUTE_EVENT_LISTENER(abort);
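Review bot: The comment on `SetActiveDuringSerialization` does not state the contract a caller must honour: the calls come in a false/true pair, the transaction must be active when the pair starts, and — unlike `SetActive`, whose comment right above warns about auto-commit — it never commits (the .cc implementation only flips `state_`). Replace the one-line comment with `// Called right before (false) and after (true) structured serialization so`, `// script that runs re-entrantly while a value is cloned sees the transaction`, `// as inactive. Calls must be paired; unlike SetActive(), never auto-commits.` The enclosing class declaration begins before this hunk and continues past it.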