mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-08-09 09:39:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibWeb: Disallow creating a FileAPI::FileList with a vector of files

Browse source 
This factory forced callers to make a list of GC-allocated FileAPI::File
objects. This isn't safe - this opens a window for these files to be
garbage collected before the FileList object stores / visits the list.

Instead, only allow creating an empty FileList and incrementally adding
files to that list.
This commit is contained in:
Timothy Flynn 2024-08-18 10:48:22 -04:00 committed by Andreas Kling
commit 8b4d28b5fd
Notes: github-actions[bot] 2024-08-19 11:30:30 +00:00
3 changed files with 8 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

12
Userland/Libraries/LibWeb/FileAPI/FileList.cpp
View file

@ -14,23 +14,11 @@ namespace Web::FileAPI {
JS_DEFINE_ALLOCATOR(FileList); JS_DEFINE_ALLOCATOR(FileList);
JS::NonnullGCPtr<FileList> FileList::create(JS::Realm& realm, Vector<JS::NonnullGCPtr<File>>&& files)
{
return realm.heap().allocate<FileList>(realm, realm, move(files));
}
JS::NonnullGCPtr<FileList> FileList::create(JS::Realm& realm) JS::NonnullGCPtr<FileList> FileList::create(JS::Realm& realm)
{ {
return realm.heap().allocate<FileList>(realm, realm); return realm.heap().allocate<FileList>(realm, realm);
} }
FileList::FileList(JS::Realm& realm, Vector<JS::NonnullGCPtr<File>>&& files)
: Bindings::PlatformObject(realm)
, m_files(move(files))
{
m_legacy_platform_object_flags = LegacyPlatformObjectFlags { .supports_indexed_properties = 1 };
}
FileList::FileList(JS::Realm& realm) FileList::FileList(JS::Realm& realm)
: Bindings::PlatformObject(realm) : Bindings::PlatformObject(realm)
{ {

4
Userland/Libraries/LibWeb/FileAPI/FileList.h
View file

@ -22,9 +22,10 @@ class FileList
JS_DECLARE_ALLOCATOR(FileList); JS_DECLARE_ALLOCATOR(FileList);
public: public:
[[nodiscard]] static JS::NonnullGCPtr<FileList> create(JS::Realm&, Vector<JS::NonnullGCPtr<File>>&&);
[[nodiscard]] static JS::NonnullGCPtr<FileList> create(JS::Realm&); [[nodiscard]] static JS::NonnullGCPtr<FileList> create(JS::Realm&);
void add_file(JS::NonnullGCPtr<File> file) { m_files.append(file); }
virtual ~FileList() override; virtual ~FileList() override;
// https://w3c.github.io/FileAPI/#dfn-length // https://w3c.github.io/FileAPI/#dfn-length
@ -49,7 +50,6 @@ public:
virtual WebIDL::ExceptionOr<void> deserialization_steps(ReadonlySpan<u32> const& serialized, size_t& position, HTML::DeserializationMemory&) override; virtual WebIDL::ExceptionOr<void> deserialization_steps(ReadonlySpan<u32> const& serialized, size_t& position, HTML::DeserializationMemory&) override;
private: private:
FileList(JS::Realm&, Vector<JS::NonnullGCPtr<File>>&&);
explicit FileList(JS::Realm&); explicit FileList(JS::Realm&);
virtual void initialize(JS::Realm&) override; virtual void initialize(JS::Realm&) override;

13
Userland/Libraries/LibWeb/HTML/HTMLInputElement.cpp
View file

@ -189,7 +189,7 @@ JS::GCPtr<FileAPI::FileList> HTMLInputElement::files()
return nullptr; return nullptr;
if (!m_selected_files) if (!m_selected_files)
m_selected_files = FileAPI::FileList::create(realm(), {}); m_selected_files = FileAPI::FileList::create(realm());
return m_selected_files; return m_selected_files;
} }
@ -461,8 +461,7 @@ void HTMLInputElement::did_select_files(Span<SelectedFile> selected_files)
return; return;
} }
Vector<JS::NonnullGCPtr<FileAPI::File>> files; auto files = FileAPI::FileList::create(realm());
files.ensure_capacity(selected_files.size());
for (auto& selected_file : selected_files) { for (auto& selected_file : selected_files) {
auto contents = selected_file.take_contents(); auto contents = selected_file.take_contents();
@ -478,14 +477,14 @@ void HTMLInputElement::did_select_files(Span<SelectedFile> selected_files)
options.type = mime_type.essence(); options.type = mime_type.essence();
auto file = MUST(FileAPI::File::create(realm(), { JS::make_handle(blob) }, file_name, move(options))); auto file = MUST(FileAPI::File::create(realm(), { JS::make_handle(blob) }, file_name, move(options)));
files.unchecked_append(file); files->add_file(file);
} }
// https://html.spec.whatwg.org/multipage/input.html#update-the-file-selection // https://html.spec.whatwg.org/multipage/input.html#update-the-file-selection
// 1. Queue an element task on the user interaction task source given element and the following steps: // 1. Queue an element task on the user interaction task source given element and the following steps:
queue_an_element_task(HTML::Task::Source::UserInteraction, [this, files = move(files)]() mutable { queue_an_element_task(HTML::Task::Source::UserInteraction, [this, files]() mutable {
// 1. Update element's selected files so that it represents the user's selection. // 1. Update element's selected files so that it represents the user's selection.
m_selected_files = FileAPI::FileList::create(realm(), move(files)); m_selected_files = files;
update_file_input_shadow_tree(); update_file_input_shadow_tree();
// 2. Fire an event named input at the input element, with the bubbles and composed attributes initialized to true. // 2. Fire an event named input at the input element, with the bubbles and composed attributes initialized to true.
@ -1424,7 +1423,7 @@ void HTMLInputElement::reset_algorithm()
m_checked = has_attribute(AttributeNames::checked); m_checked = has_attribute(AttributeNames::checked);
// empty the list of selected files, // empty the list of selected files,
m_selected_files = FileAPI::FileList::create(realm(), {}); m_selected_files = FileAPI::FileList::create(realm());
// and then invoke the value sanitization algorithm, if the type attribute's current state defines one. // and then invoke the value sanitization algorithm, if the type attribute's current state defines one.
m_value = value_sanitization_algorithm(m_value); m_value = value_sanitization_algorithm(m_value);