RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 08:48:11 +00:00
Code Issues Activity Actions

LibWeb: Fix UAF in CSSStyleSheet

Browse source 
CSSNamespaceRule returns a copy of a DeprecatedString, meaning that the
view returned by the namespace in CSSStyleSheet is into a temporary
string.
This commit is contained in:
Shannon Booth 2023-11-24 19:14:24 +13:00 committed by Andreas Kling
parent 673329e1bd
commit b7bcdf7c53
2 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibWeb/CSS/CSSStyleSheet.cpp
View file

@ -146,19 +146,19 @@ void CSSStyleSheet::set_style_sheet_list(Badge<StyleSheetList>, StyleSheetList*
m_style_sheet_list = list;
}
Optional<StringView> CSSStyleSheet::default_namespace() const
Optional<FlyString> CSSStyleSheet::default_namespace() const
{
if (m_default_namespace_rule)
return m_default_namespace_rule->namespace_uri().view();
return MUST(FlyString::from_deprecated_fly_string(m_default_namespace_rule->namespace_uri()));
return {};
}
Optional<StringView> CSSStyleSheet::namespace_uri(StringView namespace_prefix) const
Optional<FlyString> CSSStyleSheet::namespace_uri(StringView namespace_prefix) const
{
return m_namespace_rules.get(namespace_prefix)
.map([](JS::GCPtr<CSSNamespaceRule> namespace_) {
return namespace_->namespace_uri().view();
return MUST(FlyString::from_deprecated_fly_string(namespace_->namespace_uri()));
});
}