Bug 123490 - Accessing XMLHttpRequest()s .responseXML when the response XML contains a script tag with a src attribute crashes Konqueror
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml xml (show other bugs)
Version: unspecified
Platform: Debian testing Linux
Priority: NOR
Severity: crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2006-03-12 13:58 UTC by Frederik Reiss
Modified: 2021-01-02 04:34 UTC (History)
Description Frederik Reiss 2006-03-12 13:58:56 UTC
Version:           3.5.1 (using KDE KDE 3.5.1)
Installed from:    Debian testing/unstable Packages
OS:                Linux

Accessing XMLHttpRequest()'s .responseXML when the response XML contains a script tag with a src attribute crashes Konqueror. Changing the tag or attribute name makes the crash go away. There is no difference between accessing the files locally or through a webserver.

To reproduce this, save crash.html and data.xml below in the same directory.

Open crash.html and click on the link.
result: Konqueror crashes with SIGSEGV

Now rename the script tag in data.xml to scrript and click on the link.
result: Konqueror does not crash




--- start crash.html ---
<html>
  <head>
    <title>Konqueror Crash</title>
    <script type="text/javascript">
    <!--
    // Fetch url synchronously and touch responseXML, which makes KHTML parse
    // the reply as XML; with data.xml below this is where Konqueror crashes.
    function loadFile(url)
    {
      var connection = new XMLHttpRequest();
      connection.open("GET", url, false);
      connection.setRequestHeader('Content-Type', 'text/xml');
      connection.send(null);

      alert(connection.responseXML);
    }
    -->
    </script>
  </head>
  <body>
    <a href="javascript:loadFile(&quot;data.xml&quot;);">Crash Me</a>
  </body>
</html>
--- end crash.html ---

--- start data.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<result>
    <script src="Some_Random_Value" />
</result>
--- end data.xml ---

Backtrace:
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
...
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1234483520 (LWP 13729)]
(no debugging symbols found)
...
(no debugging symbols found)
[KCrash handler]
#6  0xb5e509e9 in DOM::XMLAttributeReader::~XMLAttributeReader ()
   from /usr/lib/libkhtml.so.4
#7  0xb5e54c3c in DOM::XMLAttributeReader::~XMLAttributeReader ()
   from /usr/lib/libkhtml.so.4
#8  0xb5e36308 in KHTMLWalletQueue::~KHTMLWalletQueue ()
   from /usr/lib/libkhtml.so.4
#9  0xb5fad059 in EmbedLiveConnect::call () from /usr/lib/libkhtml.so.4
#10 0xb5fad2ec in EmbedLiveConnect::call () from /usr/lib/libkhtml.so.4
#11 0xb5f742a6 in EmbedLiveConnect::EmbedLiveConnect ()
   from /usr/lib/libkhtml.so.4
#12 0xb5cdf932 in KJS::Reference::getValue () from /usr/lib/libkjs.so.1
#13 0xb5cdfe82 in KJS::Reference::getValue () from /usr/lib/libkjs.so.1
#14 0xb5ce2c66 in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#15 0xb5ce2d87 in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#16 0xb5cf199a in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#17 0xb5cf3fff in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#18 0xb5cf8afd in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#19 0xb5cf3e5c in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#20 0xb5cf9b19 in KJS::DeclaredFunctionImp::execute ()
   from /usr/lib/libkjs.so.1
#21 0xb5ce023d in KJS::FunctionImp::call () from /usr/lib/libkjs.so.1
#22 0xb5ce39a0 in KJS::Object::call () from /usr/lib/libkjs.so.1
#23 0xb5cf1cd2 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#24 0xb5cf3fff in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#25 0xb5cf8a67 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#26 0xb5cf3e5c in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#27 0xb5cf95b7 in KJS::UndefinedImp::toObject () from /usr/lib/libkjs.so.1
#28 0xb5cf9aca in KJS::Interpreter::evaluate () from /usr/lib/libkjs.so.1
#29 0xb5f968c9 in EmbedLiveConnect::toString () from /usr/lib/libkhtml.so.4
#30 0xb5e1ae3f in KHTMLPart::executeScript () from /usr/lib/libkhtml.so.4
#31 0xb5e1d86b in KHTMLPart::crossFrameExecuteScript ()
   from /usr/lib/libkhtml.so.4
#32 0xb5e1fc6f in KHTMLPart::urlSelectedIntern () from /usr/lib/libkhtml.so.4
#33 0xb5e20a6d in KHTMLPart::urlSelected () from /usr/lib/libkhtml.so.4
#34 0xb5e7d860 in DOM::checkChild () from /usr/lib/libkhtml.so.4
#35 0xb5e5a457 in DOM::XMLAttributeReader::~XMLAttributeReader ()
   from /usr/lib/libkhtml.so.4
#36 0xb5e5a862 in DOM::XMLAttributeReader::~XMLAttributeReader ()
   from /usr/lib/libkhtml.so.4
#37 0xb5de48d8 in KHTMLView::dispatchMouseEvent () from /usr/lib/libkhtml.so.4
#38 0xb5dea10f in KHTMLView::viewportMouseReleaseEvent ()
   from /usr/lib/libkhtml.so.4
#39 0xb6d921c5 in QScrollView::eventFilter () from /usr/lib/libqt-mt.so.3
#40 0xb5de2c79 in KHTMLView::eventFilter () from /usr/lib/libkhtml.so.4
#41 0xb6c55b52 in QObject::activate_filters () from /usr/lib/libqt-mt.so.3
#42 0xb6c55bdb in QObject::event () from /usr/lib/libqt-mt.so.3
#43 0xb6c93dcd in QWidget::event () from /usr/lib/libqt-mt.so.3
#44 0xb6bee698 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#45 0xb6beec6b in QApplication::notify () from /usr/lib/libqt-mt.so.3
#46 0xb7390d4e in KApplication::notify () from /usr/lib/libkdecore.so.4
#47 0xb6b7e653 in QApplication::sendSpontaneousEvent ()
   from /usr/lib/libqt-mt.so.3
#48 0xb6b79ae4 in QETWidget::translateMouseEvent ()
   from /usr/lib/libqt-mt.so.3
#49 0xb6b77dbe in QApplication::x11ProcessEvent () from /usr/lib/libqt-mt.so.3
#50 0xb6b918c0 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#51 0xb6c06da2 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#52 0xb6c06ccb in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#53 0xb6bed225 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#54 0xb7ecaf9c in kdemain () from /usr/lib/libkdeinit_konqueror.so
#55 0xb7bf1eb0 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#56 0x080483d1 in ?? ()
Comment 1 Maksim Orlovich 2006-03-12 15:50:55 UTC
hmm, this suggests some bad stuff about namespace handling :-(
Comment 2 Maksim Orlovich 2006-03-12 16:15:04 UTC
SVN commit 517910 by orlovich:

Properly handle script namespace in XML parser
BUG:123490


 M  +2 -2      xml_tokenizer.cpp  


--- branches/KDE/3.5/kdelibs/khtml/xml/xml_tokenizer.cpp #517909:517910
@@ -157,7 +157,7 @@
             return false;
     }
 
-    if (newElement->id() == ID_SCRIPT)
+    if (newElement->id() == makeId(xhtmlNamespace, ID_SCRIPT))
         static_cast<HTMLScriptElementImpl *>(newElement)->setCreatedByParser(true);
 
     //this is tricky. in general the node doesn't have to attach to the one it's in. as far
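Review bot: the static_cast<HTMLScriptElementImpl *> on the line after the changed check still assumes that an id match alone guarantees the node's class. The reporter's data.xml sends an unnamespaced <script src> down this path and the backtrace ends in SIGSEGV rather than a clean rejection, so if the element factory can create a node that is not an HTMLScriptElementImpl but whose id compares equal to ID_SCRIPT or to makeId(xhtmlNamespace, ID_SCRIPT), the cast remains a type confusion whichever comparison is used. Consider gating the cast on the node's actual type, or on the same condition the factory used when it decided to create an HTMLScriptElementImpl, and add a comment at the check saying why the namespace matters, since the commit message ("Properly handle script namespace") does not explain it.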
@@ -491,7 +491,7 @@
     // Recursively go through the entire document tree, looking for html <script> tags. For each of these
     // that is found, add it to the m_scripts list from which they will be executed
 
-    if (n->id() == ID_SCRIPT) {
+    if (n->id() == makeId(xhtmlNamespace, ID_SCRIPT)) {
         m_scripts.append(static_cast<HTMLScriptElementImpl*>(n));
     }
 
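Review bot: this is the same id-then-static_cast pattern as the hunk at line 157, now appending the node to m_scripts from which it will later be executed, so a miscast here is at least as serious. The two sites duplicate the namespace logic and have to be edited in lockstep; a single helper such as isHTMLScriptElement(n) used by both would keep them from drifting, and given the comment above says it is "looking for html <script> tags", that helper should decide on the node's type rather than only on its id.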
Comment 3 Maksim Orlovich 2006-03-12 16:23:03 UTC
hmm, wrong :-(. This sucks.
Comment 4 Maksim Orlovich 2006-03-12 16:25:14 UTC
SVN commit 517915 by orlovich:

Revert. Need to sort out the no namespace vs. xhtml namespace mess to fix this:
CCBUG:123490


 M  +2 -2      xml_tokenizer.cpp  


--- branches/KDE/3.5/kdelibs/khtml/xml/xml_tokenizer.cpp #517914:517915
@@ -157,7 +157,7 @@
             return false;
     }
 
-    if (newElement->id() == makeId(xhtmlNamespace, ID_SCRIPT))
+    if (newElement->id() == ID_SCRIPT)
         static_cast<HTMLScriptElementImpl *>(newElement)->setCreatedByParser(true);
 
     //this is tricky. in general the node doesn't have to attach to the one it's in. as far
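Review bot: reverting to the bare ID_SCRIPT comparison restores the exact path the reporter's unnamespaced <script src> crashed on, so until the "no namespace vs. xhtml namespace" question from the commit message is sorted out, the static_cast below the check should at least be made conditional on the node really being an HTMLScriptElementImpl; otherwise this revert reintroduces the SIGSEGV in the backtrace. A FIXME at the check would make the known-unsafe state visible to the next reader.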
@@ -491,7 +491,7 @@
     // Recursively go through the entire document tree, looking for html <script> tags. For each of these
     // that is found, add it to the m_scripts list from which they will be executed
 
-    if (n->id() == makeId(xhtmlNamespace, ID_SCRIPT)) {
+    if (n->id() == ID_SCRIPT) {
         m_scripts.append(static_cast<HTMLScriptElementImpl*>(n));
     }
 
Comment 5 James Spahlinger 2008-04-19 15:41:41 UTC
Konqueror 4.0.3 produces no crash. Bug appears to be fixed.

I put an online copy of this for ease of testing: http://nixeagle.org/kdebugs/123490/crash.html - when the page opens, just click the link. You should get a popup, if not I presume you will get a lovely crash.

Using Gentoo Linux ~x86 (testing, in Gentoo lingo). KDE 4.0.3 and the majority of packages compiled using gcc 4.3.0.
Comment 6 FiNeX 2008-04-25 13:40:42 UTC
Cannot reproduce the crash on 3.5.9 AND konqueror trunk (revision 800924). The bug has been fixed :-)
Comment 7 Maksim Orlovich 2008-04-25 17:16:26 UTC
No, it hasn't been. It just luckily doesn't crash.
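A constructed model of the pattern the two patches above touch (an id comparison followed by a static_cast), added here as an illustration; it is not code from the report, from KHTML, or from the patches. The id layout, the namespace values, the element classes and the isHTMLScriptElement() type tag are all assumptions. It shows why an unnamespaced <script> in plain XML can satisfy an id-only check without being an HTMLScriptElementImpl, which is the latent confusion Comment 7 refers to, and a type-gated alternative.

```cpp
#include <cstdint>
#include <memory>
#include <string>

// Constructed model, not KHTML code. A node id packs a namespace into the high
// bits and a local tag id into the low bits; elements with no xmlns and XHTML
// elements are assumed to share namespace 0 (Comment 4's "no namespace vs.
// xhtml namespace mess"), so an unnamespaced <script> gets ID_SCRIPT too.
using NodeId = uint32_t;
constexpr NodeId ID_SCRIPT = 42;              // hypothetical local id for <script>
constexpr uint32_t xhtmlNamespace = 0;        // hypothetical: default namespace
constexpr uint32_t noNamespace = 0;           // assumed to alias xhtmlNamespace
constexpr NodeId makeId(uint32_t ns, NodeId local) { return (ns << 16) | local; }
constexpr const char* XHTML_URI = "http://www.w3.org/1999/xhtml";

struct ElementImpl {
    explicit ElementImpl(NodeId id) : id_(id) {}
    virtual ~ElementImpl() = default;
    NodeId id() const { return id_; }
    virtual bool isHTMLScriptElement() const { return false; }  // hypothetical type tag
private:
    NodeId id_;
};
struct XMLElementImpl : ElementImpl { using ElementImpl::ElementImpl; };  // generic XML node
struct HTMLScriptElementImpl : ElementImpl {
    using ElementImpl::ElementImpl;
    bool isHTMLScriptElement() const override { return true; }
};

// Factory: only an XHTML-namespaced <script> becomes the HTML script class; the
// reporter's <script src="..."/> in data.xml stays a plain XML node with ID_SCRIPT.
std::unique_ptr<ElementImpl> createElement(const std::string& nsUri, const std::string& tag) {
    if (tag != "script") return std::make_unique<XMLElementImpl>(makeId(noNamespace, 7));
    if (nsUri == XHTML_URI)
        return std::make_unique<HTMLScriptElementImpl>(makeId(xhtmlNamespace, ID_SCRIPT));
    return std::make_unique<XMLElementImpl>(makeId(noNamespace, ID_SCRIPT));
}

// The xml_tokenizer.cpp pattern: decide by id, then static_cast. True means the
// cast would hit a node that is not an HTMLScriptElementImpl (the type confusion).
bool idOnlyDispatchIsUnsafe(const ElementImpl& n) {
    return n.id() == ID_SCRIPT && !n.isHTMLScriptElement();
}

// Hardened form: gate the downcast on the node's real type, so a <script> in
// arbitrary XML is ignored rather than reinterpreted.
HTMLScriptElementImpl* asHTMLScript(ElementImpl& n) {
    return n.isHTMLScriptElement() ? static_cast<HTMLScriptElementImpl*>(&n) : nullptr;
}
```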
Comment 8 Justin Zobel 2020-12-03 21:38:32 UTC
Thank you for the report, Frederik.

As it has been a while since this was reported, can you please test and confirm whether this issue is still occurring or whether this bug report can be marked as resolved?

I have set the bug status to "needsinfo" pending your response; please change it back to "reported" or "resolved/worksforme" when you respond. Thank you.
Comment 9 Bug Janitor Service 2020-12-18 04:34:38 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 10 Bug Janitor Service 2021-01-02 04:34:14 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!