From da4ffba387f70730453d4533272dd55870dd81bb Mon Sep 17 00:00:00 2001
From: Steve Block
Date: Thu, 9 Sep 2010 11:17:13 +0100
Subject: Cherry-pick security fix in WebKit change 64077

See http://trac.webkit.org/changeset/64077

Bug: 2986936
Change-Id: Ic3e825e880f2094f274758af93a0949b0b9278f0
---
 WebCore/page/History.cpp | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

(limited to 'WebCore')

diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index 78e8ea6..337f5b2 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -86,14 +86,7 @@ KURL History::urlForState(const String& urlString)
     if (urlString.isEmpty())
         return baseURL;
 
-    KURL absoluteURL(baseURL, urlString);
-    if (!absoluteURL.isValid())
-        return KURL();
-
-    if (absoluteURL.string().left(absoluteURL.pathStart()) != baseURL.string().left(baseURL.pathStart()))
-        return KURL();
-
-    return absoluteURL;
+    return KURL(baseURL, urlString);
 }
 
 void History::stateObjectAdded(PassRefPtr data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
@@ -102,7 +95,8 @@ void History::stateObjectAdded(PassRefPtr data, const Str
         return;
 
     KURL fullURL = urlForState(urlString);
-    if (!fullURL.isValid()) {
+    RefPtr origin = SecurityOrigin::create(fullURL);
+    if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->isSameSchemeHostPort(origin.get())) {
         ec = SECURITY_ERR;
         return;
     }
-- 
cgit v1.1
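Review bot: urlForState no longer rejects anything itself — its new-side body is just `return KURL(baseURL, urlString);` — so an invalid or cross-origin result is now handed back to the caller unchecked, and nothing in the hunk records that the contract changed. A one-line comment above the return would stop the next caller from assuming the old filtering still happens: `// Resolves urlString against the document base URL only; validity and same-origin checks are the caller's job (see stateObjectAdded).` The start of urlForState, where baseURL is computed, lies before the hunk, so whether any caller other than stateObjectAdded exists is not visible here.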
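Review bot: `SecurityOrigin::create(fullURL)` is evaluated before `fullURL.isValid()` is checked, so an origin object is constructed from a URL that may be unparseable and is then discarded by the short-circuit; SecurityOrigin presumably tolerates an invalid KURL, but rejecting the invalid URL first keeps the security decision in one readable order and removes that edge case from the reasoning. The reorder is small and shown below, with `RefPtr origin` written as `RefPtr<SecurityOrigin>` on the assumption that the template argument was lost in extraction. It is also worth a comment that `isSameSchemeHostPort` is used rather than a canAccess-style check, so a document.domain relaxation cannot widen what pushState/replaceState may set — the method name supports that reading but the rationale is not stated anywhere in the hunk. The guard at the top of stateObjectAdded (the `return;` at the hunk's first context line) lies outside the hunk, so whether m_frame is already null-checked before `m_frame->document()` is not visible here.
```cpp
    KURL fullURL = urlForState(urlString);
    // Reject unparseable URLs before building an origin from them.
    if (!fullURL.isValid()) {
        ec = SECURITY_ERR;
        return;
    }
    // Scheme, host and port must match the document's origin; document.domain is not consulted here.
    RefPtr<SecurityOrigin> origin = SecurityOrigin::create(fullURL);
    if (!m_frame->document()->securityOrigin()->isSameSchemeHostPort(origin.get())) {
        ec = SECURITY_ERR;
        return;
    }
```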