- From: Mattias Buelens <notifications@github.com>
- Date: Tue, 10 Sep 2024 13:26:35 -0700
- To: whatwg/streams <streams@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/streams/pull/1326@github.com>
In [Chromium bug #339877167](https://issues.chromium.org/issues/339877167), it was discovered that a user could run JavaScript code *synchronously* during `ReadableStreamFulfillReadIntoRequest` by patching `Object.prototype.then`, and use this gadget to break some invariants within `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`.
To prevent this, this PR postpones all calls to `ReadableByteStreamControllerCommitPullIntoDescriptor` until *after* all pull-into descriptors have been filled up by `ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue`. This way, we won't trigger any patched `then()` method until the stream is in a stable state.
- [ ] At least two implementers are interested (and none opposed):
* …
* …
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
* …
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
* Chromium: …
* Gecko: …
* WebKit: …
* Deno: …
* Node.js: …
- [ ] [MDN issue](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) is filed: …
- [ ] The top of this comment includes a [clear commit message](https://github.com/whatwg/meta/blob/main/COMMITTING.md) to use.
(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
***
[Preview](https://whatpr.org/streams/1326.html "Last updated on Sep 10, 2024, 8:26 PM UTC (4cfd7ee)") | [Diff](https://whatpr.org/streams/1326/4d33866...4cfd7ee.html "Last updated on Sep 10, 2024, 8:26 PM UTC (4cfd7ee)")
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/streams/pull/1326
-- Commit Summary --
* Assert that pull-into descriptor's buffer is not detached before filling
* Commit pull-intos after filling from queue
* Separate filling from queue and committing pull-intos
* Commit all pull-intos at the end of RespondInReadableState()
* Commit all pull-intos at the end of RespondInClosedState()
* Fix loop
* Error stream if CopyDataBlockBytes assertions do not hold
-- File Changes --
M index.bs (67)
M reference-implementation/lib/abstract-ops/miscellaneous.js (21)
M reference-implementation/lib/abstract-ops/readable-streams.js (52)
-- Patch Links --
https://github.com/whatwg/streams/pull/1326.patch
https://github.com/whatwg/streams/pull/1326.diff
Received on Tuesday, 10 September 2024 20:26:39 UTC
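
The ordering change described in the message above, as an added example on a toy model; it is not code from the pull request or the Streams reference implementation. The model, its `filling` flag (a stand-in for "the stream is mid-update") and all function names are hypothetical.

```javascript
// Toy model, constructed for illustration: pending reads are filled from a
// byte queue, then committed by resolving a promise with a plain object.
function addRead(model, size) {
  const d = { size, bytes: [] };
  d.promise = new Promise(resolve => { d.resolve = resolve; });
  model.pending.push(d);
}
function fill(model, d) { d.bytes = model.queue.splice(0, d.size); }
// Resolving with a plain object makes the resolve function read its "then"
// property synchronously; that lookup reaches Object.prototype.
function commit(d) { d.resolve({ value: d.bytes, done: false }); }

// Before: commit inside the loop, while `filling` is still true.
function processCommitInLoop(model) {
  model.filling = true;
  while (model.pending.length > 0 && model.queue.length > 0) {
    const d = model.pending.shift();
    fill(model, d);
    commit(d);
  }
  model.filling = false;
}
// After: fill every descriptor first, commit once the loop has finished.
function processCommitAfterLoop(model) {
  model.filling = true;
  const filled = [];
  while (model.pending.length > 0 && model.queue.length > 0) {
    const d = model.pending.shift();
    fill(model, d);
    filled.push(d);
  }
  model.filling = false;
  filled.forEach(commit);
}
// Runs `process` with a temporary getter on Object.prototype.then and
// returns the value of `filling` observed at each synchronous lookup.
function observeReentry(process) {
  const model = { queue: [1, 2, 3, 4], pending: [], filling: false };
  addRead(model, 2);
  addRead(model, 2);
  const seen = [];
  Object.defineProperty(Object.prototype, 'then', {
    configurable: true,
    get() { seen.push(model.filling); return undefined; },
  });
  try { process(model); } finally { delete Object.prototype.then; }
  return seen;
}
```

`observeReentry(processCommitInLoop)` records `true` for both reads (page code ran mid-loop), while `observeReentry(processCommitAfterLoop)` records `false` for both, which is the stable-state property the message describes.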