Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Web Streams: commit pull-into descriptors after filling from queue #56044

Open
MattiasBuelens opened this issue Nov 27, 2024 · 0 comments · May be fixed by #56072
Open

Web Streams: commit pull-into descriptors after filling from queue #56044

MattiasBuelens opened this issue Nov 27, 2024 · 0 comments · May be fixed by #56072
Assignees
@MattiasBuelens
Labels
web streams web-standards Issues and PRs related to Web APIs

Comments

@MattiasBuelens
Copy link
Contributor

In GHSA-p5g2-876g-95h9, we discovered that in Chromium, a user could run JavaScript code synchronously during ReadableStreamFulfillReadIntoRequest by patching Object.prototype.then, and use this gadget to break some invariants within ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. Fortunately, Node.js seems unaffected.

The Streams standard has been updated with a proper fix for this case. We now postpone all calls to ReadableByteStreamControllerCommitPullIntoDescriptor until after all pull-into descriptors have been filled up by ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. This way, we won't trigger any patched then() method until the stream is in a stable state.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MattiasBuelens MattiasBuelens

Labels
web streams web-standards Issues and PRs related to Web APIs
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

web streams: commit pull-into descriptors after filling from queue MattiasBuelens/node
2 participants
@MattiasBuelens @aduh95