AK+LibWeb: Make StringBase::bytes() lvalue-only

Disallow calling `StringBase::bytes()` on temporaries to avoid returning `ReadonlyBytes` that outlive the underlying string. With this change, we catch a real UAF: `load_result.data = maybe_response.release_value().bytes();` All other updated call sites were already safe, they just needed to use an intermediate named variable to satisfy the new lvalue-only requirement.
Author: https://github.com/kalenikaliaksandr Commit: 69cede4a0f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/6932 Reviewed-by: https://github.com/trflynn89 ✅
2025-12-08 06:09:58 +00:00 · 2025-11-25 18:06:48 +01:00 · 2025-11-25 18:06:48 +01:00 · 69cede4a0f · 2025-11-25 18:03:33 +00:00
commit 69cede4a0f
parent d1f34efa64
8 changed files with 31 additions and 16 deletions
--- a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@ -1795,8 +1795,10 @@ GC::Ref<PendingResponse> http_network_or_cache_fetch(JS::Realm& realm, Infrastru

        // 8. If contentLength is non-null, then set contentLengthHeaderValue to contentLength, serialized and
        //    isomorphic encoded.
-        if (content_length.has_value())
-            content_length_header_value = MUST(ByteBuffer::copy(String::number(*content_length).bytes()));
+        if (content_length.has_value()) {
+            auto content_length_string = String::number(*content_length);
+            content_length_header_value = MUST(ByteBuffer::copy(content_length_string.bytes()));
+        }

        // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, contentLengthHeaderValue) to
        //    httpRequest’s header list.