AK+LibWeb: Make StringBase::bytes() lvalue-only

Disallow calling `StringBase::bytes()` on temporaries to avoid returning `ReadonlyBytes` that outlive the underlying string. With this change, we catch a real UAF: `load_result.data = maybe_response.release_value().bytes();` All other updated call sites were already safe, they just needed to use an intermediate named variable to satisfy the new lvalue-only requirement.
Author: https://github.com/kalenikaliaksandr Commit: 69cede4a0f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/6932 Reviewed-by: https://github.com/trflynn89 ✅
2025-12-07 21:59:54 +00:00 · 2025-11-25 18:06:48 +01:00 · 2025-11-25 18:06:48 +01:00 · 69cede4a0f · 2025-11-25 18:03:33 +00:00
commit 69cede4a0f
parent d1f34efa64
8 changed files with 31 additions and 16 deletions
--- a/Libraries/LibWeb/ReferrerPolicy/AbstractOperations.cpp
+++ b/Libraries/LibWeb/ReferrerPolicy/AbstractOperations.cpp
@ -108,8 +108,11 @@ Optional<URL::URL> determine_requests_referrer(Fetch::Infrastructure::Request co

    // 6. If the result of serializing referrerURL is a string whose length is greater than 4096, set referrerURL to
    //    referrerOrigin.
-    if (referrer_url.has_value() && referrer_url.value().serialize().bytes().size() > 4096)
-        referrer_url = referrer_origin;
+    if (referrer_url.has_value()) {
+        auto serialized_referrer_url = referrer_url.value().serialize();
+        if (serialized_referrer_url.bytes().size() > 4096)
+            referrer_url = referrer_origin;
+    }

    // 7. The user agent MAY alter referrerURL or referrerOrigin at this point to enforce arbitrary policy
    //    considerations in the interests of minimizing data leakage. For example, the user agent could strip the URL