author | Kirill Burtsev <kirill.burtsev@qt.io> | 2021-08-05 15:59:51 +0200 |
---|---|---|
committer | Kirill Burtsev <kirill.burtsev@qt.io> | 2021-09-05 23:29:37 +0200 |
commit | e04d8c65b350146fc4458ded5576c4a07601d041 (patch) | |
tree | 135e3096c3182bace21cc83def20b5d988373d1e /src/webenginequick | |
parent | f5f8df9642469ef831f3377ccb549c4f8d1117fe (diff) |
Fix handling of new window request
Fixes heap-use-after-free for WebContentsAdapter, which is replaced in
the case, when new window set to be opened and adopted by the same page,
which triggered this request: for example, when 'this' is returned by
'createWindow' override. Achieve this by scheduling 'deleteLater' on an
old adapter. This was already implemented that way for internal
'adoptWebContents', but was overlooked for page's 'createWindow' API. So
just unify handling logic. Also, adapt 'customUserAgentInNewTab' test,
since adopting existing WebContents from different profile is not
supposed to work, and now enforced by the check in 'adoptWebContents'.
Unfortunately, the test also has to be blacklisted, since it turned out that the
custom user agent is still not reliably set for a newly created window.
Task-number: QTBUG-76249
Fixes: QTBUG-94772
Pick-to: 6.2
Change-Id: Ic9dff33eae99cc242a294d45a92be96306cef93d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/webenginequick')
-rw-r--r-- | src/webenginequick/api/qquickwebengineview.cpp | 20 | ||||
-rw-r--r-- | src/webenginequick/api/qquickwebengineview_p_p.h | 2 |
2 files changed, 9 insertions, 13 deletions
diff --git a/src/webenginequick/api/qquickwebengineview.cpp b/src/webenginequick/api/qquickwebengineview.cpp
index cf1bff708..ae01aad23 100644
--- a/src/webenginequick/api/qquickwebengineview.cpp
+++ b/src/webenginequick/api/qquickwebengineview.cpp
@@ -772,18 +772,12 @@ private:
 AdapterPtr adapter;
 };
-void QQuickWebEngineViewPrivate::adoptWebContents(WebContentsAdapter *webContents)
+bool QQuickWebEngineViewPrivate::adoptWebContents(WebContentsAdapter *webContents)
 {
- if (!webContents) {
- qWarning("Trying to open an empty request, it was either already used or was invalidated."
- "\nYou must complete the request synchronously within the newWindowRequested signal handler."
- " If a view hasn't been adopted before returning, the request will be invalidated.");
- return;
- }
-
+ Q_ASSERT(webContents);
 if (webContents->profileAdapter() && profileAdapter() != webContents->profileAdapter()) {
 qWarning("Can not adopt content from a different WebEngineProfile.");
- return;
+ return false;
 }
 m_isBeingAdopted = true;
@@ -795,6 +789,7 @@ void QQuickWebEngineViewPrivate::adoptWebContents(WebContentsAdapter *webContent
 adapter = webContents->sharedFromThis();
 adapter->setClient(this);
+ return true;
 }
 QQuickWebEngineView::QQuickWebEngineView(QQuickItem *parent)
@@ -1651,10 +1646,11 @@ void QQuickWebEngineView::acceptAsNewWindow(QWebEngineNewWindowRequest *request)
 return;
 }
- if (auto adapter = request->d_ptr->adapter)
- d->adoptWebContents(adapter.data());
- else
+ auto adapter = request->d_ptr->adapter;
+ if (!adapter)
 setUrl(request->requestedUrl());
+ else if (!d->adoptWebContents(adapter.data()))
+ return;
 request->d_ptr->setHandled();
 }
diff --git a/src/webenginequick/api/qquickwebengineview_p_p.h b/src/webenginequick/api/qquickwebengineview_p_p.h
index 2e70e423d..4647d671e 100644
--- a/src/webenginequick/api/qquickwebengineview_p_p.h
+++ b/src/webenginequick/api/qquickwebengineview_p_p.h
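Review bot: In qquickwebengineview.cpp, `Q_ASSERT(webContents);` at the top of adoptWebContents() replaces a runtime null check, and Q_ASSERT compiles to nothing when QT_NO_DEBUG is defined, so in a release build a null argument would reach `webContents->profileAdapter()` on the next line. The acceptAsNewWindow() caller in the third hunk tests `!adapter` before calling, but any other caller is outside this diff. Since the function now reports failure through its return value, a guard costs one line: `if (!webContents) return false;` directly after the assert. The body of adoptWebContents() continues outside the hunk.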
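Review bot: In acceptAsNewWindow() in qquickwebengineview.cpp, the new `else if (!d->adoptWebContents(adapter.data())) return;` leaves the request without `setHandled()` when adoption is refused, and nothing in the code says that this is intended. A one-line comment above the early return would make it explicit, for example `// Adoption was refused (different profile): leave the request unhandled.` The local `auto adapter = request->d_ptr->adapter;` also deserves a short comment if, as it appears, it is a shared handle held on purpose for the duration of the call; the member's type is declared outside this diff, so that should be confirmed. The start of the function is outside the hunk.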
@@ -164,7 +164,7 @@ public:
 void printRequested() override;
 void findTextFinished(const QWebEngineFindTextResult &result) override;
 void updateAction(QQuickWebEngineView::WebAction) const;
- void adoptWebContents(QtWebEngineCore::WebContentsAdapter *webContents);
+ bool adoptWebContents(QtWebEngineCore::WebContentsAdapter *webContents);
 void setProfile(QQuickWebEngineProfile *profile);
 void updateAdapter();
 void ensureContentsAdapter(); |
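Review bot: The declaration `bool adoptWebContents(QtWebEngineCore::WebContentsAdapter *webContents);` carries no comment saying what the new return value means or that the pointer must be non-null. The caller in qquickwebengineview.cpp decides from this result whether to mark the request handled, so the contract is worth one line, such as `// Returns false without adopting if webContents belongs to a different profile; webContents must not be null.` Declaring it `[[nodiscard]]` would additionally let the compiler flag a caller that ignores a refused adoption. The rest of the class is outside the hunk.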