Diff
Modified: branches/safari-603-branch/Source/WebKit2/ChangeLog (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/ChangeLog 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/ChangeLog 2017-01-13 06:10:43 UTC (rev 210714)
@@ -1,5 +1,39 @@
2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210683. rdar://problem/11187315
+
+ 2017-01-12 Megan Gardner <megan_gard...@apple.com>
+
+ Double Check URLs on UI side before putting in pasteboard
+ https://bugs.webkit.org/show_bug.cgi?id=166945
+ <rdar://problem/11187315>
+
+ Reviewed by Tim Horton.
+
+ Check URLs sent from the web process before putting the on pasteboard.
+
+ * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+ (WebKit::WebPasteboardProxy::setPasteboardPathnamesForType):
+ Add a check to make sure the URLs we've received are valid and not compromising to the user's system.
+
+ * UIProcess/WebPasteboardProxy.cpp:
+ (WebKit::WebPasteboardProxy::addWebProcessProxy):
+ Keep track of the webProcesses associated with the pasteboard proxies specifically, so that we can
+ use it to check the URLs before putting them on pasteboard.
+ (WebKit::WebPasteboardProxy::removeWebProcessProxy):
+ Remove dead webProcesses.
+
+ * UIProcess/WebPasteboardProxy.h:
+ * UIProcess/WebPasteboardProxy.messages.in:
+ Allow for the connection to be passed in, so that we can determine which webProcess we need to
+ check the URLs of.
+
+ * UIProcess/WebProcessProxy.cpp:
+ (WebKit::WebProcessProxy::~WebProcessProxy):
+ Make sure to remove WebProcessProxys from the list stored in WebPasteboardProxy
+
+2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210666. rdar://problem/28904157
2017-01-12 Andreas Kling <akl...@apple.com>
Modified: branches/safari-603-branch/Source/WebKit2/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2017-01-13 06:10:43 UTC (rev 210714)
@@ -25,6 +25,7 @@
#import "config.h"
#import "WebPasteboardProxy.h"
+#import "WebProcessProxy.h"
#import <WebCore/Color.h>
#import <WebCore/PlatformPasteboard.h>
@@ -98,9 +99,23 @@
newChangeCount = PlatformPasteboard(pasteboardName).setTypes(pasteboardTypes);
}
-void WebPasteboardProxy::setPasteboardPathnamesForType(const String& pasteboardName, const String& pasteboardType, const Vector<String>& pathnames, uint64_t& newChangeCount)
+void WebPasteboardProxy::setPasteboardPathnamesForType(IPC::Connection& connection, const String& pasteboardName, const String& pasteboardType, const Vector<String>& pathnames, uint64_t& newChangeCount)
{
- newChangeCount = PlatformPasteboard(pasteboardName).setPathnamesForType(pathnames, pasteboardType);
+ for (auto* webProcessProxy : m_webProcessProxyList) {
+ if (webProcessProxy->connection() != &connection)
+ continue;
+
+ for (const auto& pathname : pathnames) {
+ if (!webProcessProxy->checkURLReceivedFromWebProcess(pathname)) {
+ connection.markCurrentlyDispatchedMessageAsInvalid();
+ newChangeCount = 0;
+ return;
+ }
+ }
+ newChangeCount = PlatformPasteboard(pasteboardName).setPathnamesForType(pathnames, pasteboardType);
+ return;
+ }
+ newChangeCount = 0;
}
void WebPasteboardProxy::setPasteboardStringForType(const String& pasteboardName, const String& pasteboardType, const String& string, uint64_t& newChangeCount)
Modified: branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.cpp (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.cpp 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.cpp 2017-01-13 06:10:43 UTC (rev 210714)
@@ -52,6 +52,12 @@
{
// FIXME: Can we handle all of these on a background queue?
webProcessProxy.addMessageReceiver(Messages::WebPasteboardProxy::messageReceiverName(), *this);
+ m_webProcessProxyList.add(&webProcessProxy);
}
+
+void WebPasteboardProxy::removeWebProcessProxy(WebProcessProxy& webProcessProxy)
+{
+ m_webProcessProxyList.remove(&webProcessProxy);
+}
} // namespace WebKit
Modified: branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.h (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.h 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.h 2017-01-13 06:10:43 UTC (rev 210714)
@@ -29,6 +29,7 @@
#include "MessageReceiver.h"
#include "SharedMemory.h"
#include <wtf/Forward.h>
+#include <wtf/HashSet.h>
#include <wtf/NeverDestroyed.h>
#include <wtf/Vector.h>
@@ -51,6 +52,7 @@
static WebPasteboardProxy& singleton();
void addWebProcessProxy(WebProcessProxy&);
+ void removeWebProcessProxy(WebProcessProxy&);
#if PLATFORM(GTK)
void setPrimarySelectionOwner(WebFrameProxy*);
@@ -59,6 +61,8 @@
private:
WebPasteboardProxy();
+
+ typedef HashSet<WebProcessProxy*> WebProcessProxyList;
void didReceiveMessage(IPC::Connection&, IPC::Decoder&) override;
void didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder>&) override;
@@ -84,7 +88,7 @@
void getPasteboardURL(const String& pasteboardName, WTF::String&);
void addPasteboardTypes(const String& pasteboardName, const Vector<String>& pasteboardTypes, uint64_t& newChangeCount);
void setPasteboardTypes(const String& pasteboardName, const Vector<String>& pasteboardTypes, uint64_t& newChangeCount);
- void setPasteboardPathnamesForType(const String& pasteboardName, const String& pasteboardType, const Vector<String>& pathnames, uint64_t& newChangeCount);
+ void setPasteboardPathnamesForType(IPC::Connection&, const String& pasteboardName, const String& pasteboardType, const Vector<String>& pathnames, uint64_t& newChangeCount);
void setPasteboardStringForType(const String& pasteboardName, const String& pasteboardType, const String&, uint64_t& newChangeCount);
void setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, uint64_t& newChangeCount);
#endif
@@ -95,6 +99,8 @@
WebFrameProxy* m_primarySelectionOwner { nullptr };
WebFrameProxy* m_frameWritingToClipboard { nullptr };
#endif // PLATFORM(GTK)
+
+ WebProcessProxyList m_webProcessProxyList;
};
} // namespace WebKit
Modified: branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.messages.in (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.messages.in 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/UIProcess/WebPasteboardProxy.messages.in 2017-01-13 06:10:43 UTC (rev 210714)
@@ -44,7 +44,7 @@
GetPasteboardURL(String pasteboardName) -> (String urlString)
AddPasteboardTypes(String pasteboardName, Vector<String> pasteboardTypes) -> (uint64_t changeCount)
SetPasteboardTypes(String pasteboardName, Vector<String> pasteboardTypes) -> (uint64_t changeCount)
- SetPasteboardPathnamesForType(String pasteboardName, String pasteboardType, Vector<String> pathnames) -> (uint64_t changeCount)
+ SetPasteboardPathnamesForType(String pasteboardName, String pasteboardType, Vector<String> pathnames) -> (uint64_t changeCount) WantsConnection
SetPasteboardStringForType(String pasteboardName, String pasteboardType, String string) -> (uint64_t changeCount)
SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (uint64_t changeCount)
#endif
Modified: branches/safari-603-branch/Source/WebKit2/UIProcess/WebProcessProxy.cpp (210713 => 210714)
--- branches/safari-603-branch/Source/WebKit2/UIProcess/WebProcessProxy.cpp 2017-01-13 06:10:40 UTC (rev 210713)
+++ branches/safari-603-branch/Source/WebKit2/UIProcess/WebProcessProxy.cpp 2017-01-13 06:10:43 UTC (rev 210714)
@@ -109,6 +109,8 @@
WebProcessProxy::~WebProcessProxy()
{
ASSERT(m_pageURLRetainCountMap.isEmpty());
+
+ WebPasteboardProxy::singleton().removeWebProcessProxy(*this);
if (m_webConnection)
m_webConnection->invalidate();
