Diff
Modified: trunk/Source/WebKit/ChangeLog (281055 => 281056)
--- trunk/Source/WebKit/ChangeLog 2021-08-14 02:28:19 UTC (rev 281055)
+++ trunk/Source/WebKit/ChangeLog 2021-08-14 04:47:04 UTC (rev 281056)
@@ -1,3 +1,21 @@
+2021-08-13 Kate Cheney <katherine_che...@apple.com>
+
+ Check quarantine bits before rendering local files
+ https://bugs.webkit.org/show_bug.cgi?id=229073
+ <rdar://problem/81430251>
+
+ Reviewed by Brent Fulgham.
+
+ We shouldn't load files unless they have no quarantine flags or
+ have been marked user approved.
+
+ * Platform/spi/mac/QuarantineSPI.h:
+ * UIProcess/Cocoa/WebPageProxyCocoa.mm:
+ (WebKit::WebPageProxy::isQuarantinedAndNotUserApproved):
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::loadFile):
+ * UIProcess/WebPageProxy.h:
+
2021-08-13 Chris Dumez <cdu...@apple.com>
Add Cross-Origin-Embedder-Policy support for Blob URLs
Modified: trunk/Source/WebKit/Platform/spi/mac/QuarantineSPI.h (281055 => 281056)
--- trunk/Source/WebKit/Platform/spi/mac/QuarantineSPI.h 2021-08-14 02:28:19 UTC (rev 281055)
+++ trunk/Source/WebKit/Platform/spi/mac/QuarantineSPI.h 2021-08-14 04:47:04 UTC (rev 281056)
@@ -33,9 +33,14 @@
#else
+enum qtn_error_code {
+ QTN_NOT_QUARANTINED = -1,
+};
+
enum qtn_flags {
QTN_FLAG_DOWNLOAD = 0x0001,
QTN_FLAG_SANDBOX = 0x0002,
+ QTN_FLAG_USER_APPROVED = 0x0040,
};
#define qtn_proc_alloc _qtn_proc_alloc
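Review bot: The fallback definitions `QTN_NOT_QUARANTINED = -1` and `QTN_FLAG_USER_APPROVED = 0x0040` carry no comment saying where the values come from, yet the load gate added elsewhere in this commit depends on both. Because this `#else` branch is used when the internal SDK header is unavailable, a mismatch with the system's values would silently change which files are blocked. I would add a comment above the enums such as `// Values must match the system quarantine header; the file-load gate in WebPageProxy depends on them.` The enclosing `#if`/`#else` block starts outside this hunk.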
@@ -49,6 +54,7 @@
#define qtn_file_free _qtn_file_free
#define qtn_file_apply_to_path _qtn_file_apply_to_path
#define qtn_file_set_flags _qtn_file_set_flags
+#define qtn_file_get_flags _qtn_file_get_flags
#endif
typedef struct _qtn_proc *qtn_proc_t;
@@ -65,6 +71,7 @@
qtn_file_t qtn_file_alloc(void);
void qtn_file_free(qtn_file_t qf);
int qtn_file_set_flags(qtn_file_t qf, uint32_t flags);
+uint32_t qtn_file_get_flags(qtn_file_t qf);
int qtn_file_apply_to_path(qtn_file_t qf, const char *path);
int qtn_file_init_with_path(qtn_file_t qf, const char *path);
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm (281055 => 281056)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm 2021-08-14 02:28:19 UTC (rev 281055)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm 2021-08-14 04:47:04 UTC (rev 281056)
@@ -35,6 +35,7 @@
#import "InsertTextOptions.h"
#import "LoadParameters.h"
#import "PageClient.h"
+#import "QuarantineSPI.h"
#import "QuickLookThumbnailLoader.h"
#import "SafeBrowsingSPI.h"
#import "SafeBrowsingWarning.h"
@@ -90,6 +91,8 @@
#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
#define MESSAGE_CHECK_COMPLETION(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, process().connection(), completion)
+#define WEBPAGEPROXY_RELEASE_LOG(channel, fmt, ...) RELEASE_LOG(channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
+
namespace WebKit {
using namespace WebCore;
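Review bot: The new `WEBPAGEPROXY_RELEASE_LOG` macro has no matching `#undef` in the hunks shown, although the end of this file already undefines `MESSAGE_CHECK_COMPLETION`. WebPageProxy.cpp uses a macro of the same name, so if both files end up in one unified-build translation unit, a definition that differs by even one token would be a redefinition. I would add `#undef WEBPAGEPROXY_RELEASE_LOG` next to the existing `#undef` lines at the bottom of the file. The tail of the file is outside this page, so confirm it is not already there.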
@@ -718,6 +721,34 @@
return nil;
}
+#if PLATFORM(MAC)
+bool WebPageProxy::isQuarantinedAndNotUserApproved(const String& fileURLString)
+{
+ NSURL *fileURL = [NSURL URLWithString:fileURLString];
+ qtn_file_t qf = qtn_file_alloc();
+
+ int quarantineError = qtn_file_init_with_path(qf, fileURL.path.fileSystemRepresentation);
+
+ if (quarantineError == ENOENT || quarantineError == QTN_NOT_QUARANTINED)
+ return false;
+
+ if (quarantineError) {
+ // If we fail to check the quarantine status, assume the file is quarantined and not user approved to be safe.
+ WEBPAGEPROXY_RELEASE_LOG(Loading, "isQuarantinedAndNotUserApproved: failed to initialize quarantine file with path.");
+ qtn_file_free(qf);
+ return true;
+ }
+
+ uint32_t fileflags = qtn_file_get_flags(qf);
+ qtn_file_free(qf);
+
+ if (fileflags & QTN_FLAG_USER_APPROVED)
+ return false;
+
+ return true;
+}
+#endif
+
} // namespace WebKit
#undef MESSAGE_CHECK_COMPLETION
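Review bot: The early `return false` for `ENOENT` / `QTN_NOT_QUARANTINED` in `isQuarantinedAndNotUserApproved` exits without calling `qtn_file_free(qf)`. That leaks the handle from `qtn_file_alloc()` on every load of a non-quarantined file, which is the common case. Free it on that path as the other two exits do: `if (quarantineError == ENOENT || quarantineError == QTN_NOT_QUARANTINED) { qtn_file_free(qf); return false; }`. Separately, `[NSURL URLWithString:]` returns nil for a malformed string, so `fileURL.path.fileSystemRepresentation` would pass a NULL path to the SPI; if that is reported as `ENOENT`, the check fails open. A guard such as `if (!fileURL.isFileURL) return true;` before `qtn_file_alloc()` would keep the fail-closed intent stated in the comment, but first confirm what `loadFile` already validates before this call.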
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (281055 => 281056)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-08-14 02:28:19 UTC (rev 281055)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-08-14 04:47:04 UTC (rev 281056)
@@ -1428,6 +1428,13 @@
return nullptr;
}
+#if PLATFORM(MAC)
+ if (isQuarantinedAndNotUserApproved(fileURLString)) {
+ WEBPAGEPROXY_RELEASE_LOG(Loading, "loadFile: file cannot be opened because it is from an unidentified developer.");
+ return nullptr;
+ }
+#endif
+
if (!hasRunningProcess())
launchProcess({ }, ProcessLaunchReason::InitialProcess);
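Review bot: The release-log text in the new `loadFile` gate says the file is "from an unidentified developer", but the condition tested is a quarantine record without the user-approved flag, or a failure to read the quarantine state at all. Someone triaging a blocked load from logs would be pointed at code signing rather than the quarantine attribute. I would word it after the predicate, e.g. `"loadFile: refusing to load file because it is quarantined and not user approved."`. The function returns `nullptr` here just as the preceding check does, so the caller cannot tell the two refusals apart except through this log line. `loadFile` begins and continues outside this hunk.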
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (281055 => 281056)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.h 2021-08-14 02:28:19 UTC (rev 281055)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h 2021-08-14 04:47:04 UTC (rev 281056)
@@ -1967,6 +1967,10 @@
bool needsSiteSpecificViewportQuirks() const { return m_needsSiteSpecificViewportQuirks; }
void setNeedsSiteSpecificViewportQuirks(bool value) { m_needsSiteSpecificViewportQuirks = value; }
+#if PLATFORM(MAC)
+ bool isQuarantinedAndNotUserApproved(const String&);
+#endif
+
private:
WebPageProxy(PageClient&, WebProcessProxy&, Ref<API::PageConfiguration>&&);
void platformInitialize();
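Review bot: `isQuarantinedAndNotUserApproved` is declared above the `private:` label, so it joins the class's externally visible interface even though the only caller on this page is `WebPageProxy::loadFile`. Unless something outside this commit needs it, I would move the `#if PLATFORM(MAC)` block below `private:`. The unnamed `const String&` parameter also hides that the argument is a file URL string rather than a filesystem path, which matters because the implementation parses it with `NSURL URLWithString:`. I would declare it as `bool isQuarantinedAndNotUserApproved(const String& fileURLString);`. The class body starts and ends outside this hunk.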