[webkit-changes] [239104] trunk/Source/WebKit

[cdumez]

Title: [239104] trunk/Source/WebKit

Revision

239104

Author

cdu...@apple.com

Date

2018-12-12 08:01:00 -0800 (Wed, 12 Dec 2018)

Log Message

Restore MESSAGE_CHECK_URL() security check on sourceURL in didPerformClientRedirect()
https://bugs.webkit.org/show_bug.cgi?id=191982
<rdar://problem/46258054>

Reviewed by Alex Christensen.

Have the WebPageProxy remember the local paths it previously visited so that the
MESSAGE_CHECK_URL() checks still work when process-swap on navigation is enabled.

Add back MESSAGE_CHECK_URL() on sourceURL in didPerformClientRedirect().

* UIProcess/Cocoa/WebPageProxyCocoa.mm:
(WebKit::WebPageProxy::createSandboxExtensionsIfNeeded):
* UIProcess/RemoteWebInspectorProxy.cpp:
(WebKit::RemoteWebInspectorProxy::createFrontendPageAndWindow):
* UIProcess/WebInspectorProxy.cpp:
(WebKit::WebInspectorProxy::createFrontendPage):
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::loadRequestWithNavigation):
(WebKit::WebPageProxy::loadFile):
(WebKit::WebPageProxy::loadDataWithNavigation):
(WebKit::WebPageProxy::loadAlternateHTML):
(WebKit::WebPageProxy::reload):
(WebKit::WebPageProxy::didPerformClientRedirect):
(WebKit::WebPageProxy::backForwardGoToItem):
(WebKit::WebPageProxy::checkURLReceivedFromCurrentOrPreviousWebProcess):
(WebKit::WebPageProxy::addPreviouslyVisitedPath):
(WebKit::WebPageProxy::willAcquireUniversalFileReadSandboxExtension):
* UIProcess/WebPageProxy.h:
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::assumeReadAccessToBaseURL):
* UIProcess/WebProcessProxy.h:
* UIProcess/mac/WebPageProxyMac.mm:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm
• trunk/Source/WebKit/UIProcess/RemoteWebInspectorProxy.cpp
• trunk/Source/WebKit/UIProcess/WebInspectorProxy.cpp
• trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
• trunk/Source/WebKit/UIProcess/WebPageProxy.h
• trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp
• trunk/Source/WebKit/UIProcess/WebProcessProxy.h
• trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (239103 => 239104)

--- trunk/Source/WebKit/ChangeLog	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/ChangeLog	2018-12-12 16:01:00 UTC (rev 239104)
@@ -1,3 +1,39 @@
+2018-12-12  Chris Dumez  <cdu...@apple.com>
+
+        Restore MESSAGE_CHECK_URL() security check on sourceURL in didPerformClientRedirect()
+        https://bugs.webkit.org/show_bug.cgi?id=191982
+        <rdar://problem/46258054>
+
+        Reviewed by Alex Christensen.
+
+        Have the WebPageProxy remember the local paths it previously visited so that the
+        MESSAGE_CHECK_URL() checks still work when process-swap on navigation is enabled.
+
+        Add back MESSAGE_CHECK_URL() on sourceURL in didPerformClientRedirect().
+
+        * UIProcess/Cocoa/WebPageProxyCocoa.mm:
+        (WebKit::WebPageProxy::createSandboxExtensionsIfNeeded):
+        * UIProcess/RemoteWebInspectorProxy.cpp:
+        (WebKit::RemoteWebInspectorProxy::createFrontendPageAndWindow):
+        * UIProcess/WebInspectorProxy.cpp:
+        (WebKit::WebInspectorProxy::createFrontendPage):
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::loadRequestWithNavigation):
+        (WebKit::WebPageProxy::loadFile):
+        (WebKit::WebPageProxy::loadDataWithNavigation):
+        (WebKit::WebPageProxy::loadAlternateHTML):
+        (WebKit::WebPageProxy::reload):
+        (WebKit::WebPageProxy::didPerformClientRedirect):
+        (WebKit::WebPageProxy::backForwardGoToItem):
+        (WebKit::WebPageProxy::checkURLReceivedFromCurrentOrPreviousWebProcess):
+        (WebKit::WebPageProxy::addPreviouslyVisitedPath):
+        (WebKit::WebPageProxy::willAcquireUniversalFileReadSandboxExtension):
+        * UIProcess/WebPageProxy.h:
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::assumeReadAccessToBaseURL):
+        * UIProcess/WebProcessProxy.h:
+        * UIProcess/mac/WebPageProxyMac.mm:
+
 2018-11-30  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [WPE] Add API to notify about frame displayed view backend callback

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm	2018-12-12 16:01:00 UTC (rev 239104)
@@ -121,7 +121,7 @@
         BOOL isDirectory;
         if ([[NSFileManager defaultManager] fileExistsAtPath:files[0] isDirectory:&isDirectory] && !isDirectory) {
             SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, fileReadHandle);
-            process().willAcquireUniversalFileReadSandboxExtension();
+            willAcquireUniversalFileReadSandboxExtension();
         }
     }
 

Modified: trunk/Source/WebKit/UIProcess/RemoteWebInspectorProxy.cpp (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/RemoteWebInspectorProxy.cpp	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/RemoteWebInspectorProxy.cpp	2018-12-12 16:01:00 UTC (rev 239104)
@@ -148,7 +148,7 @@
     trackInspectorPage(m_inspectorPage);
 
     m_inspectorPage->process().addMessageReceiver(Messages::RemoteWebInspectorProxy::messageReceiverName(), m_inspectorPage->pageID(), *this);
-    m_inspectorPage->process().assumeReadAccessToBaseURL(WebInspectorProxy::inspectorBaseURL());
+    m_inspectorPage->process().assumeReadAccessToBaseURL(*m_inspectorPage, WebInspectorProxy::inspectorBaseURL());
 }
 
 void RemoteWebInspectorProxy::closeFrontendPageAndWindow()

Modified: trunk/Source/WebKit/UIProcess/WebInspectorProxy.cpp (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/WebInspectorProxy.cpp	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/WebInspectorProxy.cpp	2018-12-12 16:01:00 UTC (rev 239104)
@@ -385,7 +385,7 @@
     trackInspectorPage(m_inspectorPage);
 
     m_inspectorPage->process().addMessageReceiver(Messages::WebInspectorProxy::messageReceiverName(), m_inspectedPage->pageID(), *this);
-    m_inspectorPage->process().assumeReadAccessToBaseURL(WebInspectorProxy::inspectorBaseURL());
+    m_inspectorPage->process().assumeReadAccessToBaseURL(*m_inspectorPage, WebInspectorProxy::inspectorBaseURL());
 }
 
 void WebInspectorProxy::openLocalInspectorFrontend(bool canAttach, bool underTest)

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2018-12-12 16:01:00 UTC (rev 239104)
@@ -241,7 +241,7 @@
 #define MERGE_WHEEL_EVENTS 1
 
 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection())
-#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection())
+#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(url), m_process->connection())
 
 #define RELEASE_LOG_IF_ALLOWED(channel, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, __VA_ARGS__)
 
@@ -1066,7 +1066,7 @@
     loadParameters.clientRedirectSourceForHistory = navigation.clientRedirectSourceForHistory();
     bool createdExtension = maybeInitializeSandboxExtensionHandle(url, loadParameters.sandboxExtensionHandle);
     if (createdExtension)
-        m_process->willAcquireUniversalFileReadSandboxExtension();
+        willAcquireUniversalFileReadSandboxExtension();
     addPlatformLoadParameters(loadParameters);
 
     m_process->send(Messages::WebPage::LoadRequest(loadParameters), m_pageID);
@@ -1110,7 +1110,7 @@
     SandboxExtension::createHandle(resourceDirectoryPath, SandboxExtension::Type::ReadOnly, loadParameters.sandboxExtensionHandle);
     addPlatformLoadParameters(loadParameters);
 
-    m_process->assumeReadAccessToBaseURL(resourceDirectoryURL);
+    m_process->assumeReadAccessToBaseURL(*this, resourceDirectoryURL);
     m_process->send(Messages::WebPage::LoadRequest(loadParameters), m_pageID);
     m_process->responsivenessTimer().start();
 
@@ -1147,7 +1147,7 @@
     loadParameters.userData = UserData(process().transformObjectsToHandles(userData).get());
     addPlatformLoadParameters(loadParameters);
 
-    m_process->assumeReadAccessToBaseURL(baseURL);
+    m_process->assumeReadAccessToBaseURL(*this, baseURL);
     m_process->send(Messages::WebPage::LoadData(loadParameters), m_pageID);
     m_process->responsivenessTimer().start();
 }
@@ -1185,8 +1185,8 @@
     loadParameters.userData = UserData(process().transformObjectsToHandles(userData).get());
     addPlatformLoadParameters(loadParameters);
 
-    m_process->assumeReadAccessToBaseURL(baseURL);
-    m_process->assumeReadAccessToBaseURL(unreachableURL);
+    m_process->assumeReadAccessToBaseURL(*this, baseURL);
+    m_process->assumeReadAccessToBaseURL(*this, unreachableURL);
     m_process->send(Messages::WebPage::LoadAlternateHTML(loadParameters), m_pageID);
     m_process->responsivenessTimer().start();
 }
@@ -1250,7 +1250,7 @@
         // We may not have an extension yet if back/forward list was reinstated after a WebProcess crash or a browser relaunch
         bool createdExtension = maybeInitializeSandboxExtensionHandle(URL(URL(), url), sandboxExtensionHandle);
         if (createdExtension)
-            m_process->willAcquireUniversalFileReadSandboxExtension();
+            willAcquireUniversalFileReadSandboxExtension();
     }
 
     if (!isValid())
@@ -4498,6 +4498,7 @@
     WebFrameProxy* frame = m_process->webFrame(frameID);
     MESSAGE_CHECK(frame);
     MESSAGE_CHECK(frame->page() == this);
+    MESSAGE_CHECK_URL(sourceURLString);
     MESSAGE_CHECK_URL(destinationURLString);
 
     if (frame->isMainFrame()) {
@@ -5182,7 +5183,7 @@
 
     bool createdExtension = maybeInitializeSandboxExtensionHandle(URL(URL(), item->url()), sandboxExtensionHandle);
     if (createdExtension)
-        m_process->willAcquireUniversalFileReadSandboxExtension();
+        willAcquireUniversalFileReadSandboxExtension();
     m_backForwardList->goToItem(*item);
 }
 
@@ -8312,6 +8313,42 @@
 #endif
 }
 
+bool WebPageProxy::checkURLReceivedFromCurrentOrPreviousWebProcess(const String& urlString)
+{
+    return checkURLReceivedFromCurrentOrPreviousWebProcess(URL(URL(), urlString));
+}
+
+bool WebPageProxy::checkURLReceivedFromCurrentOrPreviousWebProcess(const URL& url)
+{
+    if (!url.isLocalFile())
+        return true;
+
+    if (m_mayHaveUniversalFileReadSandboxExtension)
+        return true;
+
+    String path = url.fileSystemPath();
+    auto startsWithURLPath = [&path](const String& visitedPath) {
+        return path.startsWith(visitedPath);
+    };
+
+    auto localPathsEnd = m_previouslyVisitedPaths.end();
+    if (std::find_if(m_previouslyVisitedPaths.begin(), localPathsEnd, startsWithURLPath) != localPathsEnd)
+        return true;
+
+    return m_process->checkURLReceivedFromWebProcess(url);
+}
+
+void WebPageProxy::addPreviouslyVisitedPath(const String& path)
+{
+    m_previouslyVisitedPaths.add(path);
+}
+
+void WebPageProxy::willAcquireUniversalFileReadSandboxExtension()
+{
+    m_mayHaveUniversalFileReadSandboxExtension = true;
+    process().willAcquireUniversalFileReadSandboxExtension();
+}
+
 #if ENABLE(DATA_DETECTION)
 
 void WebPageProxy::detectDataInAllFrames(WebCore::DataDetectorTypes types, CompletionHandler<void(const DataDetectionResult&)>&& completionHandler)

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/WebPageProxy.h	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h	2018-12-12 16:01:00 UTC (rev 239104)
@@ -362,6 +362,8 @@
     WebsiteDataStore& websiteDataStore() { return m_websiteDataStore; }
     void changeWebsiteDataStore(WebsiteDataStore&);
 
+    void addPreviouslyVisitedPath(const String&);
+
 #if ENABLE(DATA_DETECTION)
     NSArray *dataDetectionResults() { return m_dataDetectionResults.get(); }
     void detectDataInAllFrames(WebCore::DataDetectorTypes, CompletionHandler<void(const DataDetectionResult&)>&&);
@@ -1849,6 +1851,10 @@
     void stopURLSchemeTask(uint64_t handlerIdentifier, uint64_t taskIdentifier);
     void loadSynchronousURLSchemeTask(URLSchemeTaskParameters&&, Messages::WebPageProxy::LoadSynchronousURLSchemeTask::DelayedReply&&);
 
+    bool checkURLReceivedFromCurrentOrPreviousWebProcess(const String&);
+    bool checkURLReceivedFromCurrentOrPreviousWebProcess(const URL&);
+    void willAcquireUniversalFileReadSandboxExtension();
+
     void handleAutoFillButtonClick(const UserData&);
 
     void didResignInputElementStrongPasswordAppearance(const UserData&);
@@ -2292,11 +2298,13 @@
     std::optional<SpellDocumentTag> m_spellDocumentTag;
 
     std::optional<MonotonicTime> m_pageLoadStart;
+    HashSet<String> m_previouslyVisitedPaths;
 
     RunLoop::Timer<WebPageProxy> m_resetRecentCrashCountTimer;
     unsigned m_recentCrashCount { 0 };
 
     bool m_needsFontAttributes { false };
+    bool m_mayHaveUniversalFileReadSandboxExtension { false };
 
 #if HAVE(PENCILKIT)
     std::unique_ptr<EditableImageController> m_editableImageController;

Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2018-12-12 16:01:00 UTC (rev 239104)
@@ -497,7 +497,7 @@
     m_webUserContentControllerProxies.remove(&proxy);
 }
 
-void WebProcessProxy::assumeReadAccessToBaseURL(const String& urlString)
+void WebProcessProxy::assumeReadAccessToBaseURL(WebPageProxy& page, const String& urlString)
 {
     URL url(URL(), urlString);
     if (!url.isLocalFile())
@@ -513,6 +513,7 @@
     // Client loads an alternate string. This doesn't grant universal file read, but the web process is assumed
     // to have read access to this directory already.
     m_localPathsWithAssumedReadAccess.add(path);
+    page.addPreviouslyVisitedPath(path);
 }
 
 bool WebProcessProxy::hasAssumedReadAccessToURL(const URL& url) const

Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.h (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/WebProcessProxy.h	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.h	2018-12-12 16:01:00 UTC (rev 239104)
@@ -153,7 +153,7 @@
     void updateTextCheckerState();
 
     void willAcquireUniversalFileReadSandboxExtension() { m_mayHaveUniversalFileReadSandboxExtension = true; }
-    void assumeReadAccessToBaseURL(const String&);
+    void assumeReadAccessToBaseURL(WebPageProxy&, const String&);
     bool hasAssumedReadAccessToURL(const URL&) const;
 
     bool checkURLReceivedFromWebProcess(const String&);

Modified: trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (239103 => 239104)

--- trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2018-12-12 10:59:03 UTC (rev 239103)
+++ trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2018-12-12 16:01:00 UTC (rev 239104)
@@ -65,7 +65,7 @@
 #import <wtf/text/StringConcatenate.h>
 
 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
-#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection())
+#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(url), m_process->connection())
 
 using namespace WebCore;
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes