Title: [252484] trunk/Source/WebKit
- Revision
- 252484
- Author
- [email protected]
- Date
- 2019-11-15 08:36:23 -0800 (Fri, 15 Nov 2019)
Log Message
Regression(r244361) iOS: Layout test http/tests/quicklook/rtf-document-domain-is-empty-string.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=204205
<rdar://problem/51864314>
Reviewed by Alex Christensen.
In this test, NSHTMLWriter ends up creating a WebArchive providing file:///index.html as URL. The page's script
then calls document.open(), which triggers a DidExplicitOpenForFrame() IPC to the UIProcess with this URL.
This trips our MESSAGE_CHECK_URL() check in the UIProcess when this path is not within the WebContent process'
sandbox, and we kill the WebContent process. To address the issue, this patch replaces the MESSAGE_CHECK_URL()
with an if check and an early return so that we ignore the IPC if the URL does not make sense, without actually
terminating the WebContent process.
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didExplicitOpenForFrame):
Modified Paths
- trunk/Source/WebKit/ChangeLog
- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
Diff
Modified: trunk/Source/WebKit/ChangeLog (252483 => 252484)
--- trunk/Source/WebKit/ChangeLog 2019-11-15 15:41:25 UTC (rev 252483)
+++ trunk/Source/WebKit/ChangeLog 2019-11-15 16:36:23 UTC (rev 252484)
@@ -1,3 +1,21 @@
+2019-11-15 Chris Dumez <[email protected]>
+
+ Regression(r244361) iOS: Layout test http/tests/quicklook/rtf-document-domain-is-empty-string.html is crashing
+ https://bugs.webkit.org/show_bug.cgi?id=204205
+ <rdar://problem/51864314>
+
+ Reviewed by Alex Christensen.
+
+ In this test, NSHTMLWriter ends up creating a WebArchive providing file:///index.html as URL. The page's script
+ then calls document.open(), which triggers a DidExplicitOpenForFrame() IPC to the UIProcess with this URL.
+ This trips our MESSAGE_CHECK_URL() check in the UIProcess when this path is not within the WebContent process'
+ sandbox, and we kill the WebContent process. To address the issue, this patch replaces the MESSAGE_CHECK_URL()
+ with an if check and an early return so that we ignore the IPC if the URL does not make sense, without actually
+ terminating the WebContent process.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::didExplicitOpenForFrame):
+
2019-11-12 Youenn Fablet <[email protected]>
Update libwebrtc to M78
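Review bot: the entry describes the replacement only as "an if check and an early return" and does not name the check that now gates the IPC, checkURLReceivedFromCurrentOrPreviousWebProcess(), nor that the ignored message is reported via RELEASE_LOG_ERROR_IF_ALLOWED(); naming both here would make the behaviour change (unexpected URL now logged and dropped instead of terminating the WebContent process) traceable from the ChangeLog alone.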
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (252483 => 252484)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2019-11-15 15:41:25 UTC (rev 252483)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2019-11-15 16:36:23 UTC (rev 252484)
@@ -4150,8 +4150,12 @@
{
auto* frame = m_process->webFrame(frameID);
MESSAGE_CHECK(m_process, frame);
- MESSAGE_CHECK_URL(m_process, url);
+ if (!checkURLReceivedFromCurrentOrPreviousWebProcess(m_process, url)) {
+ RELEASE_LOG_ERROR_IF_ALLOWED(Process, "Ignoring WebPageProxy::DidExplicitOpenForFrame() IPC from the WebContent process because the file URL is outside the sandbox");
+ return;
+ }
+
auto transaction = m_pageLoadState.transaction();
if (frame->isMainFrame())
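Review bot: the RELEASE_LOG_ERROR_IF_ALLOWED message states a specific cause ("the file URL is outside the sandbox") that the condition does not establish: all that is known at that point is that checkURLReceivedFromCurrentOrPreviousWebProcess(m_process, url) returned false, and nothing in the hunk limits that to file URLs or to sandbox violations. Suggest wording the message in terms of the failed check, e.g. "because the URL failed checkURLReceivedFromCurrentOrPreviousWebProcess()", so the log does not mislead when the check fails for another reason. It is also worth noting explicitly in review that this downgrades the response to an unexpected URL from MESSAGE_CHECK_URL(), which terminates the sending WebContent process, to logging and dropping the message; the legitimate file:///index.html WebArchive case described in the ChangeLog justifies that, and the early return before m_pageLoadState.transaction() keeps the UIProcess load state untouched for the rejected message, which is the right conservative outcome.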
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes