Title: [254718] trunk/Source/WebKit
- Revision
- 254718
- Author
- [email protected]
- Date
- 2020-01-16 16:13:48 -0800 (Thu, 16 Jan 2020)
Log Message
IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
https://bugs.webkit.org/show_bug.cgi?id=206376
<rdar://problem/58622645>
Reviewed by David Kilzer.
IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*: validate identifiers sent over
IPC to make sure they are valid keys in our HashMap.
* UIProcess/WebPageProxy.cpp:
* UIProcess/WebPageProxy.h:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (254717 => 254718)
--- trunk/Source/WebKit/ChangeLog 2020-01-17 00:06:35 UTC (rev 254717)
+++ trunk/Source/WebKit/ChangeLog 2020-01-17 00:13:48 UTC (rev 254718)
@@ -1,3 +1,17 @@
+2020-01-16 Chris Dumez <[email protected]>
+
+ IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
+ https://bugs.webkit.org/show_bug.cgi?id=206376
+ <rdar://problem/58622645>
+
+ Reviewed by David Kilzer.
+
+ IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*, validate identifiers sent over
+ IPC to make sure they are valid keys in our HashMap.
+
+ * UIProcess/WebPageProxy.cpp:
+ * UIProcess/WebPageProxy.h:
+
2020-01-16 Don Olmstead <[email protected]>
[PlayStation] Enable WebKit
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (254717 => 254718)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-01-17 00:06:35 UTC (rev 254717)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-01-17 00:13:48 UTC (rev 254718)
@@ -9172,6 +9172,8 @@
void WebPageProxy::registerAttachmentIdentifierFromData(const String& identifier, const String& contentType, const String& preferredFileName, const IPC::DataReference& data)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (attachmentForIdentifier(identifier))
return;
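Review bot: The new `MESSAGE_CHECK` at the top of registerAttachmentIdentifierFromData has no comment saying what `isValidKey` actually rejects, and the same holds for the checks added to registerAttachmentIdentifierFromFilePath, registerAttachmentIdentifier and cloneAttachmentData. As far as I know, HashMap::isValidKey only refuses the table's empty and deleted sentinel keys (for a String key, presumably the null string), so it protects the map's invariants and is not a format or length check on the identifier. I would add `// A null or deleted-value String is a HashMap sentinel; a web process that sends one is misbehaving.` above each check so later readers do not mistake it for full input validation. The function body continues past the end of this hunk.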
@@ -9184,6 +9186,8 @@
void WebPageProxy::registerAttachmentIdentifierFromFilePath(const String& identifier, const String& contentType, const String& filePath)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (attachmentForIdentifier(identifier))
return;
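Review bot: `filePath` reaches registerAttachmentIdentifierFromFilePath in the same IPC message as `identifier`, but only the identifier is checked in the lines shown. The rest of the body is outside the hunk, so I cannot tell whether the path is constrained further down; if it is not, the UI process would be acting on a path chosen entirely by the less-trusted web process. At minimum I would record the open question next to the new check: `// FIXME: filePath is also web-process-controlled; confirm it is limited to files that process was granted access to.`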
@@ -9197,6 +9201,8 @@
void WebPageProxy::registerAttachmentIdentifier(const String& identifier)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (!attachmentForIdentifier(identifier))
m_attachmentIdentifierToAttachmentMap.set(identifier, ensureAttachment(identifier));
}
@@ -9212,6 +9218,9 @@
void WebPageProxy::cloneAttachmentData(const String& fromIdentifier, const String& toIdentifier)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(fromIdentifier));
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(toIdentifier));
+
auto newAttachment = ensureAttachment(toIdentifier);
auto existingAttachment = attachmentForIdentifier(fromIdentifier);
if (!existingAttachment) {
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (254717 => 254718)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-01-17 00:06:35 UTC (rev 254717)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-01-17 00:13:48 UTC (rev 254718)
@@ -2631,7 +2631,8 @@
HashMap<uint64_t, Ref<WebURLSchemeHandler>> m_urlSchemeHandlersByIdentifier;
#if ENABLE(ATTACHMENT_ELEMENT)
- HashMap<String, Ref<API::Attachment>> m_attachmentIdentifierToAttachmentMap;
+ using IdentifierToAttachmentMap = HashMap<String, Ref<API::Attachment>>;
+ IdentifierToAttachmentMap m_attachmentIdentifierToAttachmentMap;
#endif
const std::unique_ptr<WebPageInspectorController> m_inspectorController;