Title: [254719] trunk/Source/WebKit
- Revision
- 254719
- Author
- [email protected]
- Date
- 2020-01-16 16:15:21 -0800 (Thu, 16 Jan 2020)
Log Message
IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages
https://bugs.webkit.org/show_bug.cgi?id=206378
<rdar://problem/58622919>
Reviewed by Geoffrey Garen.
IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages.
Make sure the UUID passed over IPC is a valid HashMap key.
* UIProcess/WebPageProxy.h:
* UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication):
(WebKit::WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (254718 => 254719)
--- trunk/Source/WebKit/ChangeLog 2020-01-17 00:13:48 UTC (rev 254718)
+++ trunk/Source/WebKit/ChangeLog 2020-01-17 00:15:21 UTC (rev 254719)
@@ -1,5 +1,21 @@
2020-01-16 Chris Dumez <[email protected]>
+ IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages
+ https://bugs.webkit.org/show_bug.cgi?id=206378
+ <rdar://problem/58622919>
+
+ Reviewed by Geoffrey Garen.
+
+ IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages.
+ Make sure the UUID passed over IPC is a valid HashMap key.
+
+ * UIProcess/WebPageProxy.h:
+ * UIProcess/mac/WebPageProxyMac.mm:
+ (WebKit::WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication):
+ (WebKit::WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication):
+
+2020-01-16 Chris Dumez <[email protected]>
+
IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
https://bugs.webkit.org/show_bug.cgi?id=206376
<rdar://problem/58622645>
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (254718 => 254719)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-01-17 00:13:48 UTC (rev 254718)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-01-17 00:15:21 UTC (rev 254719)
@@ -2561,7 +2561,8 @@
bool m_shouldSuppressNextAutomaticNavigationSnapshot { false };
#if PLATFORM(COCOA)
- HashMap<String, String> m_temporaryPDFFiles;
+ using TemporaryPDFFileMap = HashMap<String, String>;
+ TemporaryPDFFileMap m_temporaryPDFFiles;
std::unique_ptr<WebCore::RunLoopObserver> m_activityStateChangeDispatcher;
std::unique_ptr<RemoteLayerTreeScrollingPerformanceData> m_scrollingPerformanceData;
Modified: trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (254718 => 254719)
--- trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm 2020-01-17 00:13:48 UTC (rev 254718)
+++ trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm 2020-01-17 00:15:21 UTC (rev 254719)
@@ -495,6 +495,8 @@
void WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication(const String& suggestedFilename, const String& originatingURLString, const IPC::DataReference& data, const String& pdfUUID)
{
+ MESSAGE_CHECK(TemporaryPDFFileMap::isValidKey(pdfUUID));
+
// FIXME: Write originatingURLString to the file's originating URL metadata (perhaps FileSystem::setMetadataURL()?).
UNUSED_PARAM(originatingURLString);
@@ -532,6 +534,8 @@
void WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication(const String& pdfUUID)
{
+ MESSAGE_CHECK(TemporaryPDFFileMap::isValidKey(pdfUUID));
+
String pdfFilename = m_temporaryPDFFiles.get(pdfUUID);
if (!pdfFilename.endsWithIgnoringASCIICase(".pdf"))
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
