Diff
Modified: trunk/Source/WebKit/ChangeLog (254891 => 254892)
--- trunk/Source/WebKit/ChangeLog 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/ChangeLog 2020-01-22 00:08:40 UTC (rev 254892)
@@ -1,3 +1,31 @@
+2020-01-21 Chris Dumez <[email protected]>
+
+ [IPC Hardening] Only process Messages::NetworkProcess messages when sent by the UIProcess
+ https://bugs.webkit.org/show_bug.cgi?id=206558
+ <rdar://problem/58733679>
+
+ Reviewed by Alex Christensen.
+
+ Port UpdateQuotaBasedOnSpaceUsageForTesting IPC from the NetworkProcess to the NetworkConnectionToWebProcess
+ since it is sent by the WebContent process. As a result, we can now stop forwarding all Messages::NetworkProcess
+ IPC messages from the WebContent process to the NetworkProcess class.
+
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::didReceiveMessage):
+ (WebKit::NetworkConnectionToWebProcess::didReceiveSyncMessage):
+ (WebKit::NetworkConnectionToWebProcess::updateQuotaBasedOnSpaceUsageForTesting):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcess.cpp:
+ (WebKit::NetworkProcess::didReceiveMessage):
+ (WebKit::NetworkProcess::didReceiveSyncMessage):
+ * NetworkProcess/NetworkProcess.h:
+ * NetworkProcess/NetworkProcess.messages.in:
+ * Platform/IPC/StringReference.h:
+ (IPC::StringReference::operator!=):
+ * WebProcess/Cache/WebCacheStorageConnection.cpp:
+ (WebKit::WebCacheStorageConnection::updateQuotaBasedOnSpaceUsage):
+
2020-01-21 Daniel Bates <[email protected]>
Add Legacy WebKit SPI and WebKit IPI to show and hide placeholder
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2020-01-22 00:08:40 UTC (rev 254892)
@@ -157,6 +157,9 @@
void NetworkConnectionToWebProcess::didReceiveMessage(IPC::Connection& connection, IPC::Decoder& decoder)
{
+ // For security reasons, Messages::NetworkProcess IPC is only supposed to come from the UIProcess.
+ ASSERT(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName());
+
if (decoder.messageReceiverName() == Messages::NetworkConnectionToWebProcess::messageReceiverName()) {
didReceiveNetworkConnectionToWebProcessMessage(connection, decoder);
return;
@@ -185,12 +188,6 @@
return;
}
- if (decoder.messageReceiverName() == Messages::NetworkProcess::messageReceiverName()) {
- m_networkProcess->didReceiveNetworkProcessMessage(connection, decoder);
- return;
- }
-
-
#if USE(LIBWEBRTC)
if (decoder.messageReceiverName() == Messages::NetworkRTCSocket::messageReceiverName()) {
rtcProvider().didReceiveNetworkRTCSocketMessage(connection, decoder);
@@ -241,8 +238,7 @@
return paymentCoordinator().didReceiveMessage(connection, decoder);
#endif
- LOG_ERROR("Unhandled network process message '%s:%s'", decoder.messageReceiverName().toString().data(), decoder.messageName().toString().data());
-
+ WTFLogAlways("Unhandled network process message '%s:%s'", decoder.messageReceiverName().toString().data(), decoder.messageName().toString().data());
ASSERT_NOT_REACHED();
}
@@ -264,6 +260,9 @@
void NetworkConnectionToWebProcess::didReceiveSyncMessage(IPC::Connection& connection, IPC::Decoder& decoder, std::unique_ptr<IPC::Encoder>& reply)
{
+ // For security reasons, Messages::NetworkProcess IPC is only supposed to come from the UIProcess.
+ ASSERT(decoder.messageReceiverName() != Messages::NetworkProcess::messageReceiverName());
+
if (decoder.messageReceiverName() == Messages::NetworkConnectionToWebProcess::messageReceiverName()) {
didReceiveSyncNetworkConnectionToWebProcessMessage(connection, decoder, reply);
return;
@@ -282,9 +281,16 @@
return paymentCoordinator().didReceiveSyncMessage(connection, decoder, reply);
#endif
+ WTFLogAlways("Unhandled network process message '%s:%s'", decoder.messageReceiverName().toString().data(), decoder.messageName().toString().data());
ASSERT_NOT_REACHED();
}
+void NetworkConnectionToWebProcess::updateQuotaBasedOnSpaceUsageForTesting(const ClientOrigin& origin)
+{
+ auto storageQuotaManager = m_networkProcess->storageQuotaManager(sessionID(), origin);
+ storageQuotaManager->resetQuotaUpdatedBasedOnUsageForTesting();
+}
+
void NetworkConnectionToWebProcess::didClose(IPC::Connection& connection)
{
#if ENABLE(SERVICE_WORKER)
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2020-01-22 00:08:40 UTC (rev 254892)
@@ -219,6 +219,7 @@
void createSocketStream(URL&&, String cachePartition, uint64_t);
void createSocketChannel(const WebCore::ResourceRequest&, const String& protocol, uint64_t identifier);
+ void updateQuotaBasedOnSpaceUsageForTesting(const WebCore::ClientOrigin&);
#if ENABLE(SERVICE_WORKER)
void establishSWServerConnection();
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2020-01-22 00:08:40 UTC (rev 254892)
@@ -79,6 +79,7 @@
CloseSWContextConnection()
#endif
+ UpdateQuotaBasedOnSpaceUsageForTesting(struct WebCore::ClientOrigin origin)
CreateNewMessagePortChannel(struct WebCore::MessagePortIdentifier port1, struct WebCore::MessagePortIdentifier port2)
EntangleLocalPortInThisProcessToRemote(struct WebCore::MessagePortIdentifier local, struct WebCore::MessagePortIdentifier remote)
MessagePortDisentangled(struct WebCore::MessagePortIdentifier local)
Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2020-01-22 00:08:40 UTC (rev 254892)
@@ -214,6 +214,13 @@
void NetworkProcess::didReceiveMessage(IPC::Connection& connection, IPC::Decoder& decoder)
{
+ ASSERT(parentProcessConnection() == &connection);
+ if (parentProcessConnection() != &connection) {
+ WTFLogAlways("Ignored message '%s:%s' because it did not come from the UIProcess (destination: %" PRIu64 ")", decoder.messageReceiverName().toString().data(), decoder.messageName().toString().data(), decoder.destinationID());
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
if (messageReceiverMap().dispatchMessage(connection, decoder))
return;
@@ -234,6 +241,13 @@
void NetworkProcess::didReceiveSyncMessage(IPC::Connection& connection, IPC::Decoder& decoder, std::unique_ptr<IPC::Encoder>& replyEncoder)
{
+ ASSERT(parentProcessConnection() == &connection);
+ if (parentProcessConnection() != &connection) {
+ WTFLogAlways("Ignored message '%s:%s' because it did not come from the UIProcess (destination: %" PRIu64 ")", decoder.messageReceiverName().toString().data(), decoder.messageName().toString().data(), decoder.destinationID());
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
if (messageReceiverMap().dispatchSyncMessage(connection, decoder, replyEncoder))
return;
@@ -2325,12 +2339,6 @@
m_storageManagerSet->deleteLocalStorageModifiedSince(PAL::SessionID::legacyPrivateSessionID(), -WallTime::infinity(), []() { });
}
-void NetworkProcess::updateQuotaBasedOnSpaceUsageForTesting(PAL::SessionID sessionID, const ClientOrigin& origin)
-{
- auto storageQuotaManager = this->storageQuotaManager(sessionID, origin);
- storageQuotaManager->resetQuotaUpdatedBasedOnUsageForTesting();
-}
-
void NetworkProcess::resetQuota(PAL::SessionID sessionID, CompletionHandler<void()>&& completionHandler)
{
LockHolder locker(m_sessionStorageQuotaManagersLock);
Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcess.h (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkProcess.h 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcess.h 2020-01-22 00:08:40 UTC (rev 254892)
@@ -285,7 +285,6 @@
void syncLocalStorage(CompletionHandler<void()>&&);
void clearLegacyPrivateBrowsingLocalStorage();
- void updateQuotaBasedOnSpaceUsageForTesting(PAL::SessionID, const WebCore::ClientOrigin&);
void resetQuota(PAL::SessionID, CompletionHandler<void()>&&);
#if ENABLE(SANDBOX_EXTENSIONS)
@@ -292,8 +291,6 @@
void getSandboxExtensionsForBlobFiles(const Vector<String>& filenames, CompletionHandler<void(SandboxExtension::HandleArray&&)>&&);
#endif
- void didReceiveNetworkProcessMessage(IPC::Connection&, IPC::Decoder&);
-
#if ENABLE(SERVICE_WORKER)
WebCore::SWServer* swServerForSessionIfExists(PAL::SessionID sessionID) { return m_swServers.get(sessionID); }
WebCore::SWServer& swServerForSession(PAL::SessionID);
@@ -348,6 +345,8 @@
void platformInitializeNetworkProcess(const NetworkProcessCreationParameters&);
std::unique_ptr<WebCore::NetworkStorageSession> platformCreateDefaultStorageSession() const;
+ void didReceiveNetworkProcessMessage(IPC::Connection&, IPC::Decoder&);
+
void terminate() override;
void platformTerminate();
Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcess.messages.in (254891 => 254892)
--- trunk/Source/WebKit/NetworkProcess/NetworkProcess.messages.in 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcess.messages.in 2020-01-22 00:08:40 UTC (rev 254892)
@@ -154,8 +154,6 @@
SyncLocalStorage() -> () Synchronous
ClearLegacyPrivateBrowsingLocalStorage()
- UpdateQuotaBasedOnSpaceUsageForTesting(PAL::SessionID sessionID, struct WebCore::ClientOrigin origin)
-
StoreAdClickAttribution(PAL::SessionID sessionID, WebCore::AdClickAttribution adClickAttribution)
DumpAdClickAttribution(PAL::SessionID sessionID) -> (String adClickAttributionState) Async
ClearAdClickAttribution(PAL::SessionID sessionID) -> () Async
Modified: trunk/Source/WebKit/Platform/IPC/StringReference.h (254891 => 254892)
--- trunk/Source/WebKit/Platform/IPC/StringReference.h 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/Platform/IPC/StringReference.h 2020-01-22 00:08:40 UTC (rev 254892)
@@ -68,6 +68,11 @@
return a.m_size == b.m_size && !memcmp(a.m_data, b.m_data, a.m_size);
}
+ friend bool operator!=(const StringReference& a, const StringReference& b)
+ {
+ return !(a == b);
+ }
+
void encode(Encoder&) const;
static bool decode(Decoder&, StringReference&);
Modified: trunk/Source/WebKit/WebProcess/Cache/WebCacheStorageConnection.cpp (254891 => 254892)
--- trunk/Source/WebKit/WebProcess/Cache/WebCacheStorageConnection.cpp 2020-01-21 23:53:27 UTC (rev 254891)
+++ trunk/Source/WebKit/WebProcess/Cache/WebCacheStorageConnection.cpp 2020-01-22 00:08:40 UTC (rev 254892)
@@ -107,7 +107,7 @@
void WebCacheStorageConnection::updateQuotaBasedOnSpaceUsage(const WebCore::ClientOrigin& origin)
{
- connection().send(Messages::NetworkProcess::UpdateQuotaBasedOnSpaceUsageForTesting(WebProcess::singleton().sessionID(), origin), 0);
+ connection().send(Messages::NetworkConnectionToWebProcess::UpdateQuotaBasedOnSpaceUsageForTesting(origin), 0);
}
}
