Title: [255935] releases/WebKitGTK/webkit-2.28/Source
- Revision
- 255935
- Author
- [email protected]
- Date
- 2020-02-06 07:10:53 -0800 (Thu, 06 Feb 2020)
Log Message
Merge r255876 - [IPC hardening] Fail IPC decoding of invalid ClientOrigin objects
https://bugs.webkit.org/show_bug.cgi?id=207305
<rdar://problem/58797651>
Reviewed by Brent Fulgham.
Fail IPC decoding of invalid ClientOrigin objects (empty ClientOrigin or deleted value in a HashMap).
* page/ClientOrigin.h:
(WebCore::ClientOrigin::decode):
* page/SecurityOriginData.h:
(WebCore::SecurityOriginData::decode):
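--- a/releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog
+++ b/releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog
@@ -1,5 +1,20 @@
 2020-02-05 Chris Dumez <[email protected]>
+ [IPC hardening] Fail IPC decoding of invalid ClientOrigin objects
+ https://bugs.webkit.org/show_bug.cgi?id=207305
+ <rdar://problem/58797651>
+
+ Reviewed by Brent Fulgham.
+
+ Fail IPC decoding of invalid ClientOrigin objects (empty ClientOrigin or deleted value in a HashMap).
+
+ * page/ClientOrigin.h:
+ (WebCore::ClientOrigin::decode):
+ * page/SecurityOriginData.h:
+ (WebCore::SecurityOriginData::decode):
+
+2020-02-05 Chris Dumez <[email protected]>
+
 Regression(r248734) StorageAreaMap objects are getting leaked
 https://bugs.webkit.org/show_bug.cgi?id=207073
 <rdar://problem/59168065>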
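--- a/releases/WebKitGTK/webkit-2.28/Source/WebCore/page/ClientOrigin.h
+++ b/releases/WebKitGTK/webkit-2.28/Source/WebCore/page/ClientOrigin.h
@@ -80,10 +80,10 @@
 Optional<SecurityOriginData> topOrigin;
 Optional<SecurityOriginData> clientOrigin;
 decoder >> topOrigin;
- if (!topOrigin)
+ if (!topOrigin || topOrigin->isEmpty())
 return WTF::nullopt;
 decoder >> clientOrigin;
- if (!clientOrigin)
+ if (!clientOrigin || clientOrigin->isEmpty())
 return WTF::nullopt;
 return ClientOrigin { WTFMove(*topOrigin), WTFMove(*clientOrigin) };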
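Review bot: The added `isEmpty()` checks become the only guard against an empty origin being used as a HashMap key, because the CacheStorageEngine.cpp hunk in this same commit drops its `m_caches.isValidKey(origin)` check on what appears to be a decoded ClientOrigin; that reliance is invisible here and should be recorded. Suggest a comment above the first check: `// Empty origins are rejected at decode time; IPC callers rely on this instead of validating the key themselves.` The checks cover emptiness only — whether a ClientOrigin hash-table deleted value can still be assembled from two decoded SecurityOriginData values depends on how ClientOrigin defines it, which is not visible here; presumably the new SecurityOriginData::decode guard rules it out, but worth confirming. ClientOrigin::decode begins and ends outside the hunk.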
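--- a/releases/WebKitGTK/webkit-2.28/Source/WebCore/page/SecurityOriginData.h
+++ b/releases/WebKitGTK/webkit-2.28/Source/WebCore/page/SecurityOriginData.h
@@ -119,7 +119,11 @@
 if (!decoder.decode(port))
 return WTF::nullopt;
- return {{ WTFMove(*protocol), WTFMove(*host), WTFMove(port) }};
+ SecurityOriginData data { WTFMove(*protocol), WTFMove(*host), WTFMove(port) };
+ if (data.isHashTableDeletedValue())
+ return WTF::nullopt;
+
+ return data;
 }
 struct SecurityOriginDataHashTraits : WTF::SimpleClassHashTraits<SecurityOriginData> {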
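Review bot: The new guard at `data.isHashTableDeletedValue()` rejects only the deleted value, so an all-empty SecurityOriginData still decodes successfully; any IPC message that keys a HashMap on a bare SecurityOriginData (rather than on a ClientOrigin, which checks `isEmpty()` itself in this commit) must still reject the empty value on its own. That asymmetry is worth stating in a comment, e.g. `// Only the hash-table deleted value is rejected here; emptiness is left to callers that use the origin as a key (see ClientOrigin::decode).` Whether the empty SecurityOriginData coincides with SecurityOriginDataHashTraits' empty value is not visible in the hunk — confirm before relying on it. decode() begins outside the hunk.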
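--- a/releases/WebKitGTK/webkit-2.28/Source/WebKit/NetworkProcess/cache/CacheStorageEngine.cpp
+++ b/releases/WebKitGTK/webkit-2.28/Source/WebKit/NetworkProcess/cache/CacheStorageEngine.cpp
@@ -394,11 +394,6 @@
 return;
 }
- if (!m_caches.isValidKey(origin)) {
- callback(makeUnexpected(Error::Internal));
- return;
- }
-
 auto& caches = m_caches.ensure(origin, [&origin, this] {
 auto path = cachesRootPath(origin);
 return Caches::create(*this, WebCore::ClientOrigin { origin }, WTFMove(path));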