Modified: trunk/Source/WebKit/ChangeLog (258558 => 258559)
--- trunk/Source/WebKit/ChangeLog 2020-03-17 17:14:43 UTC (rev 258558)
+++ trunk/Source/WebKit/ChangeLog 2020-03-17 17:28:55 UTC (rev 258559)
@@ -1,3 +1,16 @@
+2020-03-17 Brent Fulgham <bfulg...@apple.com>
+
+ Terminate the WebContent process when receiving invalid IPC from a WebInspector session
+ https://bugs.webkit.org/show_bug.cgi?id=209157
+ <rdar://problem/58961055>
+
+ Reviewed by Chris Dumez.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::backForwardGoToItemShared): Add a message check that we are not receiving
+ the request from a WebInspector page.
+ (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Switch to a release assert.
+
2020-03-17 Per Arne Vollan <pvol...@apple.com>
[Cocoa] Disable CF prefs direct mode
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (258558 => 258559)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-03-17 17:14:43 UTC (rev 258558)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-03-17 17:28:55 UTC (rev 258559)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
* Copyright (C) 2012 Intel Corporation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -288,6 +288,7 @@
#define MESSAGE_CHECK(process, assertion) MESSAGE_CHECK_BASE(assertion, process->connection())
#define MESSAGE_CHECK_URL(process, url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(process, url), process->connection())
+#define MESSAGE_CHECK_COMPLETION(process, assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, process->connection(), completion)
#define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%" PRIu64 ", webPageID=%" PRIu64 ", PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
#define RELEASE_LOG_ERROR_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_ERROR_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%" PRIu64 ", webPageID=%" PRIu64 ", PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
@@ -1209,7 +1210,7 @@
return;
// Inspector resources are in a directory with assumed access.
- ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
ASSERT(process.connection() && process.connection()->getAuditToken());
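Review bot: The new RELEASE_ASSERT_WITH_SECURITY_IMPLICATION on the isInspectorPage check runs in the UI process (this is UIProcess/WebPageProxy.cpp), so a violation here brings down the UI process rather than terminating the WebContent process that the commit title describes; that is the right tool only if this path is reachable solely through UI-process logic and never through a message from the web process, which cannot be confirmed from the hunk. If any caller forwards an IPC-originated request here, the check should use the sending process's connection in the same way the backForwardGoToItemShared hunk does. Either way the choice deserves a one-line comment next to the assert, e.g. `// UI-process logic error, not untrusted IPC: crash rather than MESSAGE_CHECK.` (or the converse, whichever holds). The enclosing maybeInitializeSandboxExtensionHandle starts and ends outside the hunk.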
@@ -6169,6 +6170,8 @@
void WebPageProxy::backForwardGoToItemShared(Ref<WebProcessProxy>&& process, const BackForwardItemIdentifier& itemID, CompletionHandler<void(SandboxExtension::Handle&&, const WebBackForwardListCounts&)>&& completionHandler)
{
+ MESSAGE_CHECK_COMPLETION(m_process, !WebKit::isInspectorPage(*this), completionHandler({ }, m_backForwardList->counts()));
+
auto* item = m_backForwardList->itemForID(itemID);
if (!item)
return completionHandler({ }, m_backForwardList->counts());
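Review bot: The added MESSAGE_CHECK_COMPLETION names `m_process`, but the function receives the sender as its `process` parameter, so on failure the macro terminates `m_process->connection()` rather than the connection the message arrived on; when the two differ (e.g. a provisional or previous process) the wrong process is killed and the sender survives. Using the parameter keeps the termination tied to the sender: `MESSAGE_CHECK_COMPLETION(process, !WebKit::isInspectorPage(*this), completionHandler({ }, m_backForwardList->counts()));`. The macro's expansion `process->connection()` works for the `Ref<WebProcessProxy>&&` parameter exactly as it does for the member. backForwardGoToItemShared continues past the end of the hunk.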