Title: [258708] branches/safari-609-branch/Source/WebKit
Revision
258708
Author
[email protected]
Date
2020-03-19 10:44:15 -0700 (Thu, 19 Mar 2020)

Log Message

Apply patch. rdar://problem/60633852

Modified Paths


Diff

Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (258707 => 258708)


--- branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-19 17:23:58 UTC (rev 258707)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-19 17:44:15 UTC (rev 258708)
@@ -1,3 +1,18 @@
+2020-03-19  Russell Epstein  <[email protected]>
+
+        Apply patch. rdar://problem/60633852
+
+    2020-03-19  Brent Fulgham  <[email protected]>
+
+         Terminate the WebContent process when receiving invalid IPC from a WebInspector session
+         https://bugs.webkit.org/show_bug.cgi?id=209157
+         <rdar://problem/58961055>
+
+         * UIProcess/WebPageProxy.cpp:
+         (WebKit::WebPageProxy::backForwardGoToItemShared): Add a message check that we are not receiving
+         the request from a WebInspector page.
+         (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Switch to a release assert.
+
 2020-03-17  Kocsen Chung  <[email protected]>
 
         Apply patch. rdar://problem/60363244

Modified: branches/safari-609-branch/Source/WebKit/UIProcess/WebPageProxy.cpp (258707 => 258708)


--- branches/safari-609-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2020-03-19 17:23:58 UTC (rev 258707)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2020-03-19 17:44:15 UTC (rev 258708)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -272,6 +272,7 @@
 
 #define MESSAGE_CHECK(process, assertion) MESSAGE_CHECK_BASE(assertion, process->connection())
 #define MESSAGE_CHECK_URL(process, url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(process, url), process->connection())
+#define MESSAGE_CHECK_COMPLETION(process, assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, process->connection(), completion)
 
 #define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
 #define RELEASE_LOG_ERROR_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_ERROR_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
@@ -1171,7 +1172,7 @@
         return;
 
     // Inspector resources are in a directory with assumed access.
-    ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
 
 #if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
     ASSERT(process.connection() && process.connection()->getAuditToken());
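Review bot: The new `RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));` aborts the UI process in release builds, and nothing at the call site says why crashing the browser is preferred over terminating only the offending WebContent process, as the `MESSAGE_CHECK` macros do. If this path can be reached from a message sent by a web process (not visible here, since the function starts and ends outside the hunk), a `MESSAGE_CHECK` on the caller's side would fail closed without taking the UI process down. Otherwise, a one-line comment would help, such as `// Release assert: an inspector page must never reach sandbox-extension setup, so fail closed in production builds too.` The `ASSERT(process.connection() && process.connection()->getAuditToken());` on the context line below stays debug-only, so it is worth confirming that release builds handle a null connection or missing audit token further down.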
@@ -6051,6 +6052,8 @@
 
 void WebPageProxy::backForwardGoToItemShared(Ref<WebProcessProxy>&& process, const BackForwardItemIdentifier& itemID, CompletionHandler<void(SandboxExtension::Handle&&)>&& completionHandler)
 {
+    MESSAGE_CHECK_COMPLETION(m_process, !WebKit::isInspectorPage(*this), completionHandler({ }, m_backForwardList->counts()));
+
     auto* item = m_backForwardList->itemForID(itemID);
     if (!item)
         return completionHandler({ });
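Review bot: The failure expression `completionHandler({ }, m_backForwardList->counts())` passes two arguments, but the handler in this function's signature is `CompletionHandler<void(SandboxExtension::Handle&&)>` and the existing early return calls `completionHandler({ })` with one. As written for this branch the added line looks like it will not compile, and it probably should read `MESSAGE_CHECK_COMPLETION(m_process, !WebKit::isInspectorPage(*this), completionHandler({ }));`. The check is also made against `m_process` instead of the `process` argument that delivered the message. If the two can differ (for example during a process swap), the connection marked invalid may not be the sender's, so `process` looks like the safer argument; please confirm. The function body continues outside the hunk.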