Title: [274153] trunk/Source/WebKit
- Revision: 274153
- Author: [email protected]
- Date: 2021-03-09 09:37:44 -0800 (Tue, 09 Mar 2021)
Log Message
[IPC Hardening] Protect WebPageProxy::willSubmitForm() against bad Strings
https://bugs.webkit.org/show_bug.cgi?id=222955
<rdar://problem/75195062>
Reviewed by Anders Carlsson.
The Strings passed in textFieldValues are used as keys in a HashMap later on so we need
to validate them.
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::willSubmitForm):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (274152 => 274153)
--- trunk/Source/WebKit/ChangeLog 2021-03-09 17:36:04 UTC (rev 274152)
+++ trunk/Source/WebKit/ChangeLog 2021-03-09 17:37:44 UTC (rev 274153)
@@ -1,3 +1,17 @@
+2021-03-09 Chris Dumez <[email protected]>
+
+ [IPC Hardening] Protect WebPageProxy::willSubmitForm() against bad Strings
+ https://bugs.webkit.org/show_bug.cgi?id=222955
+ <rdar://problem/75195062>
+
+ Reviewed by Anders Carlsson.
+
+ The Strings passed in textFieldValues are used as keys in a HashMap later on so we need
+ to validate them.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::willSubmitForm):
+
2021-03-09 Wenson Hsieh <[email protected]>
[macOS] Add a way to trigger webpage translation via the context menu
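Review bot: The description in this entry ("used as keys in a HashMap later on so we need to validate them") does not say what makes a String an invalid key or what happens to the sending process when the check fails. One more sentence stating both would let a reader judge the hardening without opening WebPageProxy.cpp. The entry also lists only UIProcess/WebPageProxy.cpp, so no test accompanies the change. If an invalid key cannot be produced from a test, say so here.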
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (274152 => 274153)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-09 17:36:04 UTC (rev 274152)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-09 17:37:44 UTC (rev 274153)
@@ -31,6 +31,7 @@
#include "APIAttachment.h"
#include "APIContentWorld.h"
#include "APIContextMenuClient.h"
+#include "APIDictionary.h"
#include "APIFindClient.h"
#include "APIFindMatchesClient.h"
#include "APIFormClient.h"
@@ -5438,6 +5439,9 @@
WebFrameProxy* sourceFrame = m_process->webFrame(sourceFrameID);
MESSAGE_CHECK(m_process, sourceFrame);
+ for (auto& pair : textFieldValues)
+ MESSAGE_CHECK(m_process, API::Dictionary::MapType::isValidKey(pair.first));
+
m_formClient->willSubmitForm(*this, *frame, *sourceFrame, textFieldValues, m_process->transformHandlesToObjects(userData.object()).get(), [this, protectedThis = makeRef(*this), frameID, listenerID]() {
send(Messages::WebPage::ContinueWillSubmitForm(frameID, listenerID));
});
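Review bot: In the new loop ahead of m_formClient->willSubmitForm(), only pair.first is validated, and nothing in this hunk shows why API::Dictionary::MapType is the map type to validate against. Add a one-line comment naming the place where textFieldValues entries become HashMap keys, so the check stays tied to its consumer if that map type ever changes. Since MESSAGE_CHECK is a macro used as the unbraced body of the for statement, also confirm that it expands to a single statement, or brace the loop body.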