Title: [291371] trunk/Source/WebKit
Revision
291371
Author
[email protected]
Date
2022-03-16 14:58:52 -0700 (Wed, 16 Mar 2022)

Log Message

CoreIPC Hardening: Add user gesture check when saving images
https://bugs.webkit.org/show_bug.cgi?id=237839
<rdar://72058321>

Reviewed by Chris Dumez.

Add check to confirm that attempts to store images in the user's Photo
Library and attempts to store data in the pasteboard were triggered by
a user gesture.

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
performing the write.
* UIProcess/WebPageProxy.h:
* UIProcess/WebPageProxy.messages.in:
* UIProcess/ios/WebPageProxyIOS.mm:
(WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
(WebKit::WebPageProxy::performActionOnElement): Added.
(WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
performing the save.
* WebProcess/WebPage/WebPage.h:
* WebProcess/WebPage/WebPage.messages.in:
* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::performActionOnElement):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (291370 => 291371)


--- trunk/Source/WebKit/ChangeLog	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/ChangeLog	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,3 +1,30 @@
+2022-03-16  Brent Fulgham  <[email protected]>
+
+        CoreIPC Hardening: Add user gesture check when saving images
+        https://bugs.webkit.org/show_bug.cgi?id=237839
+        <rdar://72058321>
+
+        Reviewed by Chris Dumez.
+
+        Add check to confirm that attempts to store images in the user's Photo
+        Library and attempts to store data in the pasteboard were triggered by
+        a user gesture.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
+        performing the write.
+        * UIProcess/WebPageProxy.h:
+        * UIProcess/WebPageProxy.messages.in:
+        * UIProcess/ios/WebPageProxyIOS.mm:
+        (WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
+        (WebKit::WebPageProxy::performActionOnElement): Added.
+        (WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
+        performing the save.
+        * WebProcess/WebPage/WebPage.h:
+        * WebProcess/WebPage/WebPage.messages.in:
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::performActionOnElement):
+
 2022-03-16  Sihui Liu  <[email protected]>
 
         Do not suspend NetworkStorageManager if it is used for ephemeral session

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (291370 => 291371)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -10193,9 +10193,16 @@
 
 #if ENABLE(ATTACHMENT_ELEMENT)
 
-void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info)
+void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info, const String& authorizationToken)
 {
+#if PLATFORM(IOS_FAMILY)
+    MESSAGE_CHECK(m_process, isValidPerformActionOnElementAuthorizationToken(authorizationToken));
+
     pageClient().writePromisedAttachmentToPasteboard(WTFMove(info));
+#else
+    UNUSED_PARAM(info);
+    UNUSED_PARAM(authorizationToken);
+#endif
 }
 
 void WebPageProxy::requestAttachmentIcon(const String& identifier, const String& contentType, const String& fileName, const String& title, const FloatSize& requestedSize)
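Review bot: The new `#else` branch turns writePromisedAttachmentToPasteboard into a no-op on non-iOS builds, whereas before this change the `pageClient().writePromisedAttachmentToPasteboard(WTFMove(info))` call ran on every platform with ATTACHMENT_ELEMENT enabled. If only the iOS performActionOnElement path sends this message the change is harmless, but nothing in the hunk records that, and if another sender exists its pasteboard write is now silently dropped rather than rejected. A comment on the `#else`, such as `// Only iOS issues performActionOnElement authorization tokens; other platforms are not expected to receive this message.`, would record the intent, and guarding the message itself with `#if PLATFORM(IOS_FAMILY)` in WebPageProxy.messages.in would make an unexpected sender fail at decode time instead of being ignored.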

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (291370 => 291371)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.h	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -889,7 +889,7 @@
     void startInteractionWithPositionInformation(const InteractionInformationAtPosition&);
     void stopInteraction();
     void performActionOnElement(uint32_t action);
-    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle);
+    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&& = [] { });
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);
     void setFocusedElementSelectedIndex(const WebCore::ElementContext&, uint32_t index, bool allowMultipleSelection = false);
@@ -2393,6 +2393,8 @@
     void showPlaybackTargetPicker(bool hasVideo, const WebCore::IntRect& elementRect, WebCore::RouteSharingPolicy, const String&);
 
     void updateStringForFind(const String&);
+
+    bool isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const;
 #endif
 
     void focusedFrameChanged(const std::optional<WebCore::FrameIdentifier>&);
@@ -2540,7 +2542,8 @@
     Ref<API::Attachment> ensureAttachment(const String& identifier);
     void invalidateAllAttachments();
 
-    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&);
+        
+    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&, const String& authorizationToken);
 
     void requestAttachmentIcon(const String& identifier, const String& type, const String& path, const String& title, const WebCore::FloatSize&);
 
@@ -3067,6 +3070,7 @@
     WebCore::FloatSize m_minimumUnobscuredSize;
     WebCore::FloatSize m_maximumUnobscuredSize;
     bool m_lastObservedStateWasBackground { false };
+    HashSet<String> m_performActionOnElementAuthTokens;
 #endif
 
     std::optional<WebCore::FontAttributes> m_cachedFontAttributesAtSelectionStart;
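Review bot: The new `m_performActionOnElementAuthTokens` member has no comment explaining what populates it or what consumes it, which matters because the set is the whole basis of the MESSAGE_CHECKs added in this commit. A short comment such as `// Tokens minted by performActionOnElement() and retired when the WebProcess replies; SaveImageToLibrary and WritePromisedAttachmentToPasteboard must present one of them.` would let a reader of the header understand the check without opening WebPageProxyIOS.mm.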

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in (291370 => 291371)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2020 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -160,7 +160,7 @@
 #if PLATFORM(IOS_FAMILY)
     InterpretKeyEvent(struct WebKit::EditorState state, bool isCharEvent) -> (bool handled) Synchronous
     DidReceivePositionInformation(struct WebKit::InteractionInformationAtPosition information)
-    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle)
+    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle, String authorizationToken)
     ShowPlaybackTargetPicker(bool hasVideo, WebCore::IntRect elementRect, enum:uint8_t WebCore::RouteSharingPolicy policy, String routingContextUID)
     CommitPotentialTapFailed()
     DidNotHandleTapAsClick(WebCore::IntPoint point)
@@ -525,7 +525,7 @@
     DidInsertAttachmentWithIdentifier(String identifier, String source, bool hasEnclosingImage)
     DidRemoveAttachmentWithIdentifier(String identifier)
     SerializedAttachmentDataForIdentifiers(Vector<String> identifiers) -> (Vector<WebCore::SerializedAttachmentData> seralizedData) Synchronous
-    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info)
+    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info, String authorizationToken)
     RequestAttachmentIcon(String identifier, String contentType, String path, String title, WebCore::FloatSize size)
 #endif
 

Modified: trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (291370 => 291371)


--- trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -594,14 +594,30 @@
     m_process->send(Messages::WebPage::StopInteraction(), m_webPageID);
 }
 
+bool WebPageProxy::isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const
+{
+    return !authorizationToken.isNull() && m_performActionOnElementAuthTokens.contains(authorizationToken);
+}
+
 void WebPageProxy::performActionOnElement(uint32_t action)
 {
-    m_process->send(Messages::WebPage::PerformActionOnElement(action), m_webPageID);
+    auto authorizationToken = createVersion4UUIDString();
+
+    m_performActionOnElementAuthTokens.add(authorizationToken);
+    
+    sendWithAsyncReply(Messages::WebPage::PerformActionOnElement(action, authorizationToken), [weakThis = WeakPtr { *this }, authorizationToken] () mutable {
+        if (!weakThis)
+            return;
+
+        ASSERT(weakThis->isValidPerformActionOnElementAuthorizationToken(authorizationToken));
+        weakThis->m_performActionOnElementAuthTokens.remove(authorizationToken);
+    });
 }
 
-void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle)
+void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken)
 {
     MESSAGE_CHECK(!imageHandle.handle.isNull());
+    MESSAGE_CHECK(isValidPerformActionOnElementAuthorizationToken(authorizationToken));
 
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle.handle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)
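Review bot: A token added in performActionOnElement stays in `m_performActionOnElementAuthTokens` until the WebProcess's async reply arrives, so it remains valid for every SaveImageToLibrary or WritePromisedAttachmentToPasteboard message sent before that reply, and the reply timing is under the WebProcess's control. Since WebPage::performActionOnElement sends at most one of those messages per action, the checked handlers could remove the token once it has been accepted so that each gesture authorizes exactly one action; the reply lambda would then only call `remove` and the `ASSERT` on the still-present token would have to go. The `!authorizationToken.isNull()` guard in isValidPerformActionOnElementAuthorizationToken deserves a one-line comment stating why a null string must not reach `contains` (presumably a hash-traits empty-value concern). The blank line `+    ` after `m_performActionOnElementAuthTokens.add(authorizationToken);` carries trailing whitespace. The saveImageToLibrary body continues beyond the hunk.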

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.h (291370 => 291371)


--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -819,7 +819,7 @@
     void requestPositionInformation(const InteractionInformationRequest&);
     void startInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext>&&, WebCore::IntPoint&&);
     void stopInteraction();
-    void performActionOnElement(uint32_t action);
+    void performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&&);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&&);
     void autofillLoginCredentials(const String&, const String&);
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in (291370 => 291371)


--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -96,7 +96,7 @@
     RequestPositionInformation(struct WebKit::InteractionInformationRequest request)
     StartInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext> elementContext, WebCore::IntPoint point)
     StopInteraction()
-    PerformActionOnElement(uint32_t action)
+    PerformActionOnElement(uint32_t action, String authenticationToken) -> ()
     FocusNextFocusedElement(bool isForward) -> ()
     AutofillLoginCredentials(String username, String password)
     SetFocusedElementValue(struct WebCore::ElementContext context, String value)
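Review bot: The new parameter is named `authenticationToken` here while the C++ declaration in WebPage.h, the implementation in WebPageIOS.mm and the UIProcess side all call it `authorizationToken`; the two words mean different things and the mismatch will surface in the generated message headers. Change the line to `PerformActionOnElement(uint32_t action, String authorizationToken) -> ()`.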

Modified: trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (291370 => 291371)


--- trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-03-16 21:55:12 UTC (rev 291370)
+++ trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-03-16 21:58:52 UTC (rev 291371)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -3252,8 +3252,10 @@
     m_interactionNode = nullptr;
 }
 
-void WebPage::performActionOnElement(uint32_t action)
+void WebPage::performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&& completionHandler)
 {
+    CompletionHandlerCallingScope callCompletionHandler(WTFMove(completionHandler));
+
     if (!is<HTMLElement>(m_interactionNode))
         return;
 
@@ -3279,7 +3281,7 @@
             m_interactionNode->document().editor().copyURL(element.document().completeURL(stripLeadingAndTrailingHTMLSpaces(element.attributeWithoutSynchronization(HTMLNames::hrefAttr))), element.textContent());
 #if ENABLE(ATTACHMENT_ELEMENT)
         else if (auto attachmentInfo = element.document().editor().promisedAttachmentInfo(element))
-            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo)));
+            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo), authorizationToken));
 #endif
     } else if (static_cast<SheetAction>(action) == SheetAction::SaveImage) {
         if (!is<RenderImage>(*element.renderer()))
@@ -3295,7 +3297,7 @@
             return;
         SharedMemory::Handle handle;
         sharedMemoryBuffer->createHandle(handle, SharedMemory::Protection::ReadOnly);
-        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }));
+        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }, authorizationToken));
     }
 }
 