Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0f8aafd122c29180189e7bb05729231a6d9adbce
https://github.com/WebKit/WebKit/commit/0f8aafd122c29180189e7bb05729231a6d9adbce
Author: Andy Estes <[email protected]>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in
M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h
Log Message:
-----------
WebContent process can create files at arbitrary locations by calling RemoteMediaPlayerManagerProxy::OriginsInMediaCache
https://bugs.webkit.org/show_bug.cgi?id=257875
rdar://107931180
Reviewed by Eric Carlson.
MediaPlayerPrivateAVFoundationObjC implements cache management by creating an AVAssetCache at a specified path, and AVAssetCache creates an empty directory at this path if one doesn't exist. When MediaPlayer's installedMediaEngines() are accessed from the WebContent process and the GPU process is in use, RemoteMediaPlayerManager creates media player factories that proxy cache management calls to the GPU process via RemoteMediaPlayerManagerProxy IPC messages, passing the media cache directory specified by the website data store as an argument. If a compromised WebContent process were to send these messages with a path of its choosing, it could convince the GPU process to create a directory at an arbitrary location within the GPU process sandbox.

Fixed this by removing the cache management IPC messages (OriginsInMediaCache, ClearMediaCache, and ClearMediaCacheForOrigins) from RemoteMediaPlayerManagerProxy and calling ASSERT_NOT_REACHED() if the WebContent process attempts to perform MediaPlayer cache management while the GPU process is in use. This is OK because the cache management subset of MediaPlayerFactory's interface is exclusively called from WebsiteDataStore in the UI process where media engines are accessed directly rather than via RemoteMediaPlayerManagerProxy.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp:
(WebKit::RemoteMediaPlayerManagerProxy::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:
Originally-landed-as: 259548.815@safari-7615-branch (7b6d48342b82).
rdar://107931180
Canonical link: https://commits.webkit.org/266437@main
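The commit removes the cache-management messages outright; as an added example (not WebKit's code, with the message struct, MediaCacheManager and the cache root path all assumed for illustration), the block below models the trust problem the commit message describes: a handler that uses a peer-supplied directory path beside one that keeps its own configured root and rejects any path that normalises outside it.

```cpp
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;
// Hypothetical message payload (not WebKit's IPC type): the directory path as sent
// by the less-trusted WebContent side.
struct OriginsInMediaCacheMessage {
    std::string mediaCacheDirectory;
};
// Collapse "." and ".." lexically (no filesystem access) and drop a trailing
// separator so "/a/b/" and "/a/b" compare equal.
static fs::path normalise(const fs::path& p)
{
    fs::path n = p.lexically_normal();
    if (n.filename().empty() && n.has_parent_path())
        n = n.parent_path();
    return n;
}
// Component-wise containment: "/root/x" is inside "/root", "/root-other" is not.
static bool isWithin(const fs::path& root, const fs::path& candidate)
{
    auto r = root.begin(), c = candidate.begin();
    for (; r != root.end(); ++r, ++c) {
        if (c == candidate.end() || *r != *c)
            return false;
    }
    return true;
}
// Vulnerable shape: wherever the message says, that is where the directory goes.
fs::path vulnerableHandler(const OriginsInMediaCacheMessage& msg)
{
    return normalise(msg.mediaCacheDirectory);
}
// Hardened shape: the receiver owns the configured cache root (assumed set at launch
// by the UI process) and acts only on absolute paths inside it; lexical checks ignore
// symlinks, so real code must also canonicalise once the directory exists.
class MediaCacheManager {
public:
    explicit MediaCacheManager(fs::path root) : m_root(normalise(root)) { }
    std::optional<fs::path> handle(const OriginsInMediaCacheMessage& msg) const
    {
        fs::path requested = normalise(msg.mediaCacheDirectory);
        if (!requested.is_absolute() || !isWithin(m_root, requested))
            return std::nullopt; // reject: the peer tried to choose the location
        return requested;
    }
private:
    fs::path m_root;
};
```

The traversal case shows why a plain string-prefix test is not enough: "/var/cache/media/../../../tmp/evil" starts with the root as text but normalises to "/tmp/evil".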
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes