Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d85455322dae47dcb4235d0ca0dce0fee75a0fb5
https://github.com/WebKit/WebKit/commit/d85455322dae47dcb4235d0ca0dce0fee75a0fb5
Author: Chris Dumez <[email protected]>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h
M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
IndexedDB Connection/Transaction Identifier Confusion
https://bugs.webkit.org/show_bug.cgi?id=310076
rdar://172392524

Reviewed by Brady Eidson.

NetworkStorageManager fails to validate that Connection/Transaction
identifiers belong to the IPC connection that sent the IPC. This could
lead to data leakage.

I added the MESSAGE_CHECK calls inside the IDBStorageRegistry::connection()
and IDBStorageRegistry::transaction() getters. Those are convenient
choke-points, which makes it way less likely we forget to add such a
MESSAGE_CHECK when introducing new IPC.
* Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h:
* Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h:
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp:
(WebKit::IDBStorageRegistry::ensureConnectionToClient):
(WebKit::IDBStorageRegistry::isValidConnectionForIPC):
(WebKit::IDBStorageRegistry::connection):
(WebKit::IDBStorageRegistry::transaction):
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::openDatabase):
(WebKit::NetworkStorageManager::deleteDatabase):
(WebKit::NetworkStorageManager::establishTransaction):
(WebKit::NetworkStorageManager::databaseConnectionPendingClose):
(WebKit::NetworkStorageManager::databaseConnectionClosed):
(WebKit::NetworkStorageManager::abortOpenAndUpgradeNeeded):
(WebKit::NetworkStorageManager::didFireVersionChangeEvent):
(WebKit::NetworkStorageManager::didGenerateIndexKeyForRecord):
(WebKit::NetworkStorageManager::abortTransaction):
(WebKit::NetworkStorageManager::commitTransaction):
(WebKit::NetworkStorageManager::didFinishHandlingVersionChangeTransaction):
(WebKit::NetworkStorageManager::idbTransaction):
(WebKit::NetworkStorageManager::createObjectStore):
(WebKit::NetworkStorageManager::deleteObjectStore):
(WebKit::NetworkStorageManager::renameObjectStore):
(WebKit::NetworkStorageManager::clearObjectStore):
(WebKit::NetworkStorageManager::createIndex):
(WebKit::NetworkStorageManager::deleteIndex):
(WebKit::NetworkStorageManager::renameIndex):
(WebKit::NetworkStorageManager::putOrAdd):
(WebKit::NetworkStorageManager::getRecord):
(WebKit::NetworkStorageManager::getAllRecords):
(WebKit::NetworkStorageManager::getCount):
(WebKit::NetworkStorageManager::deleteRecord):
(WebKit::NetworkStorageManager::openCursor):
(WebKit::NetworkStorageManager::iterateCursor):
(WebKit::NetworkStorageManager::getAllDatabaseNamesAndVersions):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h:
Originally-landed-as: 305413.515@rapid/safari-7624.2.5.110-branch
(293e2d766d11). rdar://176062499
Canonical link: https://commits.webkit.org/313802@main
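Added illustration of the pattern the commit describes (this is example code, not WebKit's own implementation): every connection-scoped IDB identifier is tagged with the IPC connection that created it, and the single connection()/transaction() lookup used by all IPC handlers rejects, and flags, a known identifier presented over a different IPC connection. The types, the ExampleIDBRegistry class and the modelling of MESSAGE_CHECK as a recorded "terminated sender" are assumptions made for the example; in WebKit a failed MESSAGE_CHECK terminates the offending process.

```cpp
// Example code, not WebKit's: a minimal model of the choke-point ownership
// check described in the commit. Names echo the commit (connection(),
// transaction(), isValidConnectionForIPC); the types here are assumptions.
#include <cstdint>
#include <unordered_map>
#include <vector>

// Stand-in for IPC::Connection: one per web content process.
struct IPCConnection { uint64_t uniqueID; };

// Server-side IDB connection object, tagged with the IPC connection that
// created it so later lookups can verify ownership.
struct IDBConnectionToClient { uint64_t identifier; uint64_t ipcConnectionID; };

// A transaction belongs to exactly one IDBConnectionToClient.
struct IDBTransaction { uint64_t identifier; uint64_t connectionIdentifier; };

class ExampleIDBRegistry {
public:
    // Called from the openDatabase path: records which IPC connection owns this id.
    IDBConnectionToClient& ensureConnectionToClient(const IPCConnection& ipc, uint64_t id)
    {
        return m_connections.emplace(id, IDBConnectionToClient { id, ipc.uniqueID }).first->second;
    }

    // Called from the establishTransaction path once the connection was validated.
    IDBTransaction& addTransaction(uint64_t connectionID, uint64_t transactionID)
    {
        return m_transactions.emplace(transactionID, IDBTransaction { transactionID, connectionID }).first->second;
    }

    // Ownership rule: the identifier must have been created over the sender's IPC connection.
    static bool isValidConnectionForIPC(const IPCConnection& sender, const IDBConnectionToClient& connection)
    {
        return connection.ipcConnectionID == sender.uniqueID;
    }

    // Choke point for every connection-scoped IPC. An unknown id is a benign race
    // (connection already closed) and just yields null; a known id owned by another
    // IPC connection is a protocol violation and trips the (modelled) MESSAGE_CHECK.
    IDBConnectionToClient* connection(const IPCConnection& sender, uint64_t id)
    {
        auto it = m_connections.find(id);
        if (it == m_connections.end())
            return nullptr;
        if (!isValidConnectionForIPC(sender, it->second)) {
            messageCheckFailed(sender);
            return nullptr;
        }
        return &it->second;
    }

    // Transactions inherit the check by resolving their owning connection first,
    // so no per-handler check is needed for transaction-scoped IPC either.
    IDBTransaction* transaction(const IPCConnection& sender, uint64_t id)
    {
        auto it = m_transactions.find(id);
        if (it == m_transactions.end())
            return nullptr;
        if (!connection(sender, it->second.connectionIdentifier))
            return nullptr;
        return &it->second;
    }

    // Model of MESSAGE_CHECK's effect (assumption for this example): WebKit would
    // terminate the sending process; here we record which sender was flagged.
    const std::vector<uint64_t>& terminatedSenders() const { return m_terminated; }

private:
    void messageCheckFailed(const IPCConnection& sender) { m_terminated.push_back(sender.uniqueID); }

    std::unordered_map<uint64_t, IDBConnectionToClient> m_connections;
    std::unordered_map<uint64_t, IDBTransaction> m_transactions;
    std::vector<uint64_t> m_terminated;
};

// Constructed scenario: process A opens a database and starts a transaction; a
// compromised process B then presents A's identifiers. Returns true if B is
// rejected and flagged on both lookups while A's own access still works.
bool confusionIsRejected()
{
    ExampleIDBRegistry registry;
    IPCConnection processA { 1 }, processB { 2 };

    registry.ensureConnectionToClient(processA, 100);
    if (!registry.connection(processA, 100))
        return false;
    registry.addTransaction(100, 500);

    bool aOk = registry.transaction(processA, 500) != nullptr;
    bool bConnRejected = registry.connection(processB, 100) == nullptr;
    bool bTxRejected = registry.transaction(processB, 500) == nullptr;
    bool unknownIsQuiet = registry.connection(processB, 999) == nullptr;

    const auto& terminated = registry.terminatedSenders();
    bool flaggedTwice = terminated.size() == 2 && terminated[0] == 2 && terminated[1] == 2;
    return aOk && bConnRejected && bTxRejected && unknownIsQuiet && flaggedTwice;
}
```

The point of routing transaction() through connection() is the one the commit makes: a new IPC handler that resolves its identifier via the registry gets the ownership check for free, instead of relying on each handler to remember its own MESSAGE_CHECK. Note the distinction between an unknown identifier (tolerated silently, since a connection can close while messages are in flight) and a known identifier presented by the wrong sender (treated as a hostile message).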