Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c6cd4e07e9afcb0f5a8dc696182822e21fafd913
      
https://github.com/WebKit/WebKit/commit/c6cd4e07e9afcb0f5a8dc696182822e21fafd913
  Author: Wenson Hsieh <[email protected]>
  Date:   2026-06-15 (Mon, 15 Jun 2026)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKAttachmentTests.mm

  Log Message:
  -----------
  Missing validation for incoming file paths from web content process when attachment elements are enabled
https://bugs.webkit.org/show_bug.cgi?id=309698
rdar://170082216

Reviewed by Abrar Rahman Protyasha, Richard Robinson, and Charlie Wolfe.

Maintain an allowlist of file paths (`m_allowedAttachmentFilePaths`) in `WebProcessProxy` that
tracks paths legitimately provided to the web process via pasteboard and drag-drop operations.
Validate incoming paths in `RegisterAttachmentIdentifierFromFilePath` against this allowlist using
`MESSAGE_CHECK`, terminating the web process for unauthorized paths.

Tests: WKAttachmentTestsMac.RegisterAttachmentIdentifierFromFilePathWithUnauthorizedPathTerminatesProcess
       WKAttachmentTestsMac.PastedFileURLsUseAuthorizedPaths

Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKAttachmentTests.mm
* Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
(WebKit::addAllowedAttachmentFilePaths):
(WebKit::WebPasteboardProxy::getPasteboardPathnamesForType):
(WebKit::WebPasteboardProxy::allPasteboardItemInfo):
(WebKit::WebPasteboardProxy::informationForItemAtIndex):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::performDragOperation):
(WebKit::WebPageProxy::registerAttachmentIdentifierFromFilePath):
(WebKit::WebPageProxy::registerAttachmentsFromSerializedData):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::addAllowedAttachmentFilePath):
(WebKit::WebProcessProxy::isAllowedAttachmentFilePath const):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKAttachmentTests.mm:
(TestWebKitAPI::TEST(WKAttachmentTestsMac, RegisterAttachmentIdentifierFromFilePathWithUnauthorizedPathTerminatesProcess)):
(TestWebKitAPI::TEST(WKAttachmentTestsMac, PastedFileURLsUseAuthorizedPaths)):

Canonical link: https://commits.webkit.org/315269@main
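
The pattern the log message describes, as a simplified stand-alone C++ model added here for illustration; it is not WebKit's code, and `ContentProcessProxy`, `registerAttachmentFromFilePath` and the sample path are hypothetical. It assumes exact-string matching against an allowlist kept per content process.

```cpp
// Added illustration: a simplified model, not WebKit source. All names are hypothetical.
#include <cstdio>
#include <string>
#include <unordered_set>

// Privileged-side record of one sandboxed content process.
class ContentProcessProxy {
public:
    // Called only by privileged code at the moment it hands a path to the
    // content process (modelled here: a paste or a drop).
    void addAllowedAttachmentFilePath(const std::string& path) { m_allowed.insert(path); }

    bool isAllowedAttachmentFilePath(const std::string& path) const { return m_allowed.count(path) != 0; }

    void terminate() { m_terminated = true; }
    bool isTerminated() const { return m_terminated; }

private:
    std::unordered_set<std::string> m_allowed; // exact strings, scoped to this process (assumption)
    bool m_terminated = false;
};

// Privileged handler for a "register attachment from file path" message.
// The path is untrusted input: it is accepted only if this same sender was
// given exactly that string earlier. Anything else is treated as evidence of
// a misbehaving sender, so the sender is terminated and nothing is registered.
bool registerAttachmentFromFilePath(ContentProcessProxy& sender, const std::string& path)
{
    if (sender.isTerminated())
        return false;
    if (!sender.isAllowedAttachmentFilePath(path)) {
        sender.terminate();
        return false;
    }
    return true; // path was vouched for by the privileged side
}

int main()
{
    ContentProcessProxy a, b;
    a.addAllowedAttachmentFilePath("/tmp/constructed/report.pdf"); // constructed sample path
    std::printf("a, pasted path: %d\n", registerAttachmentFromFilePath(a, "/tmp/constructed/report.pdf"));
    std::printf("b, same path:   %d\n", registerAttachmentFromFilePath(b, "/tmp/constructed/report.pdf"));
    std::printf("b terminated:   %d\n", b.isTerminated());
    return 0;
}
```

Because the check is an exact match on strings the privileged side issued, a differently spelled route to the same file is rejected as well.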


