Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 074d3804f08e1882337a3307e960ca3e356b517e
      
https://github.com/WebKit/WebKit/commit/074d3804f08e1882337a3307e960ca3e356b517e
  Author: Brady Eidson <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebBackForwardList.cpp
    M Source/WebKit/UIProcess/WebBackForwardList.swift

  Log Message:
  -----------
  Compromised WebContent process can gain arbitrary file URL access by spoofing 
back/forward list messages
rdar://174512192

Reviewed by Ben Nham and Per Arne Vollan.

Instead of debug-only asserting that an updated item belongs to the process, 
actaully message check it.

Test: Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm

* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::backForwardUpdateItem):
* Source/WebKit/UIProcess/WebBackForwardList.swift:
(MakeAPIArray.backForwardUpdateItem(_:frameState:)):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(ForgedFileURLItemIsRejected)):

Originally-landed-as: 305413.830@safari-7624-branch (34c25063c9cf). 
rdar://180436677
Canonical link: https://commits.webkit.org/316361@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to