Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 074d3804f08e1882337a3307e960ca3e356b517e
https://github.com/WebKit/WebKit/commit/074d3804f08e1882337a3307e960ca3e356b517e
Author: Brady Eidson <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Source/WebKit/UIProcess/WebBackForwardList.swift
Log Message:
-----------
Compromised WebContent process can gain arbitrary file URL access by spoofing
back/forward list messages
rdar://174512192
Reviewed by Ben Nham and Per Arne Vollan.
Instead of debug-only asserting that an updated item belongs to the process,
actaully message check it.
Test: Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::backForwardUpdateItem):
* Source/WebKit/UIProcess/WebBackForwardList.swift:
(MakeAPIArray.backForwardUpdateItem(_:frameState:)):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(ForgedFileURLItemIsRejected)):
Originally-landed-as: 305413.830@safari-7624-branch (34c25063c9cf).
rdar://180436677
Canonical link: https://commits.webkit.org/316361@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications