Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a9de782f906f9c52c0a7e61db3625973ed9d6114
https://github.com/WebKit/WebKit/commit/a9de782f906f9c52c0a7e61db3625973ed9d6114
Author: Ahmad Saleem <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebCore/inspector/agents/InspectorPageAgent.cpp
Log Message:
-----------
[Web Inspector] Empty std::optional dereference in Page.setCookie when
"session" is omitted but "expires" is present
https://bugs.webkit.org/show_bug.cgi?id=318422
rdar://181204053
Reviewed by Devin Rousso.
InspectorPageAgent::parseCookieObject() read the optional "session"
boolean and the optional "expires" double, then bailed only when *both*
were absent (`!session && !cookie.expires`). It unconditionally
dereferenced the optional afterwards with `cookie.session = *session;`.
When a client sends a cookie object with "expires" present but "session"
omitted, the guard's condition is false, so execution falls through and
dereferences an empty std::optional<bool> — undefined behavior. The
input is fully controlled by the inspector frontend via the
Page.setCookie protocol command.
Since reaching the code past the guard already guarantees that either
"session" or "expires" is valid, default the session flag to false with
session.value_or(false) instead of dereferencing the optional. When
"expires" is set but "session" is omitted, defaulting to false is the
intended behavior anyway.
* Source/WebCore/inspector/agents/InspectorPageAgent.cpp:
(WebCore::parseCookieObject):
Canonical link: https://commits.webkit.org/316462@main
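The guard described in the commit message, reconstructed as an added example beside its hardened form. This is not the WebKit code from the commit (the diff is not on this page); the `CookieObject` and `ParsedCookie` structs, the field names and the order in which "expires" is copied are assumptions for illustration, not WebKit's Inspector protocol types. The pre-fix version replaces the undefined `*session` dereference with `value()`, which throws `std::bad_optional_access`, so the "expires present, session omitted" case fails observably instead of invoking undefined behaviour.

```cpp
#include <optional>
#include <stdexcept>
#include <string>

// Constructed stand-in for the Page.setCookie "cookie" object. These structs
// and field names are assumptions for illustration, not WebKit's protocol types.
struct CookieObject {
    std::string name;
    std::string value;
    std::optional<bool> session;    // omitted by the client -> nullopt
    std::optional<double> expires;  // omitted by the client -> nullopt
};

struct ParsedCookie {
    std::string name;
    std::string value;
    bool session = false;
    double expires = 0;
};

// Pre-fix shape of the guard, reconstructed from the commit message. The
// original dereferenced the empty optional with `*session` (undefined
// behaviour); here value() is used instead so the bug surfaces as a
// std::bad_optional_access that can be caught and tested for.
std::optional<ParsedCookie> parseCookieObjectBefore(const CookieObject& in)
{
    ParsedCookie cookie;
    cookie.name = in.name;
    cookie.value = in.value;
    if (in.expires)
        cookie.expires = *in.expires;
    if (!in.session && !in.expires)   // bails only when BOTH are absent
        return std::nullopt;
    cookie.session = in.session.value(); // "expires" present, "session" absent -> throws here
    return cookie;
}

// Post-fix shape: past the guard at least one of the two is set, so an
// absent "session" defaults to false instead of being dereferenced.
std::optional<ParsedCookie> parseCookieObjectAfter(const CookieObject& in)
{
    ParsedCookie cookie;
    cookie.name = in.name;
    cookie.value = in.value;
    if (in.expires)
        cookie.expires = *in.expires;
    if (!in.session && !in.expires)
        return std::nullopt;
    cookie.session = in.session.value_or(false);
    return cookie;
}

// Returns true if the pre-fix parser blows up on this input.
bool beforeFails(const CookieObject& in)
{
    try {
        parseCookieObjectBefore(in);
        return false;
    } catch (const std::bad_optional_access&) {
        return true;
    }
}

int main()
{
    // Constructed inputs: the three shapes the guard has to handle.
    CookieObject expiresOnly{"sid", "abc", std::nullopt, 1.8e12};
    CookieObject sessionOnly{"sid", "abc", true, std::nullopt};
    CookieObject neither{"sid", "abc", std::nullopt, std::nullopt};

    bool ok = beforeFails(expiresOnly)                          // old guard lets the bad case through
           && !beforeFails(sessionOnly)                         // old guard was fine when "session" is set
           && !parseCookieObjectBefore(neither).has_value()     // both absent: rejected either way
           && parseCookieObjectAfter(expiresOnly).has_value();  // fixed guard accepts, session = false
    return ok ? 0 : 1;
}
```

The point of keeping both versions side by side is the shape of the mistake: a guard written as "reject when neither field is present" does not establish that any one particular field is present, so the only optional that may be dereferenced afterwards is one the guard itself checked. `value_or` makes the default explicit at the use site, which is what the fix does.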