Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a9de782f906f9c52c0a7e61db3625973ed9d6114
      
https://github.com/WebKit/WebKit/commit/a9de782f906f9c52c0a7e61db3625973ed9d6114
  Author: Ahmad Saleem <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/inspector/agents/InspectorPageAgent.cpp

  Log Message:
  -----------
  [Web Inspector] Empty std::optional dereference in Page.setCookie when "session" is omitted but "expires" is present
https://bugs.webkit.org/show_bug.cgi?id=318422
rdar://181204053

Reviewed by Devin Rousso.

InspectorPageAgent::parseCookieObject() read the optional "session"
boolean and the optional "expires" double, then bailed only when *both*
were absent (`!session && !cookie.expires`). It unconditionally
dereferenced the optional afterwards with `cookie.session = *session;`.

When a client sends a cookie object with "expires" present but "session"
omitted, the guard's condition is false, so execution falls through and
dereferences an empty std::optional<bool> — undefined behavior. The
input is fully controlled by the inspector frontend via the
Page.setCookie protocol command.

Since reaching the code past the guard already guarantees that either
"session" or "expires" is valid, default the session flag to false with
session.value_or(false) instead of dereferencing the optional. When
"expires" is set but "session" is omitted, defaulting to false is the
intended behavior anyway.

* Source/WebCore/inspector/agents/InspectorPageAgent.cpp:
(WebCore::parseCookieObject):

Canonical link: https://commits.webkit.org/316462@main
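
The guard-then-dereference pattern the message describes, reduced to a stand-alone illustration. This is an added example, not WebKit's code: CookieInput and ParsedCookie are constructed stand-in types, and the real parseCookieObject() handles more fields than these two.

```cpp
#include <optional>

// Stand-in for the decoded protocol cookie object. Both fields are optional
// in the protocol, so a client may omit either one (constructed type).
struct CookieInput {
    std::optional<bool> session;
    std::optional<double> expires;
};

// Result type: "session" becomes a plain bool, "expires" stays optional.
struct ParsedCookie {
    bool session = false;
    std::optional<double> expires;
};

// The original guard: reject only when BOTH fields are absent. As a validity
// check this is fine; the defect was the unconditional `*session` after it.
static bool originalGuardRejects(const CookieInput& in)
{
    return !in.session && !in.expires;
}

// True when the pre-fix code would have executed `cookie.session = *session;`
// on an empty std::optional<bool>: the guard let the object through (at least
// one field is present) but "session" is the one that is missing. This only
// inspects has_value(), so evaluating it performs no dereference.
static bool originalCodeDereferencesEmptyOptional(const CookieInput& in)
{
    return !originalGuardRejects(in) && !in.session.has_value();
}

// Post-fix parse: same guard, but the flag defaults to false via value_or()
// instead of dereferencing an optional that may be empty.
static std::optional<ParsedCookie> parseCookieObject(const CookieInput& in)
{
    if (!in.session && !in.expires)
        return std::nullopt; // neither field usable: reject the object
    ParsedCookie cookie;
    cookie.session = in.session.value_or(false);
    cookie.expires = in.expires;
    return cookie;
}
```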