Title: [246552] trunk/Source/WebKit
Revision
246552
Author
you...@apple.com
Date
2019-06-18 11:10:08 -0700 (Tue, 18 Jun 2019)

Log Message

StorageManager::removeAllowedSessionStorageNamespaceConnection should make sure its storageNamespaceID is valid
https://bugs.webkit.org/show_bug.cgi?id=198966
rdar://problem/51352080

Reviewed by Alex Christensen.

Make sure the namespace ID is a key of the map before using the value.
The namespace ID is coming straight from IPC so should not be trusted.
Also, namespace IDs are added/removed based on web pages being created/deleted.
Namespace IDs are supposed to be scoped by session IDs.
Using page IDs for namespace IDs works as long as the page does not change session ID during its lifetime, which is not guaranteed.

* NetworkProcess/WebStorage/StorageManager.cpp:
(WebKit::StorageManager::removeAllowedSessionStorageNamespaceConnection):
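The pattern the commit hardens, reduced to a standalone C++ example. This is added illustration, not WebKit's code: `StorageManager`, `SessionStorageNamespace`, `lookup()` and the message batch are hypothetical stand-ins for the types in the diff, with `std::unordered_map` playing the role of `WTF::HashMap` (whose `get()` on a map of pointers returns null for a missing key instead of throwing). The sample messages are constructed: one refers to a namespace that was removed before the message was handled, one to an ID that never existed.

```cpp
// Added example, not WebKit's own code. Names are hypothetical stand-ins
// for the types in the StorageManager.cpp diff; the map semantics mirror
// WTF::HashMap::get() on pointer values (missing key -> nullptr).
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

using ConnectionID = uint64_t;
using StorageNamespaceID = uint64_t;

struct SessionStorageNamespace {
    std::vector<ConnectionID> allowedConnections;
    void removeAllowedConnection(ConnectionID id) {
        allowedConnections.erase(
            std::remove(allowedConnections.begin(), allowedConnections.end(), id),
            allowedConnections.end());
    }
};

enum class RemoveResult { Removed, UnknownNamespace, UnknownConnection };

class StorageManager {
public:
    void addNamespace(StorageNamespaceID id) {
        m_namespaces[id] = std::make_unique<SessionStorageNamespace>();
    }
    void removeNamespace(StorageNamespaceID id) { m_namespaces.erase(id); }
    void addAllowedConnection(StorageNamespaceID nsID, ConnectionID c) {
        if (auto* ns = lookup(nsID))
            ns->allowedConnections.push_back(c);
    }

    // Like HashMap::get(): a missing key yields nullptr, so every caller
    // must test the result. The pre-patch code did
    //   get(storageNamespaceID)->removeAllowedConnection(id)
    // unconditionally, a null dereference when the ID was bogus or stale.
    SessionStorageNamespace* lookup(StorageNamespaceID id) const {
        auto it = m_namespaces.find(id);
        return it == m_namespaces.end() ? nullptr : it->second.get();
    }

    // Post-patch shape: the IPC-supplied ID is validated before use, and the
    // caller learns why a message was rejected instead of it being silently dropped.
    RemoveResult removeAllowedConnection(StorageNamespaceID nsID, ConnectionID c) {
        auto* ns = lookup(nsID);
        if (!ns)
            return RemoveResult::UnknownNamespace;
        auto& conns = ns->allowedConnections;
        if (std::find(conns.begin(), conns.end(), c) == conns.end())
            return RemoveResult::UnknownConnection;
        ns->removeAllowedConnection(c);
        return RemoveResult::Removed;
    }

    std::size_t allowedConnectionCount(StorageNamespaceID nsID) const {
        auto* ns = lookup(nsID);
        return ns ? ns->allowedConnections.size() : 0;
    }

private:
    std::unordered_map<StorageNamespaceID, std::unique_ptr<SessionStorageNamespace>> m_namespaces;
};

// One "IPC" message as the hardened handler sees it (constructed for this example).
struct RemoveMessage { StorageNamespaceID nsID; ConnectionID connectionID; };

// Builds two namespaces, tears one down, then replays a constructed batch of
// messages against the manager. Returns how many messages were rejected.
int processConstructedMessages(StorageManager& manager) {
    manager.addNamespace(1);
    manager.addNamespace(2);
    manager.addAllowedConnection(1, 100);
    manager.addAllowedConnection(2, 200);
    manager.removeNamespace(2); // page 2 went away before its message was handled

    const RemoveMessage messages[] = {
        { 1, 100 },      // valid: namespace 1 still exists
        { 2, 200 },      // stale: namespace 2 was removed after the message was queued
        { 424242, 100 }, // never existed: what an untrusted sender can put on the wire
    };
    int rejected = 0;
    for (const auto& m : messages) {
        if (manager.removeAllowedConnection(m.nsID, m.connectionID) != RemoveResult::Removed)
            ++rejected;
    }
    return rejected;
}

int main() {
    StorageManager manager;
    int rejected = processConstructedMessages(manager);
    std::printf("rejected %d of 3 messages; namespace 1 now has %zu allowed connections\n",
                rejected, manager.allowedConnectionCount(1));
    return 0;
}
```

The returned `RemoveResult` is the part the WebKit change does not have: the patched lambda silently ignores an unknown ID. Distinguishing "never existed" from "existed but was removed while the message was queued" is what lets an IPC handler treat the former as a malformed message from an untrusted process and the latter as a benign race.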

Diff

Modified: trunk/Source/WebKit/ChangeLog (246551 => 246552)


--- trunk/Source/WebKit/ChangeLog	2019-06-18 17:51:05 UTC (rev 246551)
+++ trunk/Source/WebKit/ChangeLog	2019-06-18 18:10:08 UTC (rev 246552)
@@ -1,3 +1,20 @@
+2019-06-18  Youenn Fablet  <you...@apple.com>
+
+        StorageManager::removeAllowedSessionStorageNamespaceConnection should make sure its storageNamespaceID is valid
+        https://bugs.webkit.org/show_bug.cgi?id=198966
+        rdar://problem/51352080
+
+        Reviewed by Alex Christensen.
+
+        Make sure the namespace ID is a key of the map before using the value.
+        The namespace ID is coming straight from IPC so should not be trusted.
+        Also, namespace IDs are added/removed based on web pages being created/deleted.
+        Namespace IDs are supposed to be scoped by session IDs.
+        Using page IDs for namespace IDs works as long as the page does not change of session ID during its lifetime, which is not guaranteed.
+
+        * NetworkProcess/WebStorage/StorageManager.cpp:
+        (WebKit::StorageManager::removeAllowedSessionStorageNamespaceConnection):
+
 2019-06-18  David Quesada  <david_ques...@apple.com>
 
         Network process crash in SandboxExtension::consume() via Download::publishProgress
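Review bot: the last two lines of the new entry describe a second defect (page IDs are used as namespace IDs, but namespace IDs are supposed to be scoped by session ID, and a page can change session during its lifetime) that this patch does not fix; the entry should say that is left for a follow-up so a reader does not take the null check as covering it. The same sentence should read "does not change session ID" rather than "change of session ID". The entry also does not say whether any test exercises the invalid-ID path that motivates the change.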

Modified: trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp (246551 => 246552)


--- trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp	2019-06-18 17:51:05 UTC (rev 246551)
+++ trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp	2019-06-18 18:10:08 UTC (rev 246552)
@@ -551,8 +551,8 @@
     auto allowedConnectionID = allowedConnection.uniqueID();
     m_queue->dispatch([this, protectedThis = makeRef(*this), allowedConnectionID, storageNamespaceID]() mutable {
         ASSERT(m_sessionStorageNamespaces.contains(storageNamespaceID));
-
-        m_sessionStorageNamespaces.get(storageNamespaceID)->removeAllowedConnection(allowedConnectionID);
+        if (auto* sessionStorageNamespace = m_sessionStorageNamespaces.get(storageNamespaceID))
+            sessionStorageNamespace->removeAllowedConnection(allowedConnectionID);
     });
 }
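Review bot: the ASSERT(m_sessionStorageNamespaces.contains(storageNamespaceID)) kept on the line above the new check contradicts the ChangeLog's own point that storageNamespaceID comes straight from IPC and cannot be trusted: in debug builds an unknown ID still trips the assertion before the null check runs. Either drop the assertion or replace it with a check that does not fire on attacker-controlled input. Consider also validating storageNamespaceID in the IPC handler, before the m_queue->dispatch at the top of the hunk, so a bogus ID is rejected at the message boundary; as written, a malformed message is dropped on the storage queue with no record of it, and the same branch also absorbs the benign case where a namespace valid at dispatch time was removed before the lambda ran, which the ChangeLog notes can happen as pages are deleted.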
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
