Diff
Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (282914 => 282915)
--- branches/safari-612-branch/Source/WebCore/ChangeLog 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog 2021-09-23 04:29:32 UTC (rev 282915)
@@ -1,5 +1,92 @@
2021-09-22 Alan Coon <alanc...@apple.com>
+ Cherry-pick r282393. rdar://problem/83429703
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ Source/WebCore:
+
+ Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+ since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+ other things.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+ * platform/network/BlobRegistry.h:
+ * platform/network/BlobRegistryImpl.cpp:
+ (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+ * platform/network/BlobRegistryImpl.h:
+
+ Source/WebKit:
+
+ When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+ calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+ WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+ sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+ network process and the network process will write the blobs to temporary files and
+ then return the file paths to those temporary files to the WebProcess. The file paths
+ are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+ IPC.
+
+ This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+ Blob file paths were indeed file paths previously created by the network process on behalf
+ of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::putOrAdd):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+ (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+ * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+ (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/FileAPI/BlobRegistryProxy.h:
+ * WebProcess/Network/NetworkProcessConnection.cpp:
+ (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/Network/NetworkProcessConnection.h:
+
+ Source/WebKitLegacy/mac:
+
+ * WebCoreSupport/WebPlatformStrategies.mm:
+
+ Source/WebKitLegacy/win:
+
+ * WebCoreSupport/WebPlatformStrategies.cpp:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-14 Chris Dumez <cdu...@apple.com>
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+ since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+ other things.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+ * platform/network/BlobRegistry.h:
+ * platform/network/BlobRegistryImpl.cpp:
+ (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+ * platform/network/BlobRegistryImpl.h:
+
+2021-09-22 Alan Coon <alanc...@apple.com>
+
Cherry-pick r282358. rdar://problem/83429732
AX: Make PDFs loaded via <embed> accessible
Modified: branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -4377,7 +4377,7 @@
ASSERT(isMainThread());
ASSERT(hasBlobURLs());
- blobRegistry().writeBlobsToTemporaryFiles(blobURLs(), [completionHandler = WTFMove(completionHandler), this, protectedThis = makeRef(*this)] (auto&& blobFilePaths) mutable {
+ blobRegistry().writeBlobsToTemporaryFilesForIndexedDB(blobURLs(), [completionHandler = WTFMove(completionHandler), this, protectedThis = makeRef(*this)] (auto&& blobFilePaths) mutable {
ASSERT(isMainThread());
if (blobFilePaths.isEmpty()) {
Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -71,7 +71,7 @@
virtual unsigned long long blobSize(const URL&) = 0;
- virtual void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) = 0;
+ virtual void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) = 0;
virtual BlobRegistryImpl* blobRegistryImpl() { return nullptr; }
Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -311,7 +311,7 @@
return true;
}
-void BlobRegistryImpl::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
+void BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
{
Vector<BlobForFileWriting> blobsForWriting;
if (!populateBlobsForFileWriting(blobURLs, blobsForWriting)) {
Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -72,7 +72,7 @@
unsigned long long blobSize(const URL&);
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
struct BlobForFileWriting {
String blobURL;
Modified: branches/safari-612-branch/Source/WebKit/ChangeLog (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/ChangeLog 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/ChangeLog 2021-09-23 04:29:32 UTC (rev 282915)
@@ -1,5 +1,113 @@
2021-09-22 Alan Coon <alanc...@apple.com>
+ Cherry-pick r282393. rdar://problem/83429703
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ Source/WebCore:
+
+ Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+ since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+ other things.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+ * platform/network/BlobRegistry.h:
+ * platform/network/BlobRegistryImpl.cpp:
+ (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+ * platform/network/BlobRegistryImpl.h:
+
+ Source/WebKit:
+
+ When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+ calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+ WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+ sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+ network process and the network process will write the blobs to temporary files and
+ then return the file paths to those temporary files to the WebProcess. The file paths
+ are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+ IPC.
+
+ This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+ Blob file paths were indeed file paths previously created by the network process on behalf
+ of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::putOrAdd):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+ (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+ * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+ (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/FileAPI/BlobRegistryProxy.h:
+ * WebProcess/Network/NetworkProcessConnection.cpp:
+ (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/Network/NetworkProcessConnection.h:
+
+ Source/WebKitLegacy/mac:
+
+ * WebCoreSupport/WebPlatformStrategies.mm:
+
+ Source/WebKitLegacy/win:
+
+ * WebCoreSupport/WebPlatformStrategies.cpp:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-14 Chris Dumez <cdu...@apple.com>
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+ calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+ WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+ sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+ network process and the network process will write the blobs to temporary files and
+ then return the file paths to those temporary files to the WebProcess. The file paths
+ are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+ IPC.
+
+ This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+ Blob file paths were indeed file paths previously created by the network process on behalf
+ of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::putOrAdd):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+ (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+ * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+ (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/FileAPI/BlobRegistryProxy.h:
+ * WebProcess/Network/NetworkProcessConnection.cpp:
+ (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/Network/NetworkProcessConnection.h:
+
+2021-09-22 Alan Coon <alanc...@apple.com>
+
Cherry-pick r282365. rdar://problem/83429982
Crash under WebPage::runJavaScript()
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -255,10 +255,35 @@
m_server->renameIndex(requestData, objectStoreIdentifier, indexIdentifier, newName);
}
-void WebIDBServer::putOrAdd(const WebCore::IDBRequestData& requestData, const WebCore::IDBKeyData& keyData, const WebCore::IDBValue& value, WebCore::IndexedDB::ObjectStoreOverwriteMode overWriteMode)
+void WebIDBServer::putOrAdd(IPC::Connection& connection, const WebCore::IDBRequestData& requestData, const WebCore::IDBKeyData& keyData, const WebCore::IDBValue& value, WebCore::IndexedDB::ObjectStoreOverwriteMode overWriteMode)
{
ASSERT(!RunLoop::isMain());
+ if (value.blobURLs().size() != value.blobFilePaths().size()) {
+ RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: Number of blob URLs doesn't match the number of blob file paths.");
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
+ // Validate temporary blob paths in |value| to make sure they belong to the source process.
+ if (!value.blobFilePaths().isEmpty()) {
+ auto it = m_temporaryBlobPathsPerConnection.find(connection.uniqueID());
+ if (it == m_temporaryBlobPathsPerConnection.end()) {
+ RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: IDBValue contains blob paths but none are allowed for this process");
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
+ auto& temporaryBlobPathsForConnection = it->value;
+ for (auto& blobFilePath : value.blobFilePaths()) {
+ if (!temporaryBlobPathsForConnection.remove(blobFilePath)) {
+ RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: Blob path was not created for this WebProcess");
+ ASSERT_NOT_REACHED();
+ return;
+ }
+ }
+ }
+
Locker locker { m_serverLock };
m_server->putOrAdd(requestData, keyData, value, overWriteMode);
}
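Review bot: The validation loop at `if (!temporaryBlobPathsForConnection.remove(blobFilePath))` both checks and consumes each path, and nothing in putOrAdd() says so. That single-use behaviour is what keeps a path from being accepted by a second PutOrAdd or listed twice in one value, so it deserves a comment above the loop, e.g. `// remove() consumes the path: each registration is accepted by at most one PutOrAdd.` The same comment should state that when a later path in the value is rejected, the earlier ones have already been removed and the whole request is dropped; whether the temporary files behind those consumed paths get cleaned up is not visible in this hunk. The emptied HashSet also stays in m_temporaryBlobPathsPerConnection until removeConnection() runs, which looks harmless.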
@@ -397,6 +422,7 @@
connection.removeWorkQueueMessageReceiver(Messages::WebIDBServer::messageReceiverName());
postTask([this, protectedThis = makeRef(*this), connectionID = connection.uniqueID()] {
+ m_temporaryBlobPathsPerConnection.remove(connectionID);
auto connection = m_connectionMap.take(connectionID);
ASSERT(connection);
@@ -406,6 +432,19 @@
});
}
+void WebIDBServer::registerTemporaryBlobFilePaths(IPC::Connection& connection, const Vector<String>& filePaths)
+{
+ ASSERT(RunLoop::isMain());
+
+ postTask([this, protectedThis = makeRef(*this), connectionID = connection.uniqueID(), filePaths = crossThreadCopy(filePaths)] {
+ if (!m_connectionMap.contains(connectionID))
+ return;
+
+ auto& temporaryBlobPaths = m_temporaryBlobPathsPerConnection.ensure(connectionID, [] { return HashSet<String> { }; }).iterator->value;
+ temporaryBlobPaths.add(filePaths.begin(), filePaths.end());
+ });
+}
+
void WebIDBServer::postTask(Function<void()>&& task)
{
ASSERT(RunLoop::isMain());
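Review bot: The early return on `if (!m_connectionMap.contains(connectionID))` in registerTemporaryBlobFilePaths() has no comment, and the reason matters for the hardening. It appears to keep a task that runs after removeConnection() from re-creating an entry in m_temporaryBlobPathsPerConnection that nothing would erase later; a comment such as `// Connection already removed (or never added): do not create an allow-list entry that removeConnection() can no longer clean up.` would record that. Paths dropped here make the sender's next PutOrAdd fail the "none are allowed for this process" check in putOrAdd(), so a `RELEASE_LOG` line at this return would make that rejection easier to trace. The set shrinks only when putOrAdd() consumes a path or the connection goes away, so its size is bounded only by how many blob writes the WebProcess requests; the hunk ends inside postTask(), whose body is outside it.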
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -56,6 +56,8 @@
bool suspend(SuspensionCondition = SuspensionCondition::Always);
void resume();
+ void registerTemporaryBlobFilePaths(IPC::Connection&, const Vector<String>&);
+
// Message handlers.
void openDatabase(const WebCore::IDBRequestData&);
void deleteDatabase(const WebCore::IDBRequestData&);
@@ -69,7 +71,7 @@
void createIndex(const WebCore::IDBRequestData&, const WebCore::IDBIndexInfo&);
void deleteIndex(const WebCore::IDBRequestData&, uint64_t objectStoreIdentifier, const String& indexName);
void renameIndex(const WebCore::IDBRequestData&, uint64_t objectStoreIdentifier, uint64_t indexIdentifier, const String& newName);
- void putOrAdd(const WebCore::IDBRequestData&, const WebCore::IDBKeyData&, const WebCore::IDBValue&, WebCore::IndexedDB::ObjectStoreOverwriteMode);
+ void putOrAdd(IPC::Connection&, const WebCore::IDBRequestData&, const WebCore::IDBKeyData&, const WebCore::IDBValue&, WebCore::IndexedDB::ObjectStoreOverwriteMode);
void getRecord(const WebCore::IDBRequestData&, const WebCore::IDBGetRecordData&);
void getAllRecords(const WebCore::IDBRequestData&, const WebCore::IDBGetAllRecordsData&);
void getCount(const WebCore::IDBRequestData&, const WebCore::IDBKeyRangeData&);
@@ -103,6 +105,7 @@
std::unique_ptr<WebCore::IDBServer::IDBServer> m_server WTF_GUARDED_BY_LOCK(m_serverLock);
bool m_isSuspended { false };
+ HashMap<IPC::Connection::UniqueID, HashSet<String>> m_temporaryBlobPathsPerConnection; // Only used on the work queue.
HashMap<IPC::Connection::UniqueID, std::unique_ptr<WebIDBConnectionToClient>> m_connectionMap;
WeakHashSet<IPC::Connection> m_connections; // Only used on the main thread.
};
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in 2021-09-23 04:29:32 UTC (rev 282915)
@@ -33,7 +33,7 @@
CreateIndex(WebCore::IDBRequestData requestData, WebCore::IDBIndexInfo info)
DeleteIndex(WebCore::IDBRequestData requestData, uint64_t objectStoreIdentifier, String indexName)
RenameIndex(WebCore::IDBRequestData requestData, uint64_t objectStoreIdentifier, uint64_t indexIdentifier, String newName)
- PutOrAdd(WebCore::IDBRequestData requestData, WebCore::IDBKeyData key, WebCore::IDBValue value, WebCore::IndexedDB::ObjectStoreOverwriteMode overwriteMode)
+ PutOrAdd(WebCore::IDBRequestData requestData, WebCore::IDBKeyData key, WebCore::IDBValue value, WebCore::IndexedDB::ObjectStoreOverwriteMode overwriteMode) WantsConnection
GetRecord(WebCore::IDBRequestData requestData, struct WebCore::IDBGetRecordData getRecordData)
GetAllRecords(WebCore::IDBRequestData requestData, struct WebCore::IDBGetAllRecordsData getAllRecordsData)
GetCount(WebCore::IDBRequestData requestData, struct WebCore::IDBKeyRangeData range)
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -890,7 +890,7 @@
completionHandler(session ? session->blobRegistry().blobSize(url) : 0);
}
-void NetworkConnectionToWebProcess::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&& completionHandler)
+void NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&& completionHandler)
{
auto* session = networkSession();
if (!session)
@@ -903,10 +903,12 @@
for (auto& file : fileReferences)
file->prepareForFileAccess();
- session->blobRegistry().writeBlobsToTemporaryFiles(blobURLs, [fileReferences = WTFMove(fileReferences), completionHandler = WTFMove(completionHandler)](auto&& fileNames) mutable {
+ session->blobRegistry().writeBlobsToTemporaryFilesForIndexedDB(blobURLs, [this, protectedThis = makeRef(*this), fileReferences = WTFMove(fileReferences), completionHandler = WTFMove(completionHandler)](auto&& filePaths) mutable {
for (auto& file : fileReferences)
file->revokeFileAccess();
- completionHandler(WTFMove(fileNames));
+
+ m_networkProcess->webIDBServer(m_sessionID).registerTemporaryBlobFilePaths(m_connection, filePaths);
+ completionHandler(WTFMove(filePaths));
});
}
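Review bot: The call to `registerTemporaryBlobFilePaths(m_connection, filePaths)` has to stay ahead of `completionHandler(WTFMove(filePaths))`, and the lambda does not say why. The WebProcess can only put these paths in a PutOrAdd after it receives the reply, so registering first queues the allow-list update before any message that depends on it, assuming the work queue runs tasks in posting order; swapping the two lines would also read a moved-from vector. A comment like `// Register before replying so the paths are allow-listed before the WebProcess can reference them in PutOrAdd.` would protect that ordering. The callback may also be reached with an empty `filePaths` (the WebCore caller tests `blobFilePaths.isEmpty()`), in which case the registration could be skipped with `if (!filePaths.isEmpty())`. The function's opening lines are in the previous hunk and the code between the two hunks is not shown.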
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -235,7 +235,7 @@
void registerBlobURLForSlice(const URL&, const URL& srcURL, int64_t start, int64_t end, const String& contentType);
void blobSize(const URL&, CompletionHandler<void(uint64_t)>&&);
void unregisterBlobURL(const URL&);
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&&);
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&&);
void registerBlobURLHandle(const URL&);
void unregisterBlobURLHandle(const URL&);
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2021-09-23 04:29:32 UTC (rev 282915)
@@ -55,7 +55,7 @@
RegisterBlobURLForSlice(URL url, URL srcURL, int64_t start, int64_t end, String contentType)
UnregisterBlobURL(URL url)
BlobSize(URL url) -> (uint64_t resultSize) Synchronous
- WriteBlobsToTemporaryFiles(Vector<String> blobURLs) -> (Vector<String> fileNames) Async
+ WriteBlobsToTemporaryFilesForIndexedDB(Vector<String> blobURLs) -> (Vector<String> fileNames) Async
RegisterBlobURLHandle(URL url);
UnregisterBlobURLHandle(URL url);
Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -64,7 +64,7 @@
void registerBlobURLForSlice(const URL&, const URL& srcURL, long long start, long long end, const String& contentType) final { ASSERT_NOT_REACHED(); }
void unregisterBlobURL(const URL&) final { ASSERT_NOT_REACHED(); }
unsigned long long blobSize(const URL&) final { ASSERT_NOT_REACHED(); return 0; }
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final { ASSERT_NOT_REACHED(); }
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final { ASSERT_NOT_REACHED(); }
void registerBlobURLHandle(const URL&) final { ASSERT_NOT_REACHED(); }
void unregisterBlobURLHandle(const URL&) final { ASSERT_NOT_REACHED(); }
};
Modified: branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -95,9 +95,9 @@
return resultSize;
}
-void BlobRegistryProxy::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
+void BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
{
- WebProcess::singleton().ensureNetworkProcessConnection().writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler));
+ WebProcess::singleton().ensureNetworkProcessConnection().writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler));
}
}
Modified: branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -38,7 +38,7 @@
void unregisterBlobURL(const URL&) final;
void registerBlobURLForSlice(const URL&, const URL& srcURL, long long start, long long end, const String& contentType) final;
unsigned long long blobSize(const URL&) final;
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final;
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final;
void registerBlobURLHandle(const URL&) final;
void unregisterBlobURLHandle(const URL&) final;
};
Modified: branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -221,9 +221,9 @@
{
}
-void NetworkProcessConnection::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
+void NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
{
- connection().sendWithAsyncReply(Messages::NetworkConnectionToWebProcess::WriteBlobsToTemporaryFiles(blobURLs), WTFMove(completionHandler));
+ connection().sendWithAsyncReply(Messages::NetworkConnectionToWebProcess::WriteBlobsToTemporaryFilesForIndexedDB(blobURLs), WTFMove(completionHandler));
}
void NetworkProcessConnection::didFinishPingLoad(uint64_t pingLoadIdentifier, ResourceError&& error, ResourceResponse&& response)
Modified: branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h (282914 => 282915)
--- branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h 2021-09-23 04:29:32 UTC (rev 282915)
@@ -64,7 +64,7 @@
void didReceiveNetworkProcessConnectionMessage(IPC::Connection&, IPC::Decoder&);
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
WebIDBConnectionToServer* existingIDBConnectionToServer() const { return m_webIDBConnection.get(); };
WebIDBConnectionToServer& idbConnectionToServer();
Modified: branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog (282914 => 282915)
--- branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog 2021-09-23 04:29:32 UTC (rev 282915)
@@ -1,3 +1,81 @@
+2021-09-22 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r282393. rdar://problem/83429703
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ Source/WebCore:
+
+ Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+ since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+ other things.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+ * platform/network/BlobRegistry.h:
+ * platform/network/BlobRegistryImpl.cpp:
+ (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+ * platform/network/BlobRegistryImpl.h:
+
+ Source/WebKit:
+
+ When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+ calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+ WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+ sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+ network process and the network process will write the blobs to temporary files and
+ then return the file paths to those temporary files to the WebProcess. The file paths
+ are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+ IPC.
+
+ This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+ Blob file paths were indeed file paths previously created by the network process on behalf
+ of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::putOrAdd):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+ (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+ * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+ (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/FileAPI/BlobRegistryProxy.h:
+ * WebProcess/Network/NetworkProcessConnection.cpp:
+ (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/Network/NetworkProcessConnection.h:
+
+ Source/WebKitLegacy/mac:
+
+ * WebCoreSupport/WebPlatformStrategies.mm:
+
+ Source/WebKitLegacy/win:
+
+ * WebCoreSupport/WebPlatformStrategies.cpp:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-14 Chris Dumez <cdu...@apple.com>
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ * WebCoreSupport/WebPlatformStrategies.mm:
+
2021-08-16 David Kilzer <ddkil...@apple.com>
"make analyze" should run clang static analyzer in deep mode
Modified: branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm (282914 => 282915)
--- branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm 2021-09-23 04:29:32 UTC (rev 282915)
@@ -90,7 +90,7 @@
void registerBlobURLForSlice(const URL& url, const URL& srcURL, long long start, long long end, const String& contentType) final { m_blobRegistry.registerBlobURLForSlice(url, srcURL, start, end, contentType); }
void unregisterBlobURL(const URL& url) final { m_blobRegistry.unregisterBlobURL(url); }
unsigned long long blobSize(const URL& url) final { return m_blobRegistry.blobSize(url); }
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler)); }
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler)); }
void registerBlobURLHandle(const URL& url) final { m_blobRegistry.registerBlobURLHandle(url); }
void unregisterBlobURLHandle(const URL& url) final { m_blobRegistry.unregisterBlobURLHandle(url); }
Modified: branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog (282914 => 282915)
--- branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog 2021-09-23 04:29:32 UTC (rev 282915)
@@ -1,3 +1,81 @@
+2021-09-22 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r282393. rdar://problem/83429703
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ Source/WebCore:
+
+ Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+ since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+ other things.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+ * platform/network/BlobRegistry.h:
+ * platform/network/BlobRegistryImpl.cpp:
+ (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+ * platform/network/BlobRegistryImpl.h:
+
+ Source/WebKit:
+
+ When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+ calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+ WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+ sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+ network process and the network process will write the blobs to temporary files and
+ then return the file paths to those temporary files to the WebProcess. The file paths
+ are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+ IPC.
+
+ This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+ Blob file paths were indeed file paths previously created by the network process on behalf
+ of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::putOrAdd):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+ * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+ (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+ * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+ (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/FileAPI/BlobRegistryProxy.h:
+ * WebProcess/Network/NetworkProcessConnection.cpp:
+ (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+ * WebProcess/Network/NetworkProcessConnection.h:
+
+ Source/WebKitLegacy/mac:
+
+ * WebCoreSupport/WebPlatformStrategies.mm:
+
+ Source/WebKitLegacy/win:
+
+ * WebCoreSupport/WebPlatformStrategies.cpp:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-14 Chris Dumez <cdu...@apple.com>
+
+ [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+ https://bugs.webkit.org/show_bug.cgi?id=230233
+ <rdar://79562514>
+
+ Reviewed by Brady Eidson.
+
+ * WebCoreSupport/WebPlatformStrategies.cpp:
+
2021-08-19 Youenn Fablet <you...@apple.com>
Rename MediaPlayer::setVisible to MediaPlayer::setPageIsVisible
Modified: branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp (282914 => 282915)
--- branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp 2021-09-23 04:29:32 UTC (rev 282915)
@@ -86,7 +86,7 @@
void registerBlobURLForSlice(const URL& url, const URL& srcURL, long long start, long long end, const String& contentType) final { m_blobRegistry.registerBlobURLForSlice(url, srcURL, start, end, contentType); }
void unregisterBlobURL(const URL& url) final { m_blobRegistry.unregisterBlobURL(url); }
unsigned long long blobSize(const URL& url) final { return m_blobRegistry.blobSize(url); }
- void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler)); }
+ void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler)); }
void registerBlobURLHandle(const URL& url) final { m_blobRegistry.registerBlobURLHandle(url); }
void unregisterBlobURLHandle(const URL& url) final { m_blobRegistry.unregisterBlobURLHandle(url); }