Title: [293180] branches/safari-613-branch/Source/WebKit

Diff

Modified: branches/safari-613-branch/Source/WebKit/ChangeLog (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/ChangeLog	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/ChangeLog	2022-04-21 20:11:51 UTC (rev 293180)
@@ -333,6 +333,64 @@
 
 2022-04-19  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r291371. rdar://problem/72058321
+
+    CoreIPC Hardening: Add user gesture check when saving images
+    https://bugs.webkit.org/show_bug.cgi?id=237839
+    <rdar://72058321>
+    
+    Reviewed by Chris Dumez.
+    
+    Add check to confirm that attempts to store images in the user's Photo
+    Library and attempts to store data in the pasteboard were triggered by
+    a user gesture.
+    
+    * UIProcess/WebPageProxy.cpp:
+    (WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
+    performing the write.
+    * UIProcess/WebPageProxy.h:
+    * UIProcess/WebPageProxy.messages.in:
+    * UIProcess/ios/WebPageProxyIOS.mm:
+    (WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
+    (WebKit::WebPageProxy::performActionOnElement): Added.
+    (WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
+    performing the save.
+    * WebProcess/WebPage/WebPage.h:
+    * WebProcess/WebPage/WebPage.messages.in:
+    * WebProcess/WebPage/ios/WebPageIOS.mm:
+    (WebKit::WebPage::performActionOnElement):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291371 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-03-16  Brent Fulgham  <bfulg...@apple.com>
+
+            CoreIPC Hardening: Add user gesture check when saving images
+            https://bugs.webkit.org/show_bug.cgi?id=237839
+            <rdar://72058321>
+
+            Reviewed by Chris Dumez.
+
+            Add check to confirm that attempts to store images in the user's Photo
+            Library and attempts to store data in the pasteboard were triggered by
+            a user gesture.
+
+            * UIProcess/WebPageProxy.cpp:
+            (WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
+            performing the write.
+            * UIProcess/WebPageProxy.h:
+            * UIProcess/WebPageProxy.messages.in:
+            * UIProcess/ios/WebPageProxyIOS.mm:
+            (WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
+            (WebKit::WebPageProxy::performActionOnElement): Added.
+            (WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
+            performing the save.
+            * WebProcess/WebPage/WebPage.h:
+            * WebProcess/WebPage/WebPage.messages.in:
+            * WebProcess/WebPage/ios/WebPageIOS.mm:
+            (WebKit::WebPage::performActionOnElement):
+
+2022-04-19  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r290874. rdar://problem/84869202
 
     Push HTMLMediaElement renderer's contentBox rect to GPU process

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -10145,9 +10145,16 @@
 
 #if ENABLE(ATTACHMENT_ELEMENT)
 
-void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info)
+void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info, const String& authorizationToken)
 {
+#if PLATFORM(IOS_FAMILY)
+    MESSAGE_CHECK(m_process, isValidPerformActionOnElementAuthorizationToken(authorizationToken));
+
     pageClient().writePromisedAttachmentToPasteboard(WTFMove(info));
+#else
+    UNUSED_PARAM(info);
+    UNUSED_PARAM(authorizationToken);
+#endif
 }
 
 RefPtr<API::Attachment> WebPageProxy::attachmentForIdentifier(const String& identifier) const
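Review bot: On non-iOS builds the new `#else` branch drops the promised-attachment write entirely, whereas the old body called `pageClient().writePromisedAttachmentToPasteboard(WTFMove(info))` on every platform. The only sender visible in this patch is WebPageIOS.mm, so this may be dead on other platforms, but WebPageProxy.messages.in still declares `WritePromisedAttachmentToPasteboard` for every ENABLE(ATTACHMENT_ELEMENT) build, so on those platforms a message from a compromised WebProcess is now accepted and silently ignored rather than rejected. Either gate the message on PLATFORM(IOS_FAMILY) in the messages file, or keep the write on other platforms and move only the MESSAGE_CHECK under the `#if`. At minimum the `#else` branch deserves a comment such as `// Only iOS mints performActionOnElement tokens; the write is intentionally unsupported elsewhere.`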

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -876,7 +876,7 @@
     void startInteractionWithPositionInformation(const InteractionInformationAtPosition&);
     void stopInteraction();
     void performActionOnElement(uint32_t action);
-    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle);
+    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&& = [] { });
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);
     void setFocusedElementSelectedIndex(const WebCore::ElementContext&, uint32_t index, bool allowMultipleSelection = false);
@@ -2357,6 +2357,8 @@
     void showPlaybackTargetPicker(bool hasVideo, const WebCore::IntRect& elementRect, WebCore::RouteSharingPolicy, const String&);
 
     void updateStringForFind(const String&);
+
+    bool isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const;
 #endif
 
     void focusedFrameChanged(const std::optional<WebCore::FrameIdentifier>&);
@@ -2504,7 +2506,7 @@
     Ref<API::Attachment> ensureAttachment(const String& identifier);
     void invalidateAllAttachments();
 
-    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&);
+    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&, const String& authorizationToken);
 #endif
 
     void reportPageLoadResult(const WebCore::ResourceError& = { });
@@ -3024,6 +3026,7 @@
     Function<bool()> m_deviceOrientationUserPermissionHandlerForTesting;
     bool m_waitingForPostLayoutEditorStateUpdateAfterFocusingElement { false };
     bool m_lastObservedStateWasBackground { false };
+    HashSet<String> m_performActionOnElementAuthTokens;
 #endif
 
     std::optional<WebCore::FontAttributes> m_cachedFontAttributesAtSelectionStart;

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2020 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -160,7 +160,7 @@
 #if PLATFORM(IOS_FAMILY)
     InterpretKeyEvent(struct WebKit::EditorState state, bool isCharEvent) -> (bool handled) Synchronous
     DidReceivePositionInformation(struct WebKit::InteractionInformationAtPosition information)
-    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle)
+    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle, String authorizationToken)
     ShowPlaybackTargetPicker(bool hasVideo, WebCore::IntRect elementRect, enum:uint8_t WebCore::RouteSharingPolicy policy, String routingContextUID)
     CommitPotentialTapFailed()
     DidNotHandleTapAsClick(WebCore::IntPoint point)
@@ -525,7 +525,7 @@
     DidInsertAttachmentWithIdentifier(String identifier, String source, bool hasEnclosingImage)
     DidRemoveAttachmentWithIdentifier(String identifier)
     SerializedAttachmentDataForIdentifiers(Vector<String> identifiers) -> (Vector<WebCore::SerializedAttachmentData> seralizedData) Synchronous
-    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info)
+    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info, String authorizationToken)
 #endif
 
 #if ENABLE(APP_HIGHLIGHTS)

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -562,14 +562,30 @@
     m_process->send(Messages::WebPage::StopInteraction(), m_webPageID);
 }
 
+bool WebPageProxy::isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const
+{
+    return !authorizationToken.isNull() && m_performActionOnElementAuthTokens.contains(authorizationToken);
+}
+
 void WebPageProxy::performActionOnElement(uint32_t action)
 {
-    m_process->send(Messages::WebPage::PerformActionOnElement(action), m_webPageID);
+    auto authorizationToken = createVersion4UUIDString();
+
+    m_performActionOnElementAuthTokens.add(authorizationToken);
+    
+    sendWithAsyncReply(Messages::WebPage::PerformActionOnElement(action, authorizationToken), [weakThis = WeakPtr { *this }, authorizationToken] () mutable {
+        if (!weakThis)
+            return;
+
+        ASSERT(weakThis->isValidPerformActionOnElementAuthorizationToken(authorizationToken));
+        weakThis->m_performActionOnElementAuthTokens.remove(authorizationToken);
+    });
 }
 
-void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle)
+void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken)
 {
     MESSAGE_CHECK(!imageHandle.handle.isNull());
+    MESSAGE_CHECK(isValidPerformActionOnElementAuthorizationToken(authorizationToken));
 
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle.handle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)
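Review bot: A token minted in `performActionOnElement` stays valid until the WebProcess answers the async reply, so a compromised WebProcess that simply never replies keeps one user gesture usable for any number of later `SaveImageToLibrary` or `WritePromisedAttachmentToPasteboard` messages. Since the visible WebPage::performActionOnElement sends at most one of those messages per action, the token can be consumed on first use: after the MESSAGE_CHECK in `saveImageToLibrary` (and the matching one in WebPageProxy.cpp) add `m_performActionOnElementAuthTokens.remove(authorizationToken);` and drop the `ASSERT` in the reply lambda, whose unconditional `remove` is still needed for actions that send nothing. The token also does not record which action it was issued for, so a Copy action authorizes a Photos-library save; storing the action alongside the token would close that if it is considered in scope. It is also worth confirming that pending async-reply handlers run on WebProcess termination, otherwise `m_performActionOnElementAuthTokens` keeps stale entries across a crash; saveImageToLibrary's body continues past this hunk.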

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -807,7 +807,7 @@
     void requestPositionInformation(const InteractionInformationRequest&);
     void startInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext>&&, WebCore::IntPoint&&);
     void stopInteraction();
-    void performActionOnElement(uint32_t action);
+    void performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&&);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&&);
     void autofillLoginCredentials(const String&, const String&);
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2021 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -90,7 +90,7 @@
     RequestPositionInformation(struct WebKit::InteractionInformationRequest request)
     StartInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext> elementContext, WebCore::IntPoint point)
     StopInteraction()
-    PerformActionOnElement(uint32_t action)
+    PerformActionOnElement(uint32_t action, String authenticationToken) -> ()
     FocusNextFocusedElement(bool isForward) -> () Async
     AutofillLoginCredentials(String username, String password)
     SetFocusedElementValue(struct WebCore::ElementContext context, String value)
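Review bot: The new parameter is named `authenticationToken` here but `authorizationToken` in WebPage.h, WebPageIOS.mm, WebPageProxy.h and the WebPageProxy messages, and authorization is what it actually conveys; rename it to `PerformActionOnElement(uint32_t action, String authorizationToken) -> ()` so the generated code and grep results agree. The adjacent `FocusNextFocusedElement` spells out `Async` on its reply while this one does not; if this branch's message generator still distinguishes the two forms, confirm the intended one, since the UIProcess side uses `sendWithAsyncReply`.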

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (293179 => 293180)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-04-21 20:11:46 UTC (rev 293179)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-04-21 20:11:51 UTC (rev 293180)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -3173,8 +3173,10 @@
     m_interactionNode = nullptr;
 }
 
-void WebPage::performActionOnElement(uint32_t action)
+void WebPage::performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&& completionHandler)
 {
+    CompletionHandlerCallingScope callCompletionHandler(WTFMove(completionHandler));
+
     if (!is<HTMLElement>(m_interactionNode))
         return;
 
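Review bot: The `authorizationToken` parameter has no documentation explaining that it must be forwarded unchanged to the UIProcess and is only honored until the completion handler fires, which is the only way a reader of this file can tell why the token is threaded through both the copy and save-image branches. Add above the signature: `// authorizationToken was minted by the UIProcess for this action and is only accepted by SaveImageToLibrary / WritePromisedAttachmentToPasteboard until completionHandler runs.` The `CompletionHandlerCallingScope` fires the reply on every early return, which is what invalidates the token; performActionOnElement's body continues past this hunk.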
@@ -3200,7 +3202,7 @@
             m_interactionNode->document().editor().copyURL(element.document().completeURL(stripLeadingAndTrailingHTMLSpaces(element.attributeWithoutSynchronization(HTMLNames::hrefAttr))), element.textContent());
 #if ENABLE(ATTACHMENT_ELEMENT)
         else if (auto attachmentInfo = element.document().editor().promisedAttachmentInfo(element))
-            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo)));
+            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo), authorizationToken));
 #endif
     } else if (static_cast<SheetAction>(action) == SheetAction::SaveImage) {
         if (!is<RenderImage>(*element.renderer()))
@@ -3216,7 +3218,7 @@
             return;
         SharedMemory::Handle handle;
         sharedMemoryBuffer->createHandle(handle, SharedMemory::Protection::ReadOnly);
-        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }));
+        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }, authorizationToken));
     }
 }
 