Title: [246552] trunk/Source/WebKit
- Revision: 246552
- Author: you...@apple.com
- Date: 2019-06-18 11:10:08 -0700 (Tue, 18 Jun 2019)
Log Message
StorageManager::removeAllowedSessionStorageNamespaceConnection should make sure its storageNamespaceID is valid
https://bugs.webkit.org/show_bug.cgi?id=198966
rdar://problem/51352080
Reviewed by Alex Christensen.
Make sure the namespace ID is a key of the map before using the value.
The namespace ID is coming straight from IPC so should not be trusted.
Also, namespace IDs are added/removed based on web pages being created/deleted.
Namespace IDs are supposed to be scoped by session IDs.
Using page IDs for namespace IDs works as long as the page does not change session ID during its lifetime, which is not guaranteed.
* NetworkProcess/WebStorage/StorageManager.cpp:
(WebKit::StorageManager::removeAllowedSessionStorageNamespaceConnection):
Diff
Modified: trunk/Source/WebKit/ChangeLog (246551 => 246552)
--- trunk/Source/WebKit/ChangeLog 2019-06-18 17:51:05 UTC (rev 246551)
+++ trunk/Source/WebKit/ChangeLog 2019-06-18 18:10:08 UTC (rev 246552)
@@ -1,3 +1,20 @@
+2019-06-18 Youenn Fablet <you...@apple.com>
+
+ StorageManager::removeAllowedSessionStorageNamespaceConnection should make sure its storageNamespaceID is valid
+ https://bugs.webkit.org/show_bug.cgi?id=198966
+ rdar://problem/51352080
+
+ Reviewed by Alex Christensen.
+
+ Make sure the namespace ID is a key of the map before using the value.
+ The namespace ID is coming straight from IPC so should not be trusted.
+ Also, namespace IDs are added/removed based on web pages being created/deleted.
+ Namespace IDs are supposed to be scoped by session IDs.
+ Using page IDs for namespace IDs works as long as the page does not change of session ID during its lifetime, which is not guaranteed.
+
+ * NetworkProcess/WebStorage/StorageManager.cpp:
+ (WebKit::StorageManager::removeAllowedSessionStorageNamespaceConnection):
+
2019-06-18 David Quesada <david_ques...@apple.com>
Network process crash in SandboxExtension::consume() via Download::publishProgress
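Review bot: The last three description lines of this ChangeLog entry raise a scoping problem (page IDs used as namespace IDs, while namespace IDs are supposed to be scoped by session ID) that the listed change does not address, since only removeAllowedSessionStorageNamespaceConnection is touched. Please state in the entry whether that scoping issue is tracked in a follow-up bug, so readers do not assume this revision resolves it. Minor wording: "does not change of session ID" should read "does not change session ID".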
Modified: trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp (246551 => 246552)
--- trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp 2019-06-18 17:51:05 UTC (rev 246551)
+++ trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp 2019-06-18 18:10:08 UTC (rev 246552)
@@ -551,8 +551,8 @@
auto allowedConnectionID = allowedConnection.uniqueID();
m_queue->dispatch([this, protectedThis = makeRef(*this), allowedConnectionID, storageNamespaceID]() mutable {
ASSERT(m_sessionStorageNamespaces.contains(storageNamespaceID));
-
- m_sessionStorageNamespaces.get(storageNamespaceID)->removeAllowedConnection(allowedConnectionID);
+ if (auto* sessionStorageNamespace = m_sessionStorageNamespaces.get(storageNamespaceID))
+ sessionStorageNamespace->removeAllowedConnection(allowedConnectionID);
});
}
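Review bot: The retained `ASSERT(m_sessionStorageNamespaces.contains(storageNamespaceID));` on the first line of the lambda contradicts the null check added right below it. The log message says the ID comes straight from IPC and should not be trusted, yet debug builds will still abort on an unknown ID while release builds now silently skip it. Suggest dropping the ASSERT, or replacing it with a logged early return, so that both build types handle a bad ID the same way. A log line in the not-found path would also help distinguish a misbehaving sender from the page/session ID mismatch described in the ChangeLog.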