Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 76a6ff4a88da11885fb1c5b8af8b41bf0a7844b5 https://github.com/WebKit/WebKit/commit/76a6ff4a88da11885fb1c5b8af8b41bf0a7844b5 Author: Ryosuke Niwa <rn...@webkit.org> Date: 2024-05-22 (Wed, 22 May 2024)
Changed paths: A LayoutTests/http/tests/security/contentSecurityPolicy/nonce-hiding-on-svg-script-expected.txt A LayoutTests/http/tests/security/contentSecurityPolicy/nonce-hiding-on-svg-script.py M Source/WebCore/dom/ScriptElement.cpp M Source/WebCore/svg/SVGElement.cpp Log Message: ----------- nonce hiding in SVG is buggy https://bugs.webkit.org/show_bug.cgi?id=268598 rdar://122151552 Reviewed by Chris Dumez. The bug was caused by SVGElement::insertedIntoAncestor hiding nonce after it had an early exit for returning InsertedIntoAncestorResult::NeedsPostInsertionCallback. Fixed the bug by hiding it before this early exit. * LayoutTests/http/tests/security/contentSecurityPolicy/nonce-hiding-on-svg-script-expected.txt: Added. * LayoutTests/http/tests/security/contentSecurityPolicy/nonce-hiding-on-svg-script.py: Added. * Source/WebCore/dom/ScriptElement.cpp: (WebCore::ScriptElement::didFinishInsertingNode): * Source/WebCore/svg/SVGElement.cpp: (WebCore::SVGElement::insertedIntoAncestor): Originally-landed-as: 272448.567@safari-7618-branch (d915a3b6357c). rdar://128504044 Canonical link: https://commits.webkit.org/279131@main Commit: 9e5283739c9809f145488a20f8a52f09fd3a85f4 https://github.com/WebKit/WebKit/commit/9e5283739c9809f145488a20f8a52f09fd3a85f4 Author: Chris Dumez <cdu...@apple.com> Date: 2024-05-22 (Wed, 22 May 2024) Changed paths: M Source/WebCore/workers/WorkerOrWorkletThread.cpp Log Message: ----------- Flaky crash under WorkerDedicatedRunLoop::runCleanupTasks() during fuzzing https://bugs.webkit.org/show_bug.cgi?id=269731 rdar://121961101 Reviewed by Brent Fulgham. I haven't been able to reproduce but based on the ASAN report, it looks like the WorkerOrWorkletGlobalScope is getting destroyed in the middle of WorkerDedicatedRunLoop::runCleanupTasks(), causing a use-after free of the context. To make sure this can't happen, apply our smart pointer adoption rules and make sure the WorkerOrWorkletGlobalScope is being protected on the stack at the call site of WorkerDedicatedRunLoop::run() before passing it in argument. * Source/WebCore/workers/WorkerOrWorkletThread.cpp: (WebCore::WorkerOrWorkletThread::runEventLoop): Originally-landed-as: 272448.578@safari-7618-branch (459d377c63c2). rdar://128504577 Canonical link: https://commits.webkit.org/279132@main Commit: 5944980db644fb2ea879bf3e2d6e5efd47156cdc https://github.com/WebKit/WebKit/commit/5944980db644fb2ea879bf3e2d6e5efd47156cdc Author: Wenson Hsieh <wenson_hs...@apple.com> Date: 2024-05-22 (Wed, 22 May 2024) Changed paths: M Source/WebCore/loader/EmptyClients.cpp M Source/WebCore/page/EditorClient.h M Source/WebCore/page/LocalFrame.cpp M Source/WebKit/UIProcess/WebPageProxy.cpp M Source/WebKit/UIProcess/WebPageProxy.h M Source/WebKit/UIProcess/WebPageProxy.messages.in M Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.cpp M Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.h M Source/WebKit/WebProcess/WebPage/WebPage.cpp M Source/WebKit/WebProcess/WebPage/WebPage.h M Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.h Log Message: ----------- Compromised web process can grant pasteboard access by spamming WebPage::RequestDOMPasteAccess https://bugs.webkit.org/show_bug.cgi?id=269769 rdar://97343267 Reviewed by Ryosuke Niwa and Richard Robinson. It's currently possible for a compromised web process to send arbitrary `originIdentifiers` through `requestDOMPasteAccess` to the UI process during programmatic paste. Since the UI process automatically grants programmatic pasteboard access in the case where the incoming origin ID matches the origin ID of the current pasteboard content, it's possible to send a large number of origins through this IPC endpoint, with the end goal of discovering both (1) which website origin the user last copied from, and (2) the contents of the pasteboard in the case where the pasteboard copied from web content in WebKit. To mitigate this attack vector, we add a `FrameIdentifier` in the IPC endpoint, which is used in the UI process to verify that: 1. The incoming frame ID corresponds to a frame underneath the destination page. 2. The pasteboard origin matches the origin of the frame, unless the pasteboard origin is an opaque (null) origin. Additionally, we throttle pasteboard access requests to a maximum of 10 different domains every 5 seconds, to mitigate another variation on this attack vector where the compromised web process loads a large number of cross-origin frames and requests pasteboard access on behalf of those origins, in an attempt to get around the limitations above. With this change, a compromised web process is only capable of grabbing data for a pasteboard origin that matches itself, or another origin under the same `WebPage`. * Source/WebCore/loader/EmptyClients.cpp: * Source/WebCore/page/EditorClient.h: * Source/WebCore/page/LocalFrame.cpp: (WebCore::LocalFrame::requestDOMPasteAccess): * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::requestDOMPasteAccess): Add the new `MESSAGE_CHECK`s. * Source/WebKit/UIProcess/WebPageProxy.h: * Source/WebKit/UIProcess/WebPageProxy.messages.in: * Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.cpp: (WebKit::WebEditorClient::requestDOMPasteAccess): * Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.h: * Source/WebKit/WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::requestDOMPasteAccess): * Source/WebKit/WebProcess/WebPage/WebPage.h: * Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.h: Originally-landed-as: 272448.579@safari-7618-branch (be0e10372eb5). rdar://128504822 Canonical link: https://commits.webkit.org/279133@main Commit: 2d8b1474ab48e248a1548ed59cf91fd1223b381f https://github.com/WebKit/WebKit/commit/2d8b1474ab48e248a1548ed59cf91fd1223b381f Author: Wenson Hsieh <wenson_hs...@apple.com> Date: 2024-05-22 (Wed, 22 May 2024) Changed paths: M Source/WebKit/UIProcess/API/APIAttachment.h M Source/WebKit/UIProcess/API/Cocoa/APIAttachmentCocoa.mm M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm M Source/WebKit/UIProcess/WebPageProxy.cpp Log Message: ----------- Harden IPC endpoints for decoding images from arbitrary file wrappers when using the attachment API https://bugs.webkit.org/show_bug.cgi?id=269877 rdar://99194803 Reviewed by Abrar Rahman Protyasha and Aditya Keerthi. It's currently possible for a compromised web process to use two IPC endpoints: • `WebPageProxy::RegisterAttachmentsFromSerializedData` • `WebPageProxy::RequestAttachmentIcon` ...in order to force image decoding through an `NSFileWrapper` created from arbitrary data, underneath a call to `-[NSFileWrapper icon]`. This icon image is only meant to be used to generate icons for folder attachments (e.g. a bundle icon for bundle directories, or Xcode icon for Xcode projects), and should only ever be exercised in the case where the file wrapper was created from an existing file path on the system (as opposed to untrusted data directly from the web process). As such, we can lock this down by: 1. Adding a `m_isCreatedFromSerializedRepresentation` flag, to track whether an `API::Attachment` was created using an arbitrary serialized representation. 2. Before asking for `-icon`, verify that the file wrapper doesn't have the flag set in (1), and that the file wrapper is also actually a directory. * Source/WebKit/UIProcess/API/APIAttachment.h: * Source/WebKit/UIProcess/API/Cocoa/APIAttachmentCocoa.mm: (API::Attachment::updateFromSerializedRepresentation): (API::Attachment::cloneFileWrapperTo): (API::Attachment::shouldUseFileWrapperIconForDirectory const): * Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm: (WebKit::WebPageProxy::platformCloneAttachment): Add logic here to ensure that a compromised web content process can't bypass the aforementioned mitigation by cloning an attachment created from arbitrary data to an attachment that doesn't have the `m_isCreatedFromSerializedRepresentation` flag. * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::requestAttachmentIcon): Originally-landed-as: 272448.599@safari-7618-branch (6d9bbe958980). rdar://128505199 Canonical link: https://commits.webkit.org/279134@main Compare: https://github.com/WebKit/WebKit/compare/2c9a11ae2283...2d8b1474ab48 To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications _______________________________________________ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes