IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
https://bugs.webkit.org/show_bug.cgi?id=206376
<rdar://problem/58622645>

Reviewed by David Kilzer.

IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*: validate identifiers sent over
IPC to make sure they are valid keys in our HashMap.

* UIProcess/WebPageProxy.cpp:
* UIProcess/WebPageProxy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254718 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 6ba20c4..5c4553f 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,17 @@
+2020-01-16  Chris Dumez  <cdumez@apple.com>
+
+        IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
+        https://bugs.webkit.org/show_bug.cgi?id=206376
+        <rdar://problem/58622645>
+
+        Reviewed by David Kilzer.
+
+        IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*, validate identifiers sent over
+        IPC to make sure they are valid keys in our HashMap.
+
+        * UIProcess/WebPageProxy.cpp:
+        * UIProcess/WebPageProxy.h:
+
 2020-01-16  Don Olmstead  <don.olmstead@sony.com>
 
         [PlayStation] Enable WebKit
diff --git a/Source/WebKit/UIProcess/WebPageProxy.cpp b/Source/WebKit/UIProcess/WebPageProxy.cpp
index a5114e8..a22f212 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.cpp
+++ b/Source/WebKit/UIProcess/WebPageProxy.cpp
@@ -9172,6 +9172,8 @@
 
 void WebPageProxy::registerAttachmentIdentifierFromData(const String& identifier, const String& contentType, const String& preferredFileName, const IPC::DataReference& data)
 {
+    MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
     if (attachmentForIdentifier(identifier))
         return;
 
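Review bot: The `MESSAGE_CHECK` added to registerAttachmentIdentifierFromData has no comment saying which identifiers it rejects, and the same goes for the checks added in registerAttachmentIdentifierFromFilePath, registerAttachmentIdentifier and cloneAttachmentData. As far as WTF's String hash traits go, `isValidKey` refuses only the null String and the deleted-bucket sentinel, so an empty but non-null identifier still passes and is used as a map key. I would add `// Null and deleted-value Strings are reserved by HashMap; one arriving over IPC means a misbehaving sender.` above each check, and confirm separately whether an empty identifier should be accepted at all. The function body continues outside the hunk.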
@@ -9184,6 +9186,8 @@
 
 void WebPageProxy::registerAttachmentIdentifierFromFilePath(const String& identifier, const String& contentType, const String& filePath)
 {
+    MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
     if (attachmentForIdentifier(identifier))
         return;
 
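Review bot: Only `identifier` is validated in registerAttachmentIdentifierFromFilePath; `filePath` arrives in the same IPC message and is not checked in the visible lines. The rest of the body is outside the hunk, so it may be validated further down. If it is not, the UI process would be acting on a path chosen by the sending process. I would at least record the expectation next to the new check, e.g. `// filePath is IPC-supplied too: confirm the sender has read access to it before the path is used.`, and consider a second `MESSAGE_CHECK` built on whatever file-access bookkeeping the process proxy already keeps.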
@@ -9197,6 +9201,8 @@
 
 void WebPageProxy::registerAttachmentIdentifier(const String& identifier)
 {
+    MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
     if (!attachmentForIdentifier(identifier))
         m_attachmentIdentifierToAttachmentMap.set(identifier, ensureAttachment(identifier));
 }
@@ -9212,6 +9218,9 @@
 
 void WebPageProxy::cloneAttachmentData(const String& fromIdentifier, const String& toIdentifier)
 {
+    MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(fromIdentifier));
+    MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(toIdentifier));
+
     auto newAttachment = ensureAttachment(toIdentifier);
     auto existingAttachment = attachmentForIdentifier(fromIdentifier);
     if (!existingAttachment) {
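Review bot: In cloneAttachmentData, `ensureAttachment(toIdentifier)` still runs before `fromIdentifier` is looked up, so a message naming a valid but unregistered source reaches the `if (!existingAttachment)` branch after the target-side call has already happened. Whether `ensureAttachment` creates or registers state is not visible here, and the body of that branch is outside the hunk, so this is a point to confirm rather than a certain defect. If a missing source can only come from a misbehaving sender, resolve it first and reject the message, moving `auto existingAttachment = attachmentForIdentifier(fromIdentifier);` up and following it with `MESSAGE_CHECK(m_process, existingAttachment);` before `ensureAttachment(toIdentifier)` is called.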
diff --git a/Source/WebKit/UIProcess/WebPageProxy.h b/Source/WebKit/UIProcess/WebPageProxy.h
index d8e4287..96bf246 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.h
+++ b/Source/WebKit/UIProcess/WebPageProxy.h
@@ -2631,7 +2631,8 @@
     HashMap<uint64_t, Ref<WebURLSchemeHandler>> m_urlSchemeHandlersByIdentifier;
 
 #if ENABLE(ATTACHMENT_ELEMENT)
-    HashMap<String, Ref<API::Attachment>> m_attachmentIdentifierToAttachmentMap;
+    using IdentifierToAttachmentMap = HashMap<String, Ref<API::Attachment>>;
+    IdentifierToAttachmentMap m_attachmentIdentifierToAttachmentMap;
 #endif
 
     const std::unique_ptr<WebPageInspectorController> m_inspectorController;
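Review bot: The new `IdentifierToAttachmentMap` alias exists so that IPC handlers can call its static `isValidKey`, but nothing at the declaration says so. A later handler that touches `m_attachmentIdentifierToAttachmentMap` can therefore miss the requirement. I would add a comment above the alias such as `// Keys are identifiers received over IPC; handlers must MESSAGE_CHECK IdentifierToAttachmentMap::isValidKey() before any lookup or insert.` Any other message handlers that reach this map are outside this diff and are worth auditing for the same check.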