IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
https://bugs.webkit.org/show_bug.cgi?id=206376
<rdar://problem/58622645>
Reviewed by David Kilzer.
IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*: validate the identifiers sent over
IPC to make sure they are valid keys in our HashMap.
* UIProcess/WebPageProxy.cpp:
* UIProcess/WebPageProxy.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254718 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 6ba20c4..5c4553f 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,17 @@
+2020-01-16 Chris Dumez <cdumez@apple.com>
+
+ IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
+ https://bugs.webkit.org/show_bug.cgi?id=206376
+ <rdar://problem/58622645>
+
+ Reviewed by David Kilzer.
+
+ IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*, validate identifiers sent over
+ IPC to make sure they are valid keys in our HashMap.
+
+ * UIProcess/WebPageProxy.cpp:
+ * UIProcess/WebPageProxy.h:
+
2020-01-16 Don Olmstead <don.olmstead@sony.com>
[PlayStation] Enable WebKit
diff --git a/Source/WebKit/UIProcess/WebPageProxy.cpp b/Source/WebKit/UIProcess/WebPageProxy.cpp
index a5114e8..a22f212 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.cpp
+++ b/Source/WebKit/UIProcess/WebPageProxy.cpp
@@ -9172,6 +9172,8 @@
void WebPageProxy::registerAttachmentIdentifierFromData(const String& identifier, const String& contentType, const String& preferredFileName, const IPC::DataReference& data)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (attachmentForIdentifier(identifier))
return;
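Review bot: The new `MESSAGE_CHECK` in `registerAttachmentIdentifierFromData` gives no hint of what makes an identifier an invalid key, so a reader has to know the `HashMap` hash-traits contract to see why a string supplied by the web process is rejected; the same applies to the identical checks in `registerAttachmentIdentifierFromFilePath`, `registerAttachmentIdentifier`, and both checks in `cloneAttachmentData`. A one-line comment above the first check would carry that, e.g. `// The identifier is untrusted (sent by the web process); reject values the HashMap cannot hold as a key (its hash traits' empty/deleted sentinels) before they reach attachmentForIdentifier() or set().`. The check is correctly placed ahead of the first map access, and since `MESSAGE_CHECK` is presumably the terminate-the-sender variant rather than an early return, it is worth confirming that a single malformed message being fatal to the sending process is the intended outcome here. Only these handlers are covered; any other handler that indexes `m_attachmentIdentifierToAttachmentMap` with a web-process-supplied identifier is outside this diff and would need the same guard. The body of `registerAttachmentIdentifierFromData` continues past the hunk.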
@@ -9184,6 +9186,8 @@
void WebPageProxy::registerAttachmentIdentifierFromFilePath(const String& identifier, const String& contentType, const String& filePath)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (attachmentForIdentifier(identifier))
return;
@@ -9197,6 +9201,8 @@
void WebPageProxy::registerAttachmentIdentifier(const String& identifier)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(identifier));
+
if (!attachmentForIdentifier(identifier))
m_attachmentIdentifierToAttachmentMap.set(identifier, ensureAttachment(identifier));
}
@@ -9212,6 +9218,9 @@
void WebPageProxy::cloneAttachmentData(const String& fromIdentifier, const String& toIdentifier)
{
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(fromIdentifier));
+ MESSAGE_CHECK(m_process, IdentifierToAttachmentMap::isValidKey(toIdentifier));
+
auto newAttachment = ensureAttachment(toIdentifier);
auto existingAttachment = attachmentForIdentifier(fromIdentifier);
if (!existingAttachment) {
diff --git a/Source/WebKit/UIProcess/WebPageProxy.h b/Source/WebKit/UIProcess/WebPageProxy.h
index d8e4287..96bf246 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.h
+++ b/Source/WebKit/UIProcess/WebPageProxy.h
@@ -2631,7 +2631,8 @@
HashMap<uint64_t, Ref<WebURLSchemeHandler>> m_urlSchemeHandlersByIdentifier;
#if ENABLE(ATTACHMENT_ELEMENT)
- HashMap<String, Ref<API::Attachment>> m_attachmentIdentifierToAttachmentMap;
+ using IdentifierToAttachmentMap = HashMap<String, Ref<API::Attachment>>;
+ IdentifierToAttachmentMap m_attachmentIdentifierToAttachmentMap;
#endif
const std::unique_ptr<WebPageInspectorController> m_inspectorController;