IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages
https://bugs.webkit.org/show_bug.cgi?id=206378
<rdar://problem/58622919>
Reviewed by Geoffrey Garen.
IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages.
Make sure the UUID passed over IPC is a valid HashMap key.
* UIProcess/WebPageProxy.h:
* UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication):
(WebKit::WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 5c4553f..4393f94 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,5 +1,21 @@
2020-01-16 Chris Dumez <cdumez@apple.com>
+ IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages
+ https://bugs.webkit.org/show_bug.cgi?id=206378
+ <rdar://problem/58622919>
+
+ Reviewed by Geoffrey Garen.
+
+ IPC hardening for WebPageProxy::savePDFToTemporaryFolder* / WebPageProxy::openPDFFromTemporaryFolder* messages.
+ Make sure the UUID passed over IPC is a valid HashMap key.
+
+ * UIProcess/WebPageProxy.h:
+ * UIProcess/mac/WebPageProxyMac.mm:
+ (WebKit::WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication):
+ (WebKit::WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication):
+
+2020-01-16 Chris Dumez <cdumez@apple.com>
+
IPC hardening for WebPageProxy::RegisterAttachmentIdentifier*
https://bugs.webkit.org/show_bug.cgi?id=206376
<rdar://problem/58622645>
diff --git a/Source/WebKit/UIProcess/WebPageProxy.h b/Source/WebKit/UIProcess/WebPageProxy.h
index 96bf246..6c49ecd 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.h
+++ b/Source/WebKit/UIProcess/WebPageProxy.h
@@ -2561,7 +2561,8 @@
bool m_shouldSuppressNextAutomaticNavigationSnapshot { false };
#if PLATFORM(COCOA)
- HashMap<String, String> m_temporaryPDFFiles;
+ using TemporaryPDFFileMap = HashMap<String, String>;
+ TemporaryPDFFileMap m_temporaryPDFFiles;
std::unique_ptr<WebCore::RunLoopObserver> m_activityStateChangeDispatcher;
std::unique_ptr<RemoteLayerTreeScrollingPerformanceData> m_scrollingPerformanceData;
diff --git a/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm b/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
index a7679b0..82e005d 100644
--- a/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
+++ b/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
@@ -495,6 +495,8 @@
void WebPageProxy::savePDFToTemporaryFolderAndOpenWithNativeApplication(const String& suggestedFilename, const String& originatingURLString, const IPC::DataReference& data, const String& pdfUUID)
{
+ MESSAGE_CHECK(TemporaryPDFFileMap::isValidKey(pdfUUID));
+
// FIXME: Write originatingURLString to the file's originating URL metadata (perhaps FileSystem::setMetadataURL()?).
UNUSED_PARAM(originatingURLString);
@@ -532,6 +534,8 @@
void WebPageProxy::openPDFFromTemporaryFolderWithNativeApplication(const String& pdfUUID)
{
+ MESSAGE_CHECK(TemporaryPDFFileMap::isValidKey(pdfUUID));
+
String pdfFilename = m_temporaryPDFFiles.get(pdfUUID);
if (!pdfFilename.endsWithIgnoringASCIICase(".pdf"))
