Changeset 260820 in webkit


Timestamp:
Apr 28, 2020 6:09:22 AM (4 years ago)
Author:
pvollan@apple.com
Message:

[iOS] Fix sandbox violation when uploading a file
https://bugs.webkit.org/show_bug.cgi?id=210937

Reviewed by Darin Adler.

Source/WebKit:

On iOS, the file chooser needs access to frontboard and icon services in the WebContent process. Create and
consume extensions for these services when choosing files. When done, the extensions should be revoked. This
patch also fixes an out-of-bounds array exception when running the test created for this patch. Additionally,
the function thumbnailSizedImageForImage should return a RetainPtr<UIImage>, since it seems unsafe to not
retain the UIImage after the image context is released in that function.

Test: fast/forms/file/open-file-panel-crash.html

  • Shared/ios/WebIconUtilities.h:
  • Shared/ios/WebIconUtilities.mm:

(WebKit::thumbnailSizedImageForImage):
(WebKit::fallbackIconForFile):
(WebKit::iconForImageFile):
(WebKit::iconForVideoFile):
(WebKit::iconForFile):

  • UIProcess/WebPageProxy.cpp:
  • UIProcess/ios/forms/WKFileUploadPanel.mm:

(-[_WKFileUploadItem displayImage]):
(-[_WKImageFileUploadItem displayImage]):
(-[_WKVideoFileUploadItem displayImage]):
(-[WKFileUploadPanel documentPicker:didPickDocumentsAtURLs:]):
(-[WKFileUploadPanel imagePickerController:didFinishPickingMediaWithInfo:]):
(-[WKFileUploadPanel imagePickerController:didFinishPickingMultipleMediaWithInfo:]):

  • WebProcess/WebCoreSupport/ios/WebChromeClientIOS.mm:

(WebKit::WebChromeClient::createIconForFiles):

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::didChooseFilesForOpenPanelWithDisplayStringAndIcon):

  • WebProcess/WebPage/WebPage.h:
  • WebProcess/WebPage/WebPage.messages.in:

LayoutTests:

  • fast/forms/file/open-file-panel-crash-expected.txt: Added.
  • fast/forms/file/open-file-panel-crash.html: Added.
  • platform/win/TestExpectations:
Location:
trunk
Files:
2 added
11 edited

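--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,13 @@
+2020-04-28  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Fix sandbox violation when uploading a file
+        https://bugs.webkit.org/show_bug.cgi?id=210937
+
+        Reviewed by Darin Adler.
+
+        * fast/forms/file/open-file-panel-crash-expected.txt: Added.
+        * fast/forms/file/open-file-panel-crash.html: Added.
+        * platform/win/TestExpectations:
+
 2020-04-28  Youenn Fablet  <youenn@apple.com>
 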
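--- a/trunk/LayoutTests/platform/win/TestExpectations
+++ b/trunk/LayoutTests/platform/win/TestExpectations
@@ -4490,2 +4490,3 @@
 fast/text/combining-character-sequence-vertical.html [ Failure ]
 
+fast/forms/file/open-file-panel-crash.html [ Skip ]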
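--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,39 @@
+2020-04-28  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Fix sandbox violation when uploading a file
+        https://bugs.webkit.org/show_bug.cgi?id=210937
+
+        Reviewed by Darin Adler.
+
+        On iOS, the file chooser needs access to frontboard and icon services in the WebContent process. Create and
+        consume extensions for these services when choosing files. When done, the extensions should be revoked. This
+        patch also fixes an out-of-bounds array exception when running the test created for this patch. Additionally,
+        the function thumbnailSizedImageForImage should return a RetainPtr<UIImage>, since it seems unsafe to not
+        retain the UIImage after the image context is released in that function.
+
+        Test: fast/forms/file/open-file-panel-crash.html
+
+        * Shared/ios/WebIconUtilities.h:
+        * Shared/ios/WebIconUtilities.mm:
+        (WebKit::thumbnailSizedImageForImage):
+        (WebKit::fallbackIconForFile):
+        (WebKit::iconForImageFile):
+        (WebKit::iconForVideoFile):
+        (WebKit::iconForFile):
+        * UIProcess/WebPageProxy.cpp:
+        * UIProcess/ios/forms/WKFileUploadPanel.mm:
+        (-[_WKFileUploadItem displayImage]):
+        (-[_WKImageFileUploadItem displayImage]):
+        (-[_WKVideoFileUploadItem displayImage]):
+        (-[WKFileUploadPanel documentPicker:didPickDocumentsAtURLs:]):
+        (-[WKFileUploadPanel imagePickerController:didFinishPickingMediaWithInfo:]):
+        (-[WKFileUploadPanel imagePickerController:didFinishPickingMultipleMediaWithInfo:]):
+        * WebProcess/WebCoreSupport/ios/WebChromeClientIOS.mm:
+        (WebKit::WebChromeClient::createIconForFiles):
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::didChooseFilesForOpenPanelWithDisplayStringAndIcon):
+        * WebProcess/WebPage/WebPage.h:
+        * WebProcess/WebPage/WebPage.messages.in:
+
 2020-04-27  Carlos Garcia Campos  <cgarcia@igalia.com>
 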
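--- a/trunk/Source/WebKit/Shared/ios/WebIconUtilities.h
+++ b/trunk/Source/WebKit/Shared/ios/WebIconUtilities.h
@@ -32,8 +32,8 @@
 namespace WebKit {
 
-UIImage *fallbackIconForFile(NSURL *file);
-UIImage *iconForImageFile(NSURL *file);
-UIImage *iconForVideoFile(NSURL *file);
-UIImage *iconForFile(NSURL *file);
+RetainPtr<UIImage> fallbackIconForFile(NSURL *file);
+RetainPtr<UIImage> iconForImageFile(NSURL *file);
+RetainPtr<UIImage> iconForVideoFile(NSURL *file);
+RetainPtr<UIImage> iconForFile(NSURL *file);
 
 }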
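--- a/trunk/Source/WebKit/Shared/ios/WebIconUtilities.mm
+++ b/trunk/Source/WebKit/Shared/ios/WebIconUtilities.mm
@@ -72,5 +72,5 @@
 }
 
-static UIImage *thumbnailSizedImageForImage(CGImageRef image)
+static RetainPtr<UIImage> thumbnailSizedImageForImage(CGImageRef image)
 {
     UIImage *squaredImage = squareImage(image);
@@ -82,18 +82,20 @@
     CGContextSetInterpolationQuality(UIGraphicsGetCurrentContext(), kCGInterpolationHigh);
     [squaredImage drawInRect:destRect];
-    UIImage *resultImage = UIGraphicsGetImageFromCurrentImageContext();
+    RetainPtr<UIImage> resultImage = UIGraphicsGetImageFromCurrentImageContext();
     UIGraphicsEndImageContext();
     return resultImage;
 }
 
-UIImage* fallbackIconForFile(NSURL *file)
+RetainPtr<UIImage> fallbackIconForFile(NSURL *file)
 {
     ASSERT_ARG(file, [file isFileURL]);
 
     UIDocumentInteractionController *interactionController = [UIDocumentInteractionController interactionControllerWithURL:file];
+    if (![interactionController.icons count])
+        return nil;
     return thumbnailSizedImageForImage(interactionController.icons[0].CGImage);
 }
 
-UIImage* iconForImageFile(NSURL *file)
+RetainPtr<UIImage> iconForImageFile(NSURL *file)
 {
     ASSERT_ARG(file, [file isFileURL]);
@@ -114,5 +116,5 @@
 }
 
-UIImage* iconForVideoFile(NSURL *file)
+RetainPtr<UIImage> iconForVideoFile(NSURL *file)
 {
     ASSERT_ARG(file, [file isFileURL]);
@@ -132,5 +134,5 @@
 }
 
-UIImage* iconForFile(NSURL *file)
+RetainPtr<UIImage> iconForFile(NSURL *file)
 {
     ASSERT_ARG(file, [file isFileURL]);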
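Review bot: The new `return nil;` in fallbackIconForFile (new lines 94-95) makes a null result an expected outcome, but neither this file nor WebIconUtilities.h documents it, and call sites touched by this commit use the result without a check: `iconForFile(...).get().CGImage` in WebChromeClientIOS.mm and `iconImage:iconForFile(urls[0]).get()` in WKFileUploadPanel.mm. Messaging nil gives a null CGImageRef, so it should be confirmed that Icon::createIconForImage and _chooseFiles:displayString:iconImage: accept a null image; neither is visible on this page. I would add a comment above the four declarations in the header along the lines of `// May return nil when no icon can be produced for the file; callers must handle a null image.` Note also that `ASSERT_ARG(file, [file isFileURL])` is a debug-only check, so release builds rely on every caller passing a file URL.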
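--- a/trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
+++ b/trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
@@ -6641,5 +6641,9 @@
 #endif
 
-    send(Messages::WebPage::DidChooseFilesForOpenPanelWithDisplayStringAndIcon(fileURLs, displayString, iconData ? iconData->dataReference() : IPC::DataReference()));
+    SandboxExtension::Handle frontboardServicesSandboxExtension, iconServicesSandboxExtension;
+    SandboxExtension::createHandleForMachLookup("com.apple.frontboard.systemappservices", WTF::nullopt, frontboardServicesSandboxExtension);
+    SandboxExtension::createHandleForMachLookup("com.apple.iconservices", WTF::nullopt, iconServicesSandboxExtension);
+
+    send(Messages::WebPage::DidChooseFilesForOpenPanelWithDisplayStringAndIcon(fileURLs, displayString, iconData ? iconData->dataReference() : IPC::DataReference(), frontboardServicesSandboxExtension, iconServicesSandboxExtension));
 
     m_openPanelResultListener->invalidate();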
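Review bot: No success check follows either `SandboxExtension::createHandleForMachLookup(...)` call on new lines 6644-6645, so a handle that could not be created is still sent, and the failure only surfaces in the WebContent process, where the receiver release-asserts on `sandbox_check`. Both calls pass `WTF::nullopt` in the audit-token position, which presumably leaves the extensions unbound to the receiving process; if the WebContent process's audit token is available here, passing it would narrow who can consume the handles. The handles are also issued on every completion of the open panel, including when `iconData` is already populated; if the WebContent process needs these services only to build an icon itself, the grant could be limited to that case. The enclosing function starts and ends outside the hunk, so the surrounding platform guards are not visible.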
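--- a/trunk/Source/WebKit/UIProcess/ios/forms/WKFileUploadPanel.mm
+++ b/trunk/Source/WebKit/UIProcess/ios/forms/WKFileUploadPanel.mm
@@ -75,5 +75,5 @@
 @property (nonatomic, readonly, getter=isVideo) BOOL video;
 @property (nonatomic, readonly) NSURL *fileURL;
-@property (nonatomic, readonly) UIImage *displayImage;
+@property (nonatomic, readonly) RetainPtr<UIImage> displayImage;
 @end
 
@@ -104,5 +104,5 @@
 }
 
-- (UIImage *)displayImage
+- (RetainPtr<UIImage>)displayImage
 {
     ASSERT_NOT_REACHED();
@@ -123,5 +123,5 @@
 }
 
-- (UIImage *)displayImage
+- (RetainPtr<UIImage>)displayImage
 {
     return iconForImageFile(self.fileURL);
@@ -141,5 +141,5 @@
 }
 
-- (UIImage *)displayImage
+- (RetainPtr<UIImage>)displayImage
 {
     return iconForVideoFile(self.fileURL);
@@ -630,5 +630,5 @@
     ASSERT(urls.count);
     [self _dismissDisplayAnimated:YES];
-    [self _chooseFiles:urls displayString:displayStringForDocumentsAtURLs(urls) iconImage:iconForFile(urls[0])];
+    [self _chooseFiles:urls displayString:displayStringForDocumentsAtURLs(urls) iconImage:iconForFile(urls[0]).get()];
 }
 
@@ -668,5 +668,5 @@
             _WKFileUploadItem *result = [processedResults objectAtIndex:0];
             dispatch_async(dispatch_get_main_queue(), ^{
-                [self _chooseFiles:@[result.fileURL] displayString:displayString iconImage:result.displayImage];
+                [self _chooseFiles:@[result.fileURL] displayString:displayString iconImage:result.displayImage.get()];
             });
         }
@@ -685,5 +685,5 @@
     [self _processMediaInfoDictionaries:infos
         successBlock:^(NSArray *processedResults, NSString *displayString) {
-            UIImage *iconImage = nil;
+            RetainPtr<UIImage> iconImage = nil;
             NSMutableArray *fileURLs = [NSMutableArray array];
             for (_WKFileUploadItem *result in processedResults) {
@@ -697,5 +697,5 @@
 
             dispatch_async(dispatch_get_main_queue(), ^{
-                [self _chooseFiles:fileURLs displayString:displayString iconImage:iconImage];
+                [self _chooseFiles:fileURLs displayString:displayString iconImage:iconImage.get()];
             });
         }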
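Review bot: The changed line 632 still indexes `urls[0]` behind `ASSERT(urls.count)`, which is compiled out of release builds, so an empty array from the document picker would raise a range exception there. This is the same class of problem the commit fixes for `icons[0]` in fallbackIconForFile; an explicit runtime check before the call (for example treating an empty `urls` like a cancel) would close it, though the method's cancel handling is outside the hunk and the exact form should follow it. `[processedResults objectAtIndex:0]` on line 668 has the same shape, and whether an emptiness check precedes it is not visible. On the style side, `@property (nonatomic, readonly) RetainPtr<UIImage> displayImage;` exposes a C++ smart pointer through an Objective-C property, and a one-line comment giving the lifetime reason from the commit message would help the next reader.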
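--- a/trunk/Source/WebKit/WebProcess/WebCoreSupport/ios/WebChromeClientIOS.mm
+++ b/trunk/Source/WebKit/WebProcess/WebCoreSupport/ios/WebChromeClientIOS.mm
@@ -152,5 +152,5 @@
     // FIXME: We should generate an icon showing multiple files here, if applicable. Currently, if there are multiple
     // files, we only use the first URL to generate an icon.
-    return Icon::createIconForImage(iconForFile([NSURL fileURLWithPath:filenames[0] isDirectory:NO]).CGImage);
+    return Icon::createIconForImage(iconForFile([NSURL fileURLWithPath:filenames[0] isDirectory:NO]).get().CGImage);
 }
 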
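--- a/trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp
+++ b/trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp
@@ -272,4 +272,5 @@
 #include <WebCore/UTIRegistry.h>
 #include <wtf/MachSendRight.h>
+#include <wtf/spi/darwin/SandboxSPI.h>
 #endif
 
@@ -4216,8 +4217,23 @@
 
 #if PLATFORM(IOS_FAMILY)
-void WebPage::didChooseFilesForOpenPanelWithDisplayStringAndIcon(const Vector<String>& files, const String& displayString, const IPC::DataReference& iconData)
+void WebPage::didChooseFilesForOpenPanelWithDisplayStringAndIcon(const Vector<String>& files, const String& displayString, const IPC::DataReference& iconData, SandboxExtension::Handle&& frontboardServicesSandboxExtensionHandle, SandboxExtension::Handle&& iconServicesSandboxExtensionHandle)
 {
     if (!m_activeOpenPanelResultListener)
         return;
+
+    auto frontboardServicesSandboxExtension = SandboxExtension::create(WTFMove(frontboardServicesSandboxExtensionHandle));
+    if (frontboardServicesSandboxExtension) {
+        bool consumed = frontboardServicesSandboxExtension->consume();
+        ASSERT_UNUSED(consumed, consumed);
+    }
+
+    auto iconServicesSandboxExtension = SandboxExtension::create(WTFMove(iconServicesSandboxExtensionHandle));
+    if (iconServicesSandboxExtension) {
+        bool consumed = iconServicesSandboxExtension->consume();
+        ASSERT_UNUSED(consumed, consumed);
+    }
+
+    RELEASE_ASSERT(!sandbox_check(getpid(), "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_GLOBAL_NAME | SANDBOX_CHECK_NO_REPORT), "com.apple.frontboard.systemappservices"));
+    RELEASE_ASSERT(!sandbox_check(getpid(), "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_GLOBAL_NAME | SANDBOX_CHECK_NO_REPORT), "com.apple.frontboard.iconservices"));
 
     RefPtr<Icon> icon;
@@ -4231,4 +4247,15 @@
     m_activeOpenPanelResultListener->didChooseFilesWithDisplayStringAndIcon(files, displayString, icon.get());
     m_activeOpenPanelResultListener = nullptr;
+
+    if (frontboardServicesSandboxExtension) {
+        bool revoked = frontboardServicesSandboxExtension->revoke();
+        ASSERT_UNUSED(revoked, revoked);
+    }
+
+    if (iconServicesSandboxExtension) {
+        bool revoked = iconServicesSandboxExtension->revoke();
+        ASSERT_UNUSED(revoked, revoked);
+    }
+
 }
 #endif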
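Review bot: The second `RELEASE_ASSERT` on new line 4237 checks `"com.apple.frontboard.iconservices"`, but the extension created in WebPageProxy.cpp and consumed just above is for `"com.apple.iconservices"`, so the assertion tests a service name this patch never grants; the string should be `"com.apple.iconservices"`. Because both assertions are release assertions on state that arrives over IPC, a handle that failed to create in the UI process (the `if` guards skip `consume()` when `SandboxExtension::create` yields null) ends in a WebContent process crash instead of a missing icon. The `consume()` and `revoke()` results are checked only with `ASSERT_UNUSED`, so in release builds a failed revoke passes silently and the mach-lookup access would stay open; for least privilege, `revoked` is the result most worth checking or logging outside debug builds. The revokes sit at the end of the function and the lines between new lines 4239 and 4247 are not shown, so any early return there would skip them; a scope-exit guard declared right after the consume would make revocation unconditional.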
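--- a/trunk/Source/WebKit/WebProcess/WebPage/WebPage.h
+++ b/trunk/Source/WebKit/WebProcess/WebPage/WebPage.h
@@ -1585,5 +1585,5 @@
 
 #if PLATFORM(IOS_FAMILY)
-    void didChooseFilesForOpenPanelWithDisplayStringAndIcon(const Vector<String>&, const String& displayString, const IPC::DataReference& iconData);
+    void didChooseFilesForOpenPanelWithDisplayStringAndIcon(const Vector<String>&, const String& displayString, const IPC::DataReference& iconData, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&);
     bool isTransparentOrFullyClipped(const WebCore::Element&) const;
 #endif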
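--- a/trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in
+++ b/trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in
@@ -339,5 +339,5 @@
     # Open panel.
 #if PLATFORM(IOS_FAMILY)
-    DidChooseFilesForOpenPanelWithDisplayStringAndIcon(Vector<String> fileURLs, String displayString, IPC::DataReference iconData)
+    DidChooseFilesForOpenPanelWithDisplayStringAndIcon(Vector<String> fileURLs, String displayString, IPC::DataReference iconData, WebKit::SandboxExtension::Handle frontboardServicesSandboxExtension, WebKit::SandboxExtension::Handle iconServicesSandboxExtension)
 #endif
     DidChooseFilesForOpenPanel(Vector<String> fileURLs)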