Changeset 83362 in webkit

Timestamp:

Apr 8, 2011 5:04:50 PM (13 years ago)

Author:

andersca@apple.com

Message:

2011-04-08 Anders Carlsson <​andersca@apple.com>

Reviewed by Dan Bernstein.

Sandboxing doesn't work if a local file is dropped on the content area
​https://bugs.webkit.org/show_bug.cgi?id=58177
<rdar://problem/9019253>

When performing a drag and the dragging pasteboard contains a local file, create a
sandbox extension and pass it along. If we end up loading the file, the sandbox extension
tracker will consume the extension.

• UIProcess/API/mac/WKView.mm: (maybeCreateSandboxExtensionFromPasteboard): Add helper function.

(-[WKView performDragOperation:]):
Create a sandbox extension handle and pass it to performDrag.

• UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::dragEntered): (WebKit::WebPageProxy::dragUpdated): (WebKit::WebPageProxy::dragExited): Pass an empty sandbox extension handle to performDragControllerAction.

(WebKit::WebPageProxy::performDrag):
Pass the sandbox extension handle along to performDragControllerAction.

(WebKit::WebPageProxy::performDragControllerAction):
Send along the sandbox extension handle.

• WebProcess/WebCoreSupport/WebDragClient.cpp: (WebKit::WebDragClient::willPerformDragDestinationAction): If the destination action is a load action, call WebPage::willPerformLoadDragDestinationAction.

• WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::performDragControllerAction): Create a sandbox extension.

(WebKit::WebPage::willPerformLoadDragDestinationAction):
If we have a sandbox extension, pass it along to the sandbox extension tracker.

(WebKit::WebPage::SandboxExtensionTracker::willPerformLoadDragDestinationAction):
Call setPendingProvisionalSandboxExtension.

(WebKit::WebPage::SandboxExtensionTracker::beginLoad):
Call setPendingProvisionalSandboxExtension.

(WebKit::WebPage::SandboxExtensionTracker::setPendingProvisionalSandboxExtension):
Factor code from beginLoad out into a separate function.

• WebProcess/WebPage/WebPage.messages.in: PerformDragControllerAction now takes a sandbox extension handle.

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/API/mac/WKView.mm (modified) (2 diffs)
• UIProcess/WebPageProxy.cpp (modified) (2 diffs)
• UIProcess/WebPageProxy.h (modified) (2 diffs)
• WebProcess/WebCoreSupport/WebDragClient.cpp (modified) (2 diffs)
• WebProcess/WebPage/WebPage.cpp (modified) (5 diffs)
• WebProcess/WebPage/WebPage.h (modified) (3 diffs)
• WebProcess/WebPage/WebPage.messages.in (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-04-08  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Sandboxing doesn't work if a local file is dropped on the content area
+        https://bugs.webkit.org/show_bug.cgi?id=58177
+        <rdar://problem/9019253>
+
+        When performing a drag and the dragging pasteboard contains a local file, create a
+        sandbox extension and pass it along. If we end up loading the file, the sandbox extension
+        tracker will consume the extension.
+
+        * UIProcess/API/mac/WKView.mm:
+        (maybeCreateSandboxExtensionFromPasteboard):
+        Add helper function.
+
+        (-[WKView performDragOperation:]):
+        Create a sandbox extension handle and pass it to performDrag.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::dragEntered):
+        (WebKit::WebPageProxy::dragUpdated):
+        (WebKit::WebPageProxy::dragExited):
+        Pass an empty sandbox extension handle to performDragControllerAction.
+
+        (WebKit::WebPageProxy::performDrag):
+        Pass the sandbox extension handle along to performDragControllerAction.
+
+        (WebKit::WebPageProxy::performDragControllerAction):
+        Send along the sandbox extension handle.
+
+        * WebProcess/WebCoreSupport/WebDragClient.cpp:
+        (WebKit::WebDragClient::willPerformDragDestinationAction):
+        If the destination action is a load action, call WebPage::willPerformLoadDragDestinationAction.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::performDragControllerAction):
+        Create a sandbox extension.
+
+        (WebKit::WebPage::willPerformLoadDragDestinationAction):
+        If we have a sandbox extension, pass it along to the sandbox extension tracker.
+
+        (WebKit::WebPage::SandboxExtensionTracker::willPerformLoadDragDestinationAction):
+        Call setPendingProvisionalSandboxExtension.
+
+        (WebKit::WebPage::SandboxExtensionTracker::beginLoad):
+        Call setPendingProvisionalSandboxExtension.
+
+        (WebKit::WebPage::SandboxExtensionTracker::setPendingProvisionalSandboxExtension):
+        Factor code from beginLoad out into a separate function.
+
+        * WebProcess/WebPage/WebPage.messages.in:
+        PerformDragControllerAction now takes a sandbox extension handle.
+
 2011-04-08  Alice Liu  <alice.liu@apple.com>
 

trunk/Source/WebKit2/UIProcess/API/mac/WKView.mm

@@ -1464 +1464 @@
 }
 
+// FIXME: This code is more or less copied from Pasteboard::getBestURL.
+// It would be nice to be able to share the code somehow.
+static void maybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, SandboxExtension::Handle& sandboxExtensionHandle)
+{
+    NSArray *types = [pasteboard types];
+    if (![types containsObject:NSFilenamesPboardType])
+        return;
+
+    NSArray *files = [pasteboard propertyListForType:NSFilenamesPboardType];
+    if ([files count] != 1)
+        return;
+
+    NSString *file = [files objectAtIndex:0];
+    BOOL isDirectory;
+    if (![[NSFileManager defaultManager] fileExistsAtPath:file isDirectory:&isDirectory])
+        return;
+
+    if (isDirectory)
+        return;
+
+    SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle);
+}
+
 - (BOOL)performDragOperation:(id <NSDraggingInfo>)draggingInfo
 {
@@ -1469 +1492 @@
     IntPoint global(globalPoint([draggingInfo draggingLocation], [self window]));
     DragData dragData(draggingInfo, client, global, static_cast<DragOperation>([draggingInfo draggingSourceOperationMask]), [self applicationFlags:draggingInfo]);
-    _data->_page->performDrag(&dragData, [[draggingInfo draggingPasteboard] name]);
+
+    SandboxExtension::Handle sandboxExtensionHandle;
+    maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle);
+
+    _data->_page->performDrag(&dragData, [[draggingInfo draggingPasteboard] name], sandboxExtensionHandle);
+
     return YES;
 }

trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp

@@ -701 +701 @@
 void WebPageProxy::dragEntered(WebCore::DragData* dragData, const String& dragStorageName)
 {
-    performDragControllerAction(DragControllerActionEntered, dragData, dragStorageName);
+    SandboxExtension::Handle sandboxExtensionHandle;
+    performDragControllerAction(DragControllerActionEntered, dragData, dragStorageName, sandboxExtensionHandle);
 }
 
 void WebPageProxy::dragUpdated(WebCore::DragData* dragData, const String& dragStorageName)
 {
-    performDragControllerAction(DragControllerActionUpdated, dragData, dragStorageName);
+    SandboxExtension::Handle sandboxExtensionHandle;
+    performDragControllerAction(DragControllerActionUpdated, dragData, dragStorageName, sandboxExtensionHandle);
 }
 
 void WebPageProxy::dragExited(WebCore::DragData* dragData, const String& dragStorageName)
 {
-    performDragControllerAction(DragControllerActionExited, dragData, dragStorageName);
-}
-
-void WebPageProxy::performDrag(WebCore::DragData* dragData, const String& dragStorageName)
-{
-    performDragControllerAction(DragControllerActionPerformDrag, dragData, dragStorageName);
-}
-
-void WebPageProxy::performDragControllerAction(DragControllerAction action, WebCore::DragData* dragData, const String& dragStorageName)
+    SandboxExtension::Handle sandboxExtensionHandle;
+    performDragControllerAction(DragControllerActionExited, dragData, dragStorageName, sandboxExtensionHandle);
+}
+
+void WebPageProxy::performDrag(WebCore::DragData* dragData, const String& dragStorageName, const SandboxExtension::Handle& sandboxExtensionHandle)
+{
+    performDragControllerAction(DragControllerActionPerformDrag, dragData, dragStorageName, sandboxExtensionHandle);
+}
+
+void WebPageProxy::performDragControllerAction(DragControllerAction action, WebCore::DragData* dragData, const String& dragStorageName, const SandboxExtension::Handle& sandboxExtensionHandle)
 {
     if (!isValid())
@@ -728 +731 @@
         dragData->draggingSourceOperationMask(), dragData->dragDataMap(), dragData->flags()), m_pageID);
 #else
-    process()->send(Messages::WebPage::PerformDragControllerAction(action, dragData->clientPosition(), dragData->globalPosition(), dragData->draggingSourceOperationMask(), dragStorageName, dragData->flags()), m_pageID);
+    process()->send(Messages::WebPage::PerformDragControllerAction(action, dragData->clientPosition(), dragData->globalPosition(), dragData->draggingSourceOperationMask(), dragStorageName, dragData->flags(), sandboxExtensionHandle), m_pageID);
 #endif
 }

trunk/Source/WebKit2/UIProcess/WebPageProxy.h

@@ -385 +385 @@
     void dragUpdated(WebCore::DragData*, const String& dragStorageName = String());
     void dragExited(WebCore::DragData*, const String& dragStorageName = String());
-    void performDrag(WebCore::DragData*, const String& dragStorageName = String());
+    void performDrag(WebCore::DragData*, const String& dragStorageName, const SandboxExtension::Handle&);
 
     void didPerformDragControllerAction(uint64_t resultOperation);
@@ -697 +697 @@
     void clearLoadDependentCallbacks();
 
-    void performDragControllerAction(DragControllerAction, WebCore::DragData*, const String& dragStorageName);
+    void performDragControllerAction(DragControllerAction, WebCore::DragData*, const String& dragStorageName, const SandboxExtension::Handle&);
 
     PageClient* m_pageClient;

trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebDragClient.cpp

@@ -27 +27 @@
 #include "WebDragClient.h"
 
-#include <WebCore/NotImplemented.h>
+#include "WebPage.h"
 
 using namespace WebCore;
@@ -33 +33 @@
 namespace WebKit {
 
-void WebDragClient::willPerformDragDestinationAction(DragDestinationAction, DragData*)
+void WebDragClient::willPerformDragDestinationAction(DragDestinationAction action, DragData*)
 {
+    if (action == DragDestinationActionLoad)
+        m_page->willPerformLoadDragDestinationAction();
 }
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

@@ -1489 +1489 @@
 }
 #else
-void WebPage::performDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, const String& dragStorageName, uint32_t flags)
+void WebPage::performDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, const String& dragStorageName, uint32_t flags, const SandboxExtension::Handle& sandboxExtensionHandle)
 {
     if (!m_page) {
@@ -1510 +1510 @@
         break;
         
-    case DragControllerActionPerformDrag:
+    case DragControllerActionPerformDrag: {
+        ASSERT(!m_pendingDropSandboxExtension);
+
+        m_pendingDropSandboxExtension = SandboxExtension::create(sandboxExtensionHandle);
+
         m_page->dragController()->performDrag(&dragData);
+
+        // If we started loading a local file, the sandbox extension tracker would have adopted this
+        // pending drop sandbox extension. If not, we'll play it safe and invalidate it.
+        if (m_pendingDropSandboxExtension) {
+            m_pendingDropSandboxExtension->invalidate();
+            m_pendingDropSandboxExtension = nullptr;
+        }
+
         break;
-        
+    }
+
     default:
         ASSERT_NOT_REACHED();
@@ -1535 +1548 @@
 }
 
+void WebPage::willPerformLoadDragDestinationAction()
+{
+    m_sandboxExtensionTracker.willPerformLoadDragDestinationAction(m_pendingDropSandboxExtension.release());
+}
+
 WebEditCommand* WebPage::webEditCommand(uint64_t commandID)
 {
@@ -1862 +1880 @@
 }
 
+void WebPage::SandboxExtensionTracker::willPerformLoadDragDestinationAction(PassRefPtr<SandboxExtension> pendingDropSandboxExtension)
+{
+    setPendingProvisionalSandboxExtension(pendingDropSandboxExtension);
+}
+
 void WebPage::SandboxExtensionTracker::beginLoad(WebFrame* frame, const SandboxExtension::Handle& handle)
 {
     ASSERT(frame->isMainFrame());
 
+    setPendingProvisionalSandboxExtension(SandboxExtension::create(handle));
+}
+
+void WebPage::SandboxExtensionTracker::setPendingProvisionalSandboxExtension(PassRefPtr<SandboxExtension> pendingProvisionalSandboxExtension)
+{
     // If we get two beginLoad calls in succession, without a provisional load starting, then
     // m_pendingProvisionalSandboxExtension will be non-null. Invalidate and null out the extension if that is the case.
@@ -1872 +1900 @@
         m_pendingProvisionalSandboxExtension = nullptr;
     }
-        
-    m_pendingProvisionalSandboxExtension = SandboxExtension::create(handle);
+    
+    m_pendingProvisionalSandboxExtension = pendingProvisionalSandboxExtension;    
 }
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h

@@ -291 +291 @@
 
         void beginLoad(WebFrame*, const SandboxExtension::Handle& handle);
+        void willPerformLoadDragDestinationAction(PassRefPtr<SandboxExtension> pendingDropSandboxExtension);
         void didStartProvisionalLoad(WebFrame*);
         void didCommitProvisionalLoad(WebFrame*);
         void didFailProvisionalLoad(WebFrame*);
+
     private:
+        void setPendingProvisionalSandboxExtension(PassRefPtr<SandboxExtension>);
+
         RefPtr<SandboxExtension> m_pendingProvisionalSandboxExtension;
         RefPtr<SandboxExtension> m_provisionalSandboxExtension;
@@ -349 +353 @@
     void performDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, const WebCore::DragDataMap&, uint32_t flags);
 #else
-    void performDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, const WTF::String& dragStorageName, uint32_t flags);
+    void performDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, const WTF::String& dragStorageName, uint32_t flags, const SandboxExtension::Handle&);
 #endif
     void dragEnded(WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t operation);
+
+    void willPerformLoadDragDestinationAction();
 
     void beginPrinting(uint64_t frameID, const PrintInfo&);
@@ -615 +621 @@
     uint64_t m_pageID;
 
+    RefPtr<SandboxExtension> m_pendingDropSandboxExtension;
+
     bool m_canRunBeforeUnloadConfirmPanel;
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.messages.in

@@ -121 +121 @@
 #endif
 #if !PLATFORM(WIN)
-    PerformDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, WTF::String dragStorageName, uint32_t flags)
+    PerformDragControllerAction(uint64_t action, WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t draggingSourceOperationMask, WTF::String dragStorageName, uint32_t flags, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
 #endif
     DragEnded(WebCore::IntPoint clientPosition, WebCore::IntPoint globalPosition, uint64_t operation)