Changeset 95747 in webkit

Timestamp:

Sep 22, 2011 12:41:00 PM (13 years ago)

Author:

ap@apple.com

Message:

[WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it
​https://bugs.webkit.org/show_bug.cgi?id=68573

Reviewed by Anders Carlsson.

Re-landing with a slightly less aggressive check.

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/API/mac/WKView.mm (modified) (2 diffs)
• UIProcess/WebContext.cpp (modified) (5 diffs)
• UIProcess/WebPageProxy.cpp (modified) (20 diffs)
• UIProcess/WebPageProxy.h (modified) (1 diff)
• UIProcess/WebProcessProxy.cpp (modified) (3 diffs)
• UIProcess/WebProcessProxy.h (modified) (2 diffs)
• UIProcess/cf/WebPageProxyCF.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-09-22  Alexey Proskuryakov  <ap@apple.com>
+
+        [WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it
+        https://bugs.webkit.org/show_bug.cgi?id=68573
+
+        Reviewed by Anders Carlsson.
+
+        Re-landing with a slightly less aggressive check.
+
+        * UIProcess/API/mac/WKView.mm:
+        (maybeCreateSandboxExtensionFromPasteboard): Return a boolean, telling the caller whether
+        an extension actually needed to be created
+        (-[WKView performDragOperation:]): Tell process proxy when the process is going to get
+        universal file read sandbox extension.
+
+        * UIProcess/WebContext.cpp:
+        (WebKit::WebContext::didPerformClientRedirect): Check the URLs.
+        (WebKit::WebContext::didPerformServerRedirect): Ditto.
+        (WebKit::WebContext::didUpdateHistoryTitle): Ditto.
+        (WebKit::WebContext::getPluginPath): Ditto. Also, properly parse the URL - we can never
+        assume that a string coming from WebProcess is a ParsedURLString.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::reattachToWebProcessWithItem): Tell process proxy when the process
+        is going to get universal file read sandbox extension.
+        (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Changed to return a boolean,
+        telling the caller whether an extension actually needed to be created.
+        (WebKit::WebPageProxy::loadURL): Tell process proxy about extension.
+        (WebKit::WebPageProxy::loadURLRequest): Ditto.
+        (WebKit::WebPageProxy::loadHTMLString): Tell process proxy if a file URL was used as a base
+        one for a string. In this case, WebKit2 assumes that WebProcess has access to a subdirectory,
+        (typically, one where error page resources live), and can load from it.
+        (WebKit::WebPageProxy::loadAlternateHTMLString): Ditto.
+        (WebKit::WebPageProxy::goForward): Tell process proxy about extension.
+        (WebKit::WebPageProxy::goBack): Tell process proxy about extension.
+        (WebKit::WebPageProxy::goToBackForwardItem): Tell process proxy about extension.
+        (WebKit::WebPageProxy::didStartProvisionalLoadForFrame): Check the URL.
+        (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame): Ditto.
+        (WebKit::WebPageProxy::didSameDocumentNavigationForFrame): Ditto.
+        (WebKit::WebPageProxy::decidePolicyForNavigationAction): Ditto.
+        (WebKit::WebPageProxy::decidePolicyForNewWindowAction): Ditto.
+        (WebKit::WebPageProxy::decidePolicyForResponse): Ditto.
+        (WebKit::WebPageProxy::didInitiateLoadForResource): Ditto.
+        (WebKit::WebPageProxy::didSendRequestForResource): Ditto.
+        (WebKit::WebPageProxy::didReceiveResponseForResource): Ditto.
+        (WebKit::WebPageProxy::missingPluginButtonClicked): Ditto.
+
+        * UIProcess/WebPageProxy.h: Changed initializeSandboxExtensionHandle() to return a bool,
+        and renamed to maybeInitializeSandboxExtensionHandle (matching WKView counterpart).
+
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::WebProcessProxy): Initialize m_mayHaveUniversalFileReadSandboxExtension.
+        It's going to be true if we ever granted an extension for "/".
+        (WebKit::WebProcessProxy::willLoadHTMLStringWithBaseURL): Remember the path, we should expect
+        that WebProcess will load subresources from it.
+        (WebKit::WebProcessProxy::checkURLReceivedFromWebProcess): Check that it's reasonable to expect
+        WebProcess send us a URL like this.
+        (WebKit::WebProcessProxy::addBackForwardItem): Check the URLs.
+
+        * UIProcess/WebProcessProxy.h: Added data members remembering what to expect from this process.
+
+        * UIProcess/cf/WebPageProxyCF.cpp: (WebKit::WebPageProxy::restoreFromSessionStateData):
+        Tell process proxy when the process is going to get universal file read sandbox extension.
+
 2011-09-22  Alpha Lam  <hclam@chromium.org>
 

trunk/Source/WebKit2/UIProcess/API/mac/WKView.mm

@@ -1661 +1661 @@
 // FIXME: This code is more or less copied from Pasteboard::getBestURL.
 // It would be nice to be able to share the code somehow.
-static void maybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, SandboxExtension::Handle& sandboxExtensionHandle)
+static bool maybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, SandboxExtension::Handle& sandboxExtensionHandle)
 {
     NSArray *types = [pasteboard types];
     if (![types containsObject:NSFilenamesPboardType])
-        return;
+        return false;
 
     NSArray *files = [pasteboard propertyListForType:NSFilenamesPboardType];
     if ([files count] != 1)
-        return;
+        return false;
 
     NSString *file = [files objectAtIndex:0];
     BOOL isDirectory;
     if (![[NSFileManager defaultManager] fileExistsAtPath:file isDirectory:&isDirectory])
-        return;
+        return false;
 
     if (isDirectory)
-        return;
+        return false;
 
     SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle);
+    return true;
 }
 
@@ -1689 +1690 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle);
+    bool createdExtension = maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle);
+    if (createdExtension)
+        _data->_page->process()->willAcquireUniversalFileReadSandboxExtension();
 
     _data->_page->performDrag(&dragData, [[draggingInfo draggingPasteboard] name], sandboxExtensionHandle);

trunk/Source/WebKit2/UIProcess/WebContext.cpp

@@ -66 +66 @@
 #endif
 
-#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection())
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection())
+#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection())
 
 using namespace WebCore;
@@ -440 +441 @@
     MESSAGE_CHECK(frame);
     MESSAGE_CHECK(frame->page() == page);
-    
+    MESSAGE_CHECK_URL(sourceURLString);
+    MESSAGE_CHECK_URL(destinationURLString);
+
     m_historyClient.didPerformClientRedirect(this, page, sourceURLString, destinationURLString, frame);
 }
@@ -456 +459 @@
     MESSAGE_CHECK(frame);
     MESSAGE_CHECK(frame->page() == page);
-    
+    MESSAGE_CHECK_URL(sourceURLString);
+    MESSAGE_CHECK_URL(destinationURLString);
+
     m_historyClient.didPerformServerRedirect(this, page, sourceURLString, destinationURLString, frame);
 }
@@ -469 +474 @@
     MESSAGE_CHECK(frame);
     MESSAGE_CHECK(frame->page() == page);
+    MESSAGE_CHECK_URL(url);
 
     m_historyClient.didUpdateHistoryTitle(this, page, title, url, frame);
@@ -554 +560 @@
 void WebContext::getPluginPath(const String& mimeType, const String& urlString, String& pluginPath)
 {
+    MESSAGE_CHECK_URL(urlString);
+
     String newMimeType = mimeType.lower();
 
-    PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL(ParsedURLString, urlString));
+    PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL(KURL(), urlString));
     if (!plugin.path)
         return;

trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp

@@ -91 +91 @@
 #define MERGE_WHEEL_EVENTS 1
 
-#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection())
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection())
+#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection())
 
 using namespace WebCore;
@@ -297 +298 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -397 +400 @@
 }
 
-void WebPageProxy::initializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle)
+bool WebPageProxy::maybeInitializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle)
 {
     if (!url.isLocalFile())
-        return;
+        return false;
 
     // Don't give the inspector full access to the file system.
     if (WebInspectorProxy::isInspectorPage(this))
-        return;
+        return false;
 
     SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle);
+    return true;
 }
 
@@ -417 +421 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::LoadURL(url, sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -430 +436 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::LoadURLRequest(urlRequest->resourceRequest(), sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -440 +448 @@
         reattachToWebProcess();
 
+    process()->willLoadHTMLStringWithBaseURL(baseURL);
     process()->send(Messages::WebPage::LoadHTMLString(htmlString, baseURL), m_pageID);
     process()->responsivenessTimer()->start();
@@ -452 +461 @@
         m_mainFrame->setUnreachableURL(unreachableURL);
 
+    process()->willLoadHTMLStringWithBaseURL(baseURL);
     process()->send(Messages::WebPage::LoadAlternateHTMLString(htmlString, baseURL, unreachableURL), m_pageID);
     process()->responsivenessTimer()->start();
@@ -503 +513 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::GoForward(forwardItem->itemID(), sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -528 +540 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::GoBack(backItem->itemID(), sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -548 +562 @@
 
     SandboxExtension::Handle sandboxExtensionHandle;
-    initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+    if (createdExtension)
+        process()->willAcquireUniversalFileReadSandboxExtension();
     process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID);
     process()->responsivenessTimer()->start();
@@ -1525 +1541 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(url);
 
     frame->setUnreachableURL(unreachableURL);
@@ -1541 +1558 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(url);
 
     frame->didReceiveServerRedirectForProvisionalLoad(url);
@@ -1662 +1680 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(url);
 
     clearPendingAPIRequestURL();
@@ -1774 +1793 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(request.url());
 
     NavigationType navigationType = static_cast<NavigationType>(opaqueNavigationType);
@@ -1808 +1828 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(request.url());
 
     NavigationType navigationType = static_cast<NavigationType>(opaqueNavigationType);
@@ -1827 +1848 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
-
+    MESSAGE_CHECK_URL(request.url());
+    MESSAGE_CHECK_URL(response.url());
+    
     RefPtr<WebFramePolicyListenerProxy> listener = frame->setUpPolicyListenerProxy(listenerID);
 
@@ -1887 +1910 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(request.url());
 
     m_resourceLoadClient.didInitiateLoadForResource(this, frame, resourceIdentifier, request, pageIsProvisionallyLoading);
@@ -1895 +1919 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(request.url());
 
     m_resourceLoadClient.didSendRequestForResource(this, frame, resourceIdentifier, request, redirectResponse);
@@ -1903 +1928 @@
     WebFrameProxy* frame = process()->webFrame(frameID);
     MESSAGE_CHECK(frame);
+    MESSAGE_CHECK_URL(response.url());
 
     m_resourceLoadClient.didReceiveResponseForResource(this, frame, resourceIdentifier, response);
@@ -2017 +2043 @@
 void WebPageProxy::missingPluginButtonClicked(const String& mimeType, const String& url, const String& pluginsPageURL)
 {
+    MESSAGE_CHECK_URL(url);
+    MESSAGE_CHECK_URL(pluginsPageURL);
+
     m_uiClient.missingPluginButtonClicked(this, mimeType, url, pluginsPageURL);
 }

trunk/Source/WebKit2/UIProcess/WebPageProxy.h

@@ -775 +775 @@
     void setPendingAPIRequestURL(const String& pendingAPIRequestURL) { m_pendingAPIRequestURL = pendingAPIRequestURL; }
 
-    void initializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&);
+    bool maybeInitializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&);
 
 #if PLATFORM(MAC)

trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp

@@ -46 +46 @@
 using namespace std;
 
+#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromWebProcess(url), connection())
+
 namespace WebKit {
 
@@ -68 +70 @@
     : m_responsivenessTimer(this)
     , m_context(context)
+    , m_mayHaveUniversalFileReadSandboxExtension(false)
 {
     connect();
@@ -201 +204 @@
 }
 
+void WebProcessProxy::willLoadHTMLStringWithBaseURL(const String& urlString)
+{
+    KURL url(KURL(), urlString);
+    if (!url.isLocalFile())
+        return;
+
+    // Client loads an alternate string. This doesn't grant universal file read, but the web process is assumed
+    // to have read access to this directory already.
+    m_localPathsWithAssumedReadAccess.add(url.fileSystemPath());
+}
+
+bool WebProcessProxy::checkURLReceivedFromWebProcess(const String& urlString)
+{
+    return checkURLReceivedFromWebProcess(KURL(KURL(), urlString));
+}
+
+bool WebProcessProxy::checkURLReceivedFromWebProcess(const KURL& url)
+{
+    // FIXME: Consider checking that the URL is valid. Currently, WebProcess sends invalid URLs in many cases, but it probably doesn't have good reasons to do that.
+
+    // Any other non-file URL is OK.
+    if (!url.isLocalFile())
+        return true;
+
+    // Any file URL is also OK if we've loaded a file URL through API before, granting universal read access.
+    if (m_mayHaveUniversalFileReadSandboxExtension)
+        return true;
+
+    // If we loaded a string with a file base URL before, loading resources from that subdirectory is fine.
+    // There are no ".." components, because all URLs received from WebProcess are parsed with KURL, which removes those.
+    String path = url.fileSystemPath();
+    for (HashSet<String>::const_iterator iter = m_localPathsWithAssumedReadAccess.begin(); iter != m_localPathsWithAssumedReadAccess.end(); ++iter) {
+        if (path.startsWith(*iter))
+            return true;
+    }
+
+    // A Web process that was never asked to load a file URL should not ever ask us to do anything with a file URL.
+    return false;
+}
+
 void WebProcessProxy::addBackForwardItem(uint64_t itemID, const String& originalURL, const String& url, const String& title, const CoreIPC::DataReference& backForwardData)
 {
+    MESSAGE_CHECK_URL(originalURL);
+    MESSAGE_CHECK_URL(url);
+
     std::pair<WebBackForwardListItemMap::iterator, bool> result = m_backForwardListItemMap.add(itemID, 0);
     if (result.second) {

trunk/Source/WebKit2/UIProcess/WebProcessProxy.h

@@ -105 +105 @@
     void registerNewWebBackForwardListItem(WebBackForwardListItem*);
 
+    void willAcquireUniversalFileReadSandboxExtension() { m_mayHaveUniversalFileReadSandboxExtension = true; }
+    void willLoadHTMLStringWithBaseURL(const String&);
+
+    bool checkURLReceivedFromWebProcess(const String&);
+    bool checkURLReceivedFromWebProcess(const WebCore::KURL&);
+
     // FIXME: This variant of send is deprecated. All clients should move to an overload that take a message type.
     template<typename E, typename T> bool deprecatedSend(E messageID, uint64_t destinationID, const T& arguments);
@@ -176 +182 @@
     RefPtr<WebContext> m_context;
 
+    bool m_mayHaveUniversalFileReadSandboxExtension; // True if a read extension for "/" was ever granted - we don't track whether WebProcess still has it.
+    HashSet<String> m_localPathsWithAssumedReadAccess;
+
     HashMap<uint64_t, WebPageProxy*> m_pageMap;
     WebFrameProxyMap m_frameMap;

trunk/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp

@@ -167 +167 @@
                     SandboxExtension::Handle sandboxExtensionHandle;
                     if (WebBackForwardListItem* item = m_backForwardList->currentItem()) {
-                        initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+                        bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
+                        if (createdExtension)
+                            process()->willAcquireUniversalFileReadSandboxExtension();
                         setPendingAPIRequestURL(item->url());
                     }