Changeset 95747 in webkit
- Timestamp:
- Sep 22, 2011 12:41:00 PM (13 years ago)
- Location:
- trunk/Source/WebKit2
- Files:
-
- 8 edited
trunk/Source/WebKit2/ChangeLog
r95715 r95747 1 2011-09-22 Alexey Proskuryakov <ap@apple.com> 2 3 [WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it 4 https://bugs.webkit.org/show_bug.cgi?id=68573 5 6 Reviewed by Anders Carlsson. 7 8 Re-landing with a slightly less aggressive check. 9 10 * UIProcess/API/mac/WKView.mm: 11 (maybeCreateSandboxExtensionFromPasteboard): Return a boolean, telling the caller whether 12 an extension actually needed to be created 13 (-[WKView performDragOperation:]): Tell process proxy when the process is going to get 14 universal file read sandbox extension. 15 16 * UIProcess/WebContext.cpp: 17 (WebKit::WebContext::didPerformClientRedirect): Check the URLs. 18 (WebKit::WebContext::didPerformServerRedirect): Ditto. 19 (WebKit::WebContext::didUpdateHistoryTitle): Ditto. 20 (WebKit::WebContext::getPluginPath): Ditto. Also, properly parse the URL - we can never 21 assume that a string coming from WebProcess is a ParsedURLString. 22 23 * UIProcess/WebPageProxy.cpp: 24 (WebKit::WebPageProxy::reattachToWebProcessWithItem): Tell process proxy when the process 25 is going to get universal file read sandbox extension. 26 (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Changed to return a boolean, 27 telling the caller whether an extension actually needed to be created. 28 (WebKit::WebPageProxy::loadURL): Tell process proxy about extension. 29 (WebKit::WebPageProxy::loadURLRequest): Ditto. 30 (WebKit::WebPageProxy::loadHTMLString): Tell process proxy if a file URL was used as a base 31 one for a string. In this case, WebKit2 assumes that WebProcess has access to a subdirectory, 32 (typically, one where error page resources live), and can load from it. 33 (WebKit::WebPageProxy::loadAlternateHTMLString): Ditto. 34 (WebKit::WebPageProxy::goForward): Tell process proxy about extension. 35 (WebKit::WebPageProxy::goBack): Tell process proxy about extension. 
36 (WebKit::WebPageProxy::goToBackForwardItem): Tell process proxy about extension. 37 (WebKit::WebPageProxy::didStartProvisionalLoadForFrame): Check the URL. 38 (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame): Ditto. 39 (WebKit::WebPageProxy::didSameDocumentNavigationForFrame): Ditto. 40 (WebKit::WebPageProxy::decidePolicyForNavigationAction): Ditto. 41 (WebKit::WebPageProxy::decidePolicyForNewWindowAction): Ditto. 42 (WebKit::WebPageProxy::decidePolicyForResponse): Ditto. 43 (WebKit::WebPageProxy::didInitiateLoadForResource): Ditto. 44 (WebKit::WebPageProxy::didSendRequestForResource): Ditto. 45 (WebKit::WebPageProxy::didReceiveResponseForResource): Ditto. 46 (WebKit::WebPageProxy::missingPluginButtonClicked): Ditto. 47 48 * UIProcess/WebPageProxy.h: Changed initializeSandboxExtensionHandle() to return a bool, 49 and renamed to maybeInitializeSandboxExtensionHandle (matching WKView counterpart). 50 51 * UIProcess/WebProcessProxy.cpp: 52 (WebKit::WebProcessProxy::WebProcessProxy): Initialize m_mayHaveUniversalFileReadSandboxExtension. 53 It's going to be true if we ever granted an extension for "/". 54 (WebKit::WebProcessProxy::willLoadHTMLStringWithBaseURL): Remember the path, we should expect 55 that WebProcess will load subresources from it. 56 (WebKit::WebProcessProxy::checkURLReceivedFromWebProcess): Check that it's reasonable to expect 57 WebProcess send us a URL like this. 58 (WebKit::WebProcessProxy::addBackForwardItem): Check the URLs. 59 60 * UIProcess/WebProcessProxy.h: Added data members remembering what to expect from this process. 61 62 * UIProcess/cf/WebPageProxyCF.cpp: (WebKit::WebPageProxy::restoreFromSessionStateData): 63 Tell process proxy when the process is going to get universal file read sandbox extension. 64 1 65 2011-09-22 Alpha Lam <hclam@chromium.org> 2 66 -
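Review bot: the WebContext.cpp and WebPageProxy.cpp entries do not mention that the existing MESSAGE_CHECK macro was changed from `process()->connection()` to `m_process->connection()`; if the two are equivalent, say so in the log, and if not, the reason for the change belongs here. Also, in the checkURLReceivedFromWebProcess entry, "WebProcess send us a URL like this" should read "sends".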
trunk/Source/WebKit2/UIProcess/API/mac/WKView.mm
r95708 r95747 1661 1661 // FIXME: This code is more or less copied from Pasteboard::getBestURL. 1662 1662 // It would be nice to be able to share the code somehow. 1663 static voidmaybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, SandboxExtension::Handle& sandboxExtensionHandle)1663 static bool maybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, SandboxExtension::Handle& sandboxExtensionHandle) 1664 1664 { 1665 1665 NSArray *types = [pasteboard types]; 1666 1666 if (![types containsObject:NSFilenamesPboardType]) 1667 return ;1667 return false; 1668 1668 1669 1669 NSArray *files = [pasteboard propertyListForType:NSFilenamesPboardType]; 1670 1670 if ([files count] != 1) 1671 return ;1671 return false; 1672 1672 1673 1673 NSString *file = [files objectAtIndex:0]; 1674 1674 BOOL isDirectory; 1675 1675 if (![[NSFileManager defaultManager] fileExistsAtPath:file isDirectory:&isDirectory]) 1676 return ;1676 return false; 1677 1677 1678 1678 if (isDirectory) 1679 return ;1679 return false; 1680 1680 1681 1681 SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle); 1682 return true; 1682 1683 } 1683 1684 … … 1689 1690 1690 1691 SandboxExtension::Handle sandboxExtensionHandle; 1691 maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle); 1692 bool createdExtension = maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle); 1693 if (createdExtension) 1694 _data->_page->process()->willAcquireUniversalFileReadSandboxExtension(); 1692 1695 1693 1696 _data->_page->performDrag(&dragData, [[draggingInfo draggingPasteboard] name], sandboxExtensionHandle); -
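Review bot: maybeCreateSandboxExtensionFromPasteboard returns true unconditionally after `SandboxExtension::createHandle("/", ...)` without looking at whether the handle was actually created; if createHandle can fail, performDragOperation: will still call willAcquireUniversalFileReadSandboxExtension(), latching the process proxy into "may have universal read" and switching off the file: URL check for an extension the web process never received. Either check the result of createHandle before returning true, or document that it cannot fail here.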
trunk/Source/WebKit2/UIProcess/WebContext.cpp
r95708 r95747 66 66 #endif 67 67 68 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection()) 68 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection()) 69 #define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection()) 69 70 70 71 using namespace WebCore; … … 440 441 MESSAGE_CHECK(frame); 441 442 MESSAGE_CHECK(frame->page() == page); 442 443 MESSAGE_CHECK_URL(sourceURLString); 444 MESSAGE_CHECK_URL(destinationURLString); 445 443 446 m_historyClient.didPerformClientRedirect(this, page, sourceURLString, destinationURLString, frame); 444 447 } … … 456 459 MESSAGE_CHECK(frame); 457 460 MESSAGE_CHECK(frame->page() == page); 458 461 MESSAGE_CHECK_URL(sourceURLString); 462 MESSAGE_CHECK_URL(destinationURLString); 463 459 464 m_historyClient.didPerformServerRedirect(this, page, sourceURLString, destinationURLString, frame); 460 465 } … … 469 474 MESSAGE_CHECK(frame); 470 475 MESSAGE_CHECK(frame->page() == page); 476 MESSAGE_CHECK_URL(url); 471 477 472 478 m_historyClient.didUpdateHistoryTitle(this, page, title, url, frame); … … 554 560 void WebContext::getPluginPath(const String& mimeType, const String& urlString, String& pluginPath) 555 561 { 562 MESSAGE_CHECK_URL(urlString); 563 556 564 String newMimeType = mimeType.lower(); 557 565 558 PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL( ParsedURLString, urlString));566 PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL(KURL(), urlString)); 559 567 if (!plugin.path) 560 568 return; -
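Review bot: MESSAGE_CHECK_URL is now defined three times with slightly different spellings (here and in WebPageProxy.cpp via `m_process->checkURLReceivedFromWebProcess(url)`, in WebProcessProxy.cpp via `checkURLReceivedFromWebProcess(url)`); a single definition next to MESSAGE_CHECK_BASE, parameterised on the process proxy, would keep the three from drifting apart as more message handlers get the check. The getPluginPath change from `KURL(ParsedURLString, urlString)` to `KURL(KURL(), urlString)` is the right fix, since a string from the web process cannot be assumed to be an already-canonicalised URL.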
trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp
r95708 r95747 91 91 #define MERGE_WHEEL_EVENTS 1 92 92 93 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection()) 93 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection()) 94 #define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection()) 94 95 95 96 using namespace WebCore; … … 297 298 298 299 SandboxExtension::Handle sandboxExtensionHandle; 299 initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 300 bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 301 if (createdExtension) 302 process()->willAcquireUniversalFileReadSandboxExtension(); 300 303 process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID); 301 304 process()->responsivenessTimer()->start(); … … 397 400 } 398 401 399 void WebPageProxy::initializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle)402 bool WebPageProxy::maybeInitializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle) 400 403 { 401 404 if (!url.isLocalFile()) 402 return ;405 return false; 403 406 404 407 // Don't give the inspector full access to the file system. 
405 408 if (WebInspectorProxy::isInspectorPage(this)) 406 return ;409 return false; 407 410 408 411 SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle); 412 return true; 409 413 } 410 414 … … 417 421 418 422 SandboxExtension::Handle sandboxExtensionHandle; 419 initializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle); 423 bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle); 424 if (createdExtension) 425 process()->willAcquireUniversalFileReadSandboxExtension(); 420 426 process()->send(Messages::WebPage::LoadURL(url, sandboxExtensionHandle), m_pageID); 421 427 process()->responsivenessTimer()->start(); … … 430 436 431 437 SandboxExtension::Handle sandboxExtensionHandle; 432 initializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle); 438 bool createdExtension = maybeInitializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle); 439 if (createdExtension) 440 process()->willAcquireUniversalFileReadSandboxExtension(); 433 441 process()->send(Messages::WebPage::LoadURLRequest(urlRequest->resourceRequest(), sandboxExtensionHandle), m_pageID); 434 442 process()->responsivenessTimer()->start(); … … 440 448 reattachToWebProcess(); 441 449 450 process()->willLoadHTMLStringWithBaseURL(baseURL); 442 451 process()->send(Messages::WebPage::LoadHTMLString(htmlString, baseURL), m_pageID); 443 452 process()->responsivenessTimer()->start(); … … 452 461 m_mainFrame->setUnreachableURL(unreachableURL); 453 462 463 process()->willLoadHTMLStringWithBaseURL(baseURL); 454 464 process()->send(Messages::WebPage::LoadAlternateHTMLString(htmlString, baseURL, unreachableURL), m_pageID); 455 465 process()->responsivenessTimer()->start(); … … 503 513 504 514 SandboxExtension::Handle sandboxExtensionHandle; 505 initializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle); 515 bool createdExtension 
= maybeInitializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle); 516 if (createdExtension) 517 process()->willAcquireUniversalFileReadSandboxExtension(); 506 518 process()->send(Messages::WebPage::GoForward(forwardItem->itemID(), sandboxExtensionHandle), m_pageID); 507 519 process()->responsivenessTimer()->start(); … … 528 540 529 541 SandboxExtension::Handle sandboxExtensionHandle; 530 initializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle); 542 bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle); 543 if (createdExtension) 544 process()->willAcquireUniversalFileReadSandboxExtension(); 531 545 process()->send(Messages::WebPage::GoBack(backItem->itemID(), sandboxExtensionHandle), m_pageID); 532 546 process()->responsivenessTimer()->start(); … … 548 562 549 563 SandboxExtension::Handle sandboxExtensionHandle; 550 initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 564 bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 565 if (createdExtension) 566 process()->willAcquireUniversalFileReadSandboxExtension(); 551 567 process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID); 552 568 process()->responsivenessTimer()->start(); … … 1525 1541 WebFrameProxy* frame = process()->webFrame(frameID); 1526 1542 MESSAGE_CHECK(frame); 1543 MESSAGE_CHECK_URL(url); 1527 1544 1528 1545 frame->setUnreachableURL(unreachableURL); … … 1541 1558 WebFrameProxy* frame = process()->webFrame(frameID); 1542 1559 MESSAGE_CHECK(frame); 1560 MESSAGE_CHECK_URL(url); 1543 1561 1544 1562 frame->didReceiveServerRedirectForProvisionalLoad(url); … … 1662 1680 WebFrameProxy* frame = process()->webFrame(frameID); 1663 1681 MESSAGE_CHECK(frame); 1682 MESSAGE_CHECK_URL(url); 1664 1683 1665 1684 clearPendingAPIRequestURL(); … … 1774 1793 
WebFrameProxy* frame = process()->webFrame(frameID); 1775 1794 MESSAGE_CHECK(frame); 1795 MESSAGE_CHECK_URL(request.url()); 1776 1796 1777 1797 NavigationType navigationType = static_cast<NavigationType>(opaqueNavigationType); … … 1808 1828 WebFrameProxy* frame = process()->webFrame(frameID); 1809 1829 MESSAGE_CHECK(frame); 1830 MESSAGE_CHECK_URL(request.url()); 1810 1831 1811 1832 NavigationType navigationType = static_cast<NavigationType>(opaqueNavigationType); … … 1827 1848 WebFrameProxy* frame = process()->webFrame(frameID); 1828 1849 MESSAGE_CHECK(frame); 1829 1850 MESSAGE_CHECK_URL(request.url()); 1851 MESSAGE_CHECK_URL(response.url()); 1852 1830 1853 RefPtr<WebFramePolicyListenerProxy> listener = frame->setUpPolicyListenerProxy(listenerID); 1831 1854 … … 1887 1910 WebFrameProxy* frame = process()->webFrame(frameID); 1888 1911 MESSAGE_CHECK(frame); 1912 MESSAGE_CHECK_URL(request.url()); 1889 1913 1890 1914 m_resourceLoadClient.didInitiateLoadForResource(this, frame, resourceIdentifier, request, pageIsProvisionallyLoading); … … 1895 1919 WebFrameProxy* frame = process()->webFrame(frameID); 1896 1920 MESSAGE_CHECK(frame); 1921 MESSAGE_CHECK_URL(request.url()); 1897 1922 1898 1923 m_resourceLoadClient.didSendRequestForResource(this, frame, resourceIdentifier, request, redirectResponse); … … 1903 1928 WebFrameProxy* frame = process()->webFrame(frameID); 1904 1929 MESSAGE_CHECK(frame); 1930 MESSAGE_CHECK_URL(response.url()); 1905 1931 1906 1932 m_resourceLoadClient.didReceiveResponseForResource(this, frame, resourceIdentifier, response); … … 2017 2043 void WebPageProxy::missingPluginButtonClicked(const String& mimeType, const String& url, const String& pluginsPageURL) 2018 2044 { 2045 MESSAGE_CHECK_URL(url); 2046 MESSAGE_CHECK_URL(pluginsPageURL); 2047 2019 2048 m_uiClient.missingPluginButtonClicked(this, mimeType, url, pluginsPageURL); 2020 2049 } -
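Review bot: in didStartProvisionalLoadForFrame only `url` gets MESSAGE_CHECK_URL, while `unreachableURL`, which also arrives from the web process, is stored unchecked via `frame->setUnreachableURL(unreachableURL)`; since the point of the patch is that the UI process should not accept file: URLs it never asked for, `MESSAGE_CHECK_URL(unreachableURL)` belongs next to the existing check (the same applies to the alternate HTML path, where loadAlternateHTMLString sets the unreachable URL from the API side). Separately, the `bool createdExtension = maybeInitializeSandboxExtensionHandle(...); if (createdExtension) process()->willAcquireUniversalFileReadSandboxExtension();` pair is repeated in reattachToWebProcessWithItem, loadURL, loadURLRequest, goForward, goBack and goToBackForwardItem; the helper already has `this` and `process()`, so it could make the willAcquireUniversalFileReadSandboxExtension() call itself and the bool return would become unnecessary.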
trunk/Source/WebKit2/UIProcess/WebPageProxy.h
r95708 r95747 775 775 void setPendingAPIRequestURL(const String& pendingAPIRequestURL) { m_pendingAPIRequestURL = pendingAPIRequestURL; } 776 776 777 void initializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&);777 bool maybeInitializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&); 778 778 779 779 #if PLATFORM(MAC) -
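Review bot: the renamed declaration `bool maybeInitializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&);` carries no comment on what the return value means; a one-line comment stating that true means a read-only extension for "/" was created and the caller must notify the process proxy would spare the next caller a trip to the .cpp.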
trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp
r95708 r95747 46 46 using namespace std; 47 47 48 #define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromWebProcess(url), connection()) 49 48 50 namespace WebKit { 49 51 … … 68 70 : m_responsivenessTimer(this) 69 71 , m_context(context) 72 , m_mayHaveUniversalFileReadSandboxExtension(false) 70 73 { 71 74 connect(); … … 201 204 } 202 205 206 void WebProcessProxy::willLoadHTMLStringWithBaseURL(const String& urlString) 207 { 208 KURL url(KURL(), urlString); 209 if (!url.isLocalFile()) 210 return; 211 212 // Client loads an alternate string. This doesn't grant universal file read, but the web process is assumed 213 // to have read access to this directory already. 214 m_localPathsWithAssumedReadAccess.add(url.fileSystemPath()); 215 } 216 217 bool WebProcessProxy::checkURLReceivedFromWebProcess(const String& urlString) 218 { 219 return checkURLReceivedFromWebProcess(KURL(KURL(), urlString)); 220 } 221 222 bool WebProcessProxy::checkURLReceivedFromWebProcess(const KURL& url) 223 { 224 // FIXME: Consider checking that the URL is valid. Currently, WebProcess sends invalid URLs in many cases, but it probably doesn't have good reasons to do that. 225 226 // Any other non-file URL is OK. 227 if (!url.isLocalFile()) 228 return true; 229 230 // Any file URL is also OK if we've loaded a file URL through API before, granting universal read access. 231 if (m_mayHaveUniversalFileReadSandboxExtension) 232 return true; 233 234 // If we loaded a string with a file base URL before, loading resources from that subdirectory is fine. 235 // There are no ".." components, because all URLs received from WebProcess are parsed with KURL, which removes those. 
236 String path = url.fileSystemPath(); 237 for (HashSet<String>::const_iterator iter = m_localPathsWithAssumedReadAccess.begin(); iter != m_localPathsWithAssumedReadAccess.end(); ++iter) { 238 if (path.startsWith(*iter)) 239 return true; 240 } 241 242 // A Web process that was never asked to load a file URL should not ever ask us to do anything with a file URL. 243 return false; 244 } 245 203 246 void WebProcessProxy::addBackForwardItem(uint64_t itemID, const String& originalURL, const String& url, const String& title, const CoreIPC::DataReference& backForwardData) 204 247 { 248 MESSAGE_CHECK_URL(originalURL); 249 MESSAGE_CHECK_URL(url); 250 205 251 std::pair<WebBackForwardListItemMap::iterator, bool> result = m_backForwardListItemMap.add(itemID, 0); 206 252 if (result.second) { -
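Review bot: the allowed-subdirectory test in checkURLReceivedFromWebProcess is a bare string prefix match, `path.startsWith(*iter)`, with no directory-boundary check, so an assumed path of "/a/b" also admits "/a/bc/anything"; either normalise the entries added in willLoadHTMLStringWithBaseURL to end in '/' or require that the character following the matched prefix be a separator. Also, `m_localPathsWithAssumedReadAccess.add(url.fileSystemPath())` records the base URL's own path; when the base URL names a file rather than a directory, sibling resources in that directory will not share the prefix, so it is worth stating in the comment which form of base URL callers are expected to pass. The comment "Client loads an alternate string" is also too narrow, since loadHTMLString calls this as well.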
trunk/Source/WebKit2/UIProcess/WebProcessProxy.h
r95708 r95747 105 105 void registerNewWebBackForwardListItem(WebBackForwardListItem*); 106 106 107 void willAcquireUniversalFileReadSandboxExtension() { m_mayHaveUniversalFileReadSandboxExtension = true; } 108 void willLoadHTMLStringWithBaseURL(const String&); 109 110 bool checkURLReceivedFromWebProcess(const String&); 111 bool checkURLReceivedFromWebProcess(const WebCore::KURL&); 112 107 113 // FIXME: This variant of send is deprecated. All clients should move to an overload that take a message type. 108 114 template<typename E, typename T> bool deprecatedSend(E messageID, uint64_t destinationID, const T& arguments); … … 176 182 RefPtr<WebContext> m_context; 177 183 184 bool m_mayHaveUniversalFileReadSandboxExtension; // True if a read extension for "/" was ever granted - we don't track whether WebProcess still has it. 185 HashSet<String> m_localPathsWithAssumedReadAccess; 186 178 187 HashMap<uint64_t, WebPageProxy*> m_pageMap; 179 188 WebFrameProxyMap m_frameMap; -
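Review bot: both overloads of checkURLReceivedFromWebProcess only read `m_mayHaveUniversalFileReadSandboxExtension` and `m_localPathsWithAssumedReadAccess`, so they can be declared `const`; that would also let the MESSAGE_CHECK_URL macro be used from const members of the proxies. The comment on `m_mayHaveUniversalFileReadSandboxExtension` is useful; it would help to add a matching one to `m_localPathsWithAssumedReadAccess` saying that the entries are matched as path prefixes.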
trunk/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp
r95708 r95747 167 167 SandboxExtension::Handle sandboxExtensionHandle; 168 168 if (WebBackForwardListItem* item = m_backForwardList->currentItem()) { 169 initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 169 bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); 170 if (createdExtension) 171 process()->willAcquireUniversalFileReadSandboxExtension(); 170 172 setPendingAPIRequestURL(item->url()); 171 173 }
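Review bot: restoreFromSessionStateData is the seventh copy of the createdExtension / willAcquireUniversalFileReadSandboxExtension() pattern; if the notification is folded into maybeInitializeSandboxExtensionHandle this hunk shrinks back to the single call it replaced, and future call sites cannot forget the notification.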