[webkit-changes] [WebKit/WebKit] 3c089e: Cherry-pick 252432.840 at safari-7614-branch (56f36c0...
Aditya Keerthi
noreply at github.com
Tue Jan 24 18:48:37 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3c089e68eb066333c057a99dd3a511fd3495e5bf
https://github.com/WebKit/WebKit/commit/3c089e68eb066333c057a99dd3a511fd3495e5bf
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M Source/WebKit/UIProcess/Cocoa/WKShareSheet.mm
Log Message:
-----------
Cherry-pick 252432.840 at safari-7614-branch (56f36c096a15). rdar://104609397

Share Sheet may parse complex image formats
https://bugs.webkit.org/show_bug.cgi?id=248097
rdar://99294213

Reviewed by Jonathan Bedard and Tim Horton.

When a URL is given to the Share Sheet, the Share Sheet displays a thumbnail
defined by the URL, in the UIProcess. The Web Share API allows the URL to be
handed to the UIProcess from the WebProcess, via IPC. Consequently, there
exists a way to trigger image decoding in the UIProcess from a compromised
WebProcess, or one-click from a user.

To fix, display a placeholder icon rather than showing a thumbnail defined by
the URL in the Share Sheet. This behavior is achieved by specifying partial
`LPLinkMetadata`.

* Source/WebKit/UIProcess/Cocoa/WKShareSheet.mm:
(-[WKShareSheetURLItemProvider initWithURL:]):
Mark the metadata as incomplete so that it may be refetched when the URL is
actually shared.

(-[WKShareSheetURLItemProvider item]):
(-[WKShareSheetURLItemProvider activityViewControllerLinkMetadata:]):
(-[WKShareSheet presentWithParameters:inRect:completionHandler:]):
Only apply this mitigation when the Share Sheet is invoked using the Web Share
API. Other contexts require more significant user interaction and are not done
through IPC from the WebProcess.

Canonical link: https://commits.webkit.org/252432.840@safari-7614-branch
Canonical link: https://commits.webkit.org/259328@main