[webkit-changes] [WebKit/WebKit] 0f8aaf: WebContent process can create files at arbitrary l...

aestes noreply at github.com
Mon Jul 31 10:58:41 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0f8aafd122c29180189e7bb05729231a6d9adbce
      https://github.com/WebKit/WebKit/commit/0f8aafd122c29180189e7bb05729231a6d9adbce
  Author: Andy Estes <aestes at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h

  Log Message:
  -----------
  WebContent process can create files at arbitrary locations by calling RemoteMediaPlayerManagerProxy::OriginsInMediaCache
https://bugs.webkit.org/show_bug.cgi?id=257875
rdar://107931180

Reviewed by Eric Carlson.

MediaPlayerPrivateAVFoundationObjC implements cache management by creating an AVAssetCache at a
specified path, and AVAssetCache creates an empty directory at this path if one doesn't exist. When
MediaPlayer's installedMediaEngines() are accessed from the WebContent process and the GPU process
is in use, RemoteMediaPlayerManager creates media player factories that proxy cache management calls
to the GPU process via RemoteMediaPlayerManagerProxy IPC messages, passing the media cache directory
specified by the website data store as an argument. If a compromised WebContent process were to send
these messages with a path of its choosing, it could convince the GPU process to create a directory
at an arbitrary location within the GPU process sandbox.

Fixed this by removing the cache management IPC messages (OriginsInMediaCache, ClearMediaCache, and
ClearMediaCacheForOrigins) from RemoteMediaPlayerManagerProxy and calling ASSERT_NOT_REACHED() if
the WebContent process attempts to perform MediaPlayer cache management while the GPU process is in
use. This is OK because the cache management subset of MediaPlayerFactory's interface is exclusively
called from WebsiteDataStore in the UI process where media engines are accessed directly rather than
via RemoteMediaPlayerManagerProxy.

* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp:
(WebKit::RemoteMediaPlayerManagerProxy::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:

Originally-landed-as: 259548.815 at safari-7615-branch (7b6d48342b82). rdar://107931180
Canonical link: https://commits.webkit.org/266437@main
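The confused-deputy pattern the commit message describes (a less privileged process supplying the path at which a more privileged process creates a directory), modelled as an added example. This is not WebKit code: the message and handler names, the `GpuProcessConfig` struct and the scratch-directory scenario are all hypothetical stand-ins, and the demo runs against a throwaway directory under the system temp location rather than any real sandbox.

```cpp
// Added example, not WebKit code. Toy model of a GPU-process IPC handler that
// receives a cache-management message from an untrusted WebContent process.
#include <filesystem>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Trusted configuration handed to the privileged process at launch
// (hypothetical; stands in for the website data store's media cache directory).
struct GpuProcessConfig {
    fs::path mediaCacheDirectory;
};

// IPC message as received from the less privileged sender. In the vulnerable
// design the sender chooses the path; a compromised sender chooses freely.
struct OriginsInMediaCacheMessage {
    std::string cachePath;
};

// Vulnerable handler: creates a directory wherever the message says, using the
// receiving process's privileges. This is the behaviour the commit removes.
bool vulnerableOriginsInMediaCache(const OriginsInMediaCacheMessage& msg)
{
    std::error_code ec;
    fs::create_directories(msg.cachePath, ec);
    return !ec;
}

enum class HandlerResult { Ok, RejectedSenderSuppliedPath, Failed };

// Hardened handler: the location comes only from trusted configuration. The
// sender may trigger the operation but never selects where it acts; a message
// carrying a path is a protocol violation and is refused without side effects.
HandlerResult hardenedOriginsInMediaCache(const GpuProcessConfig& config,
                                          const OriginsInMediaCacheMessage& msg)
{
    if (!msg.cachePath.empty())
        return HandlerResult::RejectedSenderSuppliedPath;
    std::error_code ec;
    fs::create_directories(config.mediaCacheDirectory, ec);
    return ec ? HandlerResult::Failed : HandlerResult::Ok;
}

// Constructed scenario: a scratch directory stands in for the privileged
// process's sandbox. "trusted/MediaCache" is the legitimate cache location;
// "elsewhere/attacker-chosen" is the path a hostile sender puts in the message.
struct DemoOutcome {
    bool vulnerableCreatedAttackerPath;
    bool hardenedRejected;
    bool hardenedCreatedAttackerPath;
    bool hardenedCreatedTrustedPath;
};

DemoOutcome runDemo()
{
    std::error_code ec;
    fs::path sandbox = fs::temp_directory_path() / "gpu-process-sandbox-demo";
    fs::remove_all(sandbox, ec);
    fs::create_directories(sandbox);

    GpuProcessConfig config { sandbox / "trusted" / "MediaCache" };
    fs::path attackerPath = sandbox / "elsewhere" / "attacker-chosen";
    OriginsInMediaCacheMessage hostile { attackerPath.string() };

    DemoOutcome out {};
    vulnerableOriginsInMediaCache(hostile);
    out.vulnerableCreatedAttackerPath = fs::is_directory(attackerPath);

    fs::remove_all(attackerPath, ec);
    out.hardenedRejected = hardenedOriginsInMediaCache(config, hostile)
        == HandlerResult::RejectedSenderSuppliedPath;
    out.hardenedCreatedAttackerPath = fs::is_directory(attackerPath);

    OriginsInMediaCacheMessage legitimate {};
    hardenedOriginsInMediaCache(config, legitimate);
    out.hardenedCreatedTrustedPath = fs::is_directory(config.mediaCacheDirectory);

    fs::remove_all(sandbox, ec);
    return out;
}

bool demoPasses()
{
    DemoOutcome o = runDemo();
    return o.vulnerableCreatedAttackerPath && o.hardenedRejected
        && !o.hardenedCreatedAttackerPath && o.hardenedCreatedTrustedPath;
}

int main()
{
    return demoPasses() ? 0 : 1;
}
```

The hardened handler captures the principle behind the fix: a message argument that lets the sender pick where a more privileged process writes is a primitive, not a parameter, so the location must come from the trusted side. If a message genuinely had to carry a sub-location, the receiver would canonicalize it and verify it stays under the trusted root before acting; the commit instead removes the messages outright, since the only legitimate caller of this interface is WebsiteDataStore in the UI process.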
