[webkit-changes] [WebKit/WebKit] b17879: Fix a few more secure decoding issues
Alex Christensen
noreply at github.com
Mon May 15 11:51:18 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b17879dcdd0ef0481319a90dac73d50fceb48f28
https://github.com/WebKit/WebKit/commit/b17879dcdd0ef0481319a90dac73d50fceb48f28
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-05-15 (Mon, 15 May 2023)
Changed paths:
M Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.mm
Log Message:
-----------
Fix a few more secure decoding issues
https://bugs.webkit.org/show_bug.cgi?id=256790
rdar://109286881

Reviewed by Wenson Hsieh.

Reports indicate DDScannerResult can contain NSMutableStrings, which fail to decode
in strict mode when expecting an NSString. Fix this by doing the same transformation
from mutable to not mutable on the encoding side that we do elsewhere.

Reports also indicate that NSURLRequest can contain mutable plist types like
NSMutableURLRequest can. To be conservative, add the same allowed mutable plist types
when decoding the two classes.

The soft linking code for PAL::isDataDetectorsCoreFrameworkAvailable already effectively
caches the result of dlsym, so making our own cache is redundant. Same with the other
similar caches.

Also, as a slight perf optimization, check the bools like rewriteMutableString first
before calling dynamic_objc_cast since the former is often false, the latter is more
expensive, and both need to be true to enter the condition.

* Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.mm:
(-[WKSecureCodingArchivingDelegate archiver:willEncodeObject:]):
(-[WKSecureCodingArchivingDelegate init]):
(IPC::encodeSecureCodingInternal):
(IPC::shouldEnableStrictMode):
(IPC::decodeSecureCodingInternal):
Canonical link: https://commits.webkit.org/264079@main