<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[282915] branches/safari-612-branch/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/282915">282915</a></dd>
<dt>Author</dt> <dd>repstein@apple.com</dd>
<dt>Date</dt> <dd>2021-09-22 21:29:32 -0700 (Wed, 22 Sep 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/282393">r282393</a>. rdar://problem/83429703

    [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
    https://bugs.webkit.org/show_bug.cgi?id=230233
    <rdar://79562514>

    Reviewed by Brady Eidson.

    Source/WebCore:

    Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
    since it is currently only used for IndexedDB and we wouldn't want to expand usage to
    other things.

    * bindings/js/SerializedScriptValue.cpp:
    (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
    * platform/network/BlobRegistry.h:
    * platform/network/BlobRegistryImpl.cpp:
    (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
    * platform/network/BlobRegistryImpl.h:

    Source/WebKit:

    When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
    calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
    WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
    sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
    network process and the network process will write the blobs to temporary files and
    then return the file paths to those temporary files to the WebProcess. The file paths
    are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
    IPC.

    This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
    Blob file paths were indeed file paths previously created by the network process on behalf
    of the WebProcess sending the IPC. If it is not, we ignore the IPC.

    * NetworkProcess/IndexedDB/WebIDBServer.cpp:
    (WebKit::WebIDBServer::putOrAdd):
    (WebKit::WebIDBServer::removeConnection):
    (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
    * NetworkProcess/IndexedDB/WebIDBServer.h:
    * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
    * NetworkProcess/NetworkConnectionToWebProcess.cpp:
    (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
    * NetworkProcess/NetworkConnectionToWebProcess.h:
    * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
    * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
    (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
    * WebProcess/FileAPI/BlobRegistryProxy.cpp:
    (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
    * WebProcess/FileAPI/BlobRegistryProxy.h:
    * WebProcess/Network/NetworkProcessConnection.cpp:
    (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
    * WebProcess/Network/NetworkProcessConnection.h:

    Source/WebKitLegacy/mac:

    * WebCoreSupport/WebPlatformStrategies.mm:

    Source/WebKitLegacy/win:

    * WebCoreSupport/WebPlatformStrategies.cpp:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari612branchSourceWebCoreChangeLog">branches/safari-612-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari612branchSourceWebCorebindingsjsSerializedScriptValuecpp">branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryh">branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h</a></li>
<li><a href="#branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryImplcpp">branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryImplh">branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h</a></li>
<li><a href="#branchessafari612branchSourceWebKitChangeLog">branches/safari-612-branch/Source/WebKit/ChangeLog</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServercpp">branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServerh">branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServermessagesin">branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcesscpp">branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcessh">branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcessmessagesin">branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in</a></li>
<li><a href="#branchessafari612branchSourceWebKitNetworkProcessNetworkProcessPlatformStrategiescpp">branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebKitWebProcessFileAPIBlobRegistryProxycpp">branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebKitWebProcessFileAPIBlobRegistryProxyh">branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h</a></li>
<li><a href="#branchessafari612branchSourceWebKitWebProcessNetworkNetworkProcessConnectioncpp">branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp</a></li>
<li><a href="#branchessafari612branchSourceWebKitWebProcessNetworkNetworkProcessConnectionh">branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h</a></li>
<li><a href="#branchessafari612branchSourceWebKitLegacymacChangeLog">branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog</a></li>
<li><a href="#branchessafari612branchSourceWebKitLegacymacWebCoreSupportWebPlatformStrategiesmm">branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm</a></li>
<li><a href="#branchessafari612branchSourceWebKitLegacywinChangeLog">branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog</a></li>
<li><a href="#branchessafari612branchSourceWebKitLegacywinWebCoreSupportWebPlatformStrategiescpp">branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari612branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebCore/ChangeLog      2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog 2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -1,5 +1,92 @@
</span><span class="cx"> 2021-09-22  Alan Coon  <alancoon@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r282393. rdar://problem/83429703
+
+    [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+    https://bugs.webkit.org/show_bug.cgi?id=230233
+    <rdar://79562514>
+    
+    Reviewed by Brady Eidson.
+    
+    Source/WebCore:
+    
+    Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+    since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+    other things.
+    
+    * bindings/js/SerializedScriptValue.cpp:
+    (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+    * platform/network/BlobRegistry.h:
+    * platform/network/BlobRegistryImpl.cpp:
+    (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+    * platform/network/BlobRegistryImpl.h:
+    
+    Source/WebKit:
+    
+    When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+    calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+    WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+    sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+    network process and the network process will write the blobs to temporary files and
+    then return the file paths to those temporary files to the WebProcess. The file paths
+    are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+    IPC.
+    
+    This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+    Blob file paths were indeed file paths previously created by the network process on behalf
+    of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+    
+    * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+    (WebKit::WebIDBServer::putOrAdd):
+    (WebKit::WebIDBServer::removeConnection):
+    (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+    * NetworkProcess/IndexedDB/WebIDBServer.h:
+    * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+    * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+    (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+    * NetworkProcess/NetworkConnectionToWebProcess.h:
+    * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+    * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+    (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+    * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+    (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/FileAPI/BlobRegistryProxy.h:
+    * WebProcess/Network/NetworkProcessConnection.cpp:
+    (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/Network/NetworkProcessConnection.h:
+    
+    Source/WebKitLegacy/mac:
+    
+    * WebCoreSupport/WebPlatformStrategies.mm:
+    
+    Source/WebKitLegacy/win:
+    
+    * WebCoreSupport/WebPlatformStrategies.cpp:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-14  Chris Dumez  <cdumez@apple.com>
+
+            [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+            https://bugs.webkit.org/show_bug.cgi?id=230233
+            <rdar://79562514>
+
+            Reviewed by Brady Eidson.
+
+            Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+            since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+            other things.
+
+            * bindings/js/SerializedScriptValue.cpp:
+            (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+            * platform/network/BlobRegistry.h:
+            * platform/network/BlobRegistryImpl.cpp:
+            (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+            * platform/network/BlobRegistryImpl.h:
+
+2021-09-22  Alan Coon  <alancoon@apple.com>
+
</ins><span class="cx">         Cherry-pick r282358. rdar://problem/83429732
</span><span class="cx"> 
</span><span class="cx">     AX: Make PDFs loaded via <embed> accessible
</span></span></pre></div>
<a id="branchessafari612branchSourceWebCorebindingsjsSerializedScriptValuecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp  2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp     2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -4377,7 +4377,7 @@
</span><span class="cx">     ASSERT(isMainThread());
</span><span class="cx">     ASSERT(hasBlobURLs());
</span><span class="cx"> 
</span><del>-    blobRegistry().writeBlobsToTemporaryFiles(blobURLs(), [completionHandler = WTFMove(completionHandler), this, protectedThis = makeRef(*this)] (auto&& blobFilePaths) mutable {
</del><ins>+    blobRegistry().writeBlobsToTemporaryFilesForIndexedDB(blobURLs(), [completionHandler = WTFMove(completionHandler), this, protectedThis = makeRef(*this)] (auto&& blobFilePaths) mutable {
</ins><span class="cx">         ASSERT(isMainThread());
</span><span class="cx"> 
</span><span class="cx">         if (blobFilePaths.isEmpty()) {
</span></span></pre></div>
<a id="branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h        2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistry.h   2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx"> 
</span><span class="cx">     virtual unsigned long long blobSize(const URL&) = 0;
</span><span class="cx"> 
</span><del>-    virtual void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) = 0;
</del><ins>+    virtual void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) = 0;
</ins><span class="cx"> 
</span><span class="cx">     virtual BlobRegistryImpl* blobRegistryImpl() { return nullptr; }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryImplcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp  2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.cpp     2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -311,7 +311,7 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void BlobRegistryImpl::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</del><ins>+void BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</ins><span class="cx"> {
</span><span class="cx">     Vector<BlobForFileWriting> blobsForWriting;
</span><span class="cx">     if (!populateBlobsForFileWriting(blobURLs, blobsForWriting)) {
</span></span></pre></div>
<a id="branchessafari612branchSourceWebCoreplatformnetworkBlobRegistryImplh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h    2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebCore/platform/network/BlobRegistryImpl.h       2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -72,7 +72,7 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned long long blobSize(const URL&);
</span><span class="cx"> 
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
</ins><span class="cx"> 
</span><span class="cx">     struct BlobForFileWriting {
</span><span class="cx">         String blobURL;
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/ChangeLog (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/ChangeLog       2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/ChangeLog  2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -1,5 +1,113 @@
</span><span class="cx"> 2021-09-22  Alan Coon  <alancoon@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r282393. rdar://problem/83429703
+
+    [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+    https://bugs.webkit.org/show_bug.cgi?id=230233
+    <rdar://79562514>
+    
+    Reviewed by Brady Eidson.
+    
+    Source/WebCore:
+    
+    Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+    since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+    other things.
+    
+    * bindings/js/SerializedScriptValue.cpp:
+    (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+    * platform/network/BlobRegistry.h:
+    * platform/network/BlobRegistryImpl.cpp:
+    (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+    * platform/network/BlobRegistryImpl.h:
+    
+    Source/WebKit:
+    
+    When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+    calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+    WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+    sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+    network process and the network process will write the blobs to temporary files and
+    then return the file paths to those temporary files to the WebProcess. The file paths
+    are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+    IPC.
+    
+    This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+    Blob file paths were indeed file paths previously created by the network process on behalf
+    of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+    
+    * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+    (WebKit::WebIDBServer::putOrAdd):
+    (WebKit::WebIDBServer::removeConnection):
+    (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+    * NetworkProcess/IndexedDB/WebIDBServer.h:
+    * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+    * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+    (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+    * NetworkProcess/NetworkConnectionToWebProcess.h:
+    * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+    * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+    (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+    * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+    (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/FileAPI/BlobRegistryProxy.h:
+    * WebProcess/Network/NetworkProcessConnection.cpp:
+    (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/Network/NetworkProcessConnection.h:
+    
+    Source/WebKitLegacy/mac:
+    
+    * WebCoreSupport/WebPlatformStrategies.mm:
+    
+    Source/WebKitLegacy/win:
+    
+    * WebCoreSupport/WebPlatformStrategies.cpp:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-14  Chris Dumez  <cdumez@apple.com>
+
+            [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+            https://bugs.webkit.org/show_bug.cgi?id=230233
+            <rdar://79562514>
+
+            Reviewed by Brady Eidson.
+
+            When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+            calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+            WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+            sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+            network process and the network process will write the blobs to temporary files and
+            then return the file paths to those temporary files to the WebProcess. The file paths
+            are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+            IPC.
+
+            This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+            Blob file paths were indeed file paths previously created by the network process on behalf
+            of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+
+            * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+            (WebKit::WebIDBServer::putOrAdd):
+            (WebKit::WebIDBServer::removeConnection):
+            (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+            * NetworkProcess/IndexedDB/WebIDBServer.h:
+            * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+            * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+            (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+            * NetworkProcess/NetworkConnectionToWebProcess.h:
+            * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+            * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+            (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+            * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+            (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+            * WebProcess/FileAPI/BlobRegistryProxy.h:
+            * WebProcess/Network/NetworkProcessConnection.cpp:
+            (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+            * WebProcess/Network/NetworkProcessConnection.h:
+
+2021-09-22  Alan Coon  <alancoon@apple.com>
+
</ins><span class="cx">         Cherry-pick r282365. rdar://problem/83429982
</span><span class="cx"> 
</span><span class="cx">     Crash under WebPage::runJavaScript()
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp       2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp  2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -255,10 +255,35 @@
</span><span class="cx">     m_server->renameIndex(requestData, objectStoreIdentifier, indexIdentifier, newName);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void WebIDBServer::putOrAdd(const WebCore::IDBRequestData& requestData, const WebCore::IDBKeyData& keyData, const WebCore::IDBValue& value, WebCore::IndexedDB::ObjectStoreOverwriteMode overWriteMode)
</del><ins>+void WebIDBServer::putOrAdd(IPC::Connection& connection, const WebCore::IDBRequestData& requestData, const WebCore::IDBKeyData& keyData, const WebCore::IDBValue& value, WebCore::IndexedDB::ObjectStoreOverwriteMode overWriteMode)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(!RunLoop::isMain());
</span><span class="cx"> 
</span><ins>+    if (value.blobURLs().size() != value.blobFilePaths().size()) {
+        RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: Number of blob URLs doesn't match the number of blob file paths.");
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
+    // Validate temporary blob paths in |value| to make sure they belong to the source process.
+    if (!value.blobFilePaths().isEmpty()) {
+        auto it = m_temporaryBlobPathsPerConnection.find(connection.uniqueID());
+        if (it == m_temporaryBlobPathsPerConnection.end()) {
+            RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: IDBValue contains blob paths but none are allowed for this process");
+            ASSERT_NOT_REACHED();
+            return;
+        }
+
+        auto& temporaryBlobPathsForConnection = it->value;
+        for (auto& blobFilePath : value.blobFilePaths()) {
+            if (!temporaryBlobPathsForConnection.remove(blobFilePath)) {
+                RELEASE_LOG_FAULT(IndexedDB, "WebIDBServer::putOrAdd: Blob path was not created for this WebProcess");
+                ASSERT_NOT_REACHED();
+                return;
+            }
+        }
+    }
+
</ins><span class="cx">     Locker locker { m_serverLock };
</span><span class="cx">     m_server->putOrAdd(requestData, keyData, value, overWriteMode);
</span><span class="cx"> }
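Review bot: the three early returns added to putOrAdd (blob URL/path count mismatch, no registered paths for this connection, a path not in the connection's set) drop the message without any reply, so the WebProcess that sent PutOrAdd never sees that request complete; if ignoring the message rather than terminating the offending connection is the intended policy, say so in the comment, because ASSERT_NOT_REACHED() only fires in debug builds and release builds will only emit the RELEASE_LOG_FAULT. It is also worth stating above the loop that remove() makes each registered path single-use: a path reused in a later PutOrAdd, or listed twice in one blobFilePaths vector, is rejected, and entries already removed before a later entry fails are not restored.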
</span><span class="lines">@@ -397,6 +422,7 @@
</span><span class="cx"> 
</span><span class="cx">     connection.removeWorkQueueMessageReceiver(Messages::WebIDBServer::messageReceiverName());
</span><span class="cx">     postTask([this, protectedThis = makeRef(*this), connectionID = connection.uniqueID()] {
</span><ins>+        m_temporaryBlobPathsPerConnection.remove(connectionID);
</ins><span class="cx">         auto connection = m_connectionMap.take(connectionID);
</span><span class="cx"> 
</span><span class="cx">         ASSERT(connection);
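Review bot: removing the connection's entry from m_temporaryBlobPathsPerConnection here only drops the bookkeeping; temporary files that were registered for this connection but never consumed by putOrAdd are not touched in this hunk, so if they are expected to be cleaned up when the WebProcess goes away that has to happen elsewhere (not visible in this diff). Doing the remove() before m_connectionMap.take(connectionID) inside the posted task is consistent with the "Only used on the work queue" comment on the member.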
</span><span class="lines">@@ -406,6 +432,19 @@
</span><span class="cx">     });
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void WebIDBServer::registerTemporaryBlobFilePaths(IPC::Connection& connection, const Vector<String>& filePaths)
+{
+    ASSERT(RunLoop::isMain());
+
+    postTask([this, protectedThis = makeRef(*this), connectionID = connection.uniqueID(), filePaths = crossThreadCopy(filePaths)] {
+        if (!m_connectionMap.contains(connectionID))
+            return;
+
+        auto& temporaryBlobPaths = m_temporaryBlobPathsPerConnection.ensure(connectionID, [] { return HashSet<String> { }; }).iterator->value;
+        temporaryBlobPaths.add(filePaths.begin(), filePaths.end());
+    });
+}
+
</ins><span class="cx"> void WebIDBServer::postTask(Function<void()>&& task)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(RunLoop::isMain());
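Review bot: the `if (!m_connectionMap.contains(connectionID)) return;` in registerTemporaryBlobFilePaths silently discards the paths, which surfaces later as a validation failure in putOrAdd rather than at the registration; a RELEASE_LOG on this branch would make that easier to diagnose. The check in putOrAdd also relies on this posted task running before the PutOrAdd message the WebProcess sends once it has received its file paths, i.e. on postTask and the WebIDBServer work-queue message receiver sharing one serial queue; a comment recording that ordering assumption next to the postTask would help. Lastly, nothing in this hunk bounds the per-connection HashSet<String>: it grows until removeConnection or a matching putOrAdd consumes entries, which is fine if temporary file creation is already limited upstream, but worth a note.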
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServerh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h    2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -56,6 +56,8 @@
</span><span class="cx">     bool suspend(SuspensionCondition = SuspensionCondition::Always);
</span><span class="cx">     void resume();
</span><span class="cx"> 
</span><ins>+    void registerTemporaryBlobFilePaths(IPC::Connection&, const Vector<String>&);
+
</ins><span class="cx">     // Message handlers.
</span><span class="cx">     void openDatabase(const WebCore::IDBRequestData&);
</span><span class="cx">     void deleteDatabase(const WebCore::IDBRequestData&);
</span><span class="lines">@@ -69,7 +71,7 @@
</span><span class="cx">     void createIndex(const WebCore::IDBRequestData&, const WebCore::IDBIndexInfo&);
</span><span class="cx">     void deleteIndex(const WebCore::IDBRequestData&, uint64_t objectStoreIdentifier, const String& indexName);
</span><span class="cx">     void renameIndex(const WebCore::IDBRequestData&, uint64_t objectStoreIdentifier, uint64_t indexIdentifier, const String& newName);
</span><del>-    void putOrAdd(const WebCore::IDBRequestData&, const WebCore::IDBKeyData&, const WebCore::IDBValue&, WebCore::IndexedDB::ObjectStoreOverwriteMode);
</del><ins>+    void putOrAdd(IPC::Connection&, const WebCore::IDBRequestData&, const WebCore::IDBKeyData&, const WebCore::IDBValue&, WebCore::IndexedDB::ObjectStoreOverwriteMode);
</ins><span class="cx">     void getRecord(const WebCore::IDBRequestData&, const WebCore::IDBGetRecordData&);
</span><span class="cx">     void getAllRecords(const WebCore::IDBRequestData&, const WebCore::IDBGetAllRecordsData&);
</span><span class="cx">     void getCount(const WebCore::IDBRequestData&, const WebCore::IDBKeyRangeData&);
</span><span class="lines">@@ -103,6 +105,7 @@
</span><span class="cx">     std::unique_ptr<WebCore::IDBServer::IDBServer> m_server WTF_GUARDED_BY_LOCK(m_serverLock);
</span><span class="cx">     bool m_isSuspended { false };
</span><span class="cx"> 
</span><ins>+    HashMap<IPC::Connection::UniqueID, HashSet<String>> m_temporaryBlobPathsPerConnection; // Only used on the work queue.
</ins><span class="cx">     HashMap<IPC::Connection::UniqueID, std::unique_ptr<WebIDBConnectionToClient>> m_connectionMap;
</span><span class="cx">     WeakHashSet<IPC::Connection> m_connections; // Only used on the main thread.
</span><span class="cx"> };
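Review bot: the `// Only used on the work queue.` comment on m_temporaryBlobPathsPerConnection is good, but m_connectionMap directly below it is now also read from the work queue (registerTemporaryBlobFilePaths() checks m_connectionMap.contains(connectionID) inside the posted task) and carries no threading annotation; consider giving it the same comment so the two maps' access rules are documented side by side.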
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessIndexedDBWebIDBServermessagesin"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in       2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.messages.in  2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -33,7 +33,7 @@
</span><span class="cx">     CreateIndex(WebCore::IDBRequestData requestData, WebCore::IDBIndexInfo info)
</span><span class="cx">     DeleteIndex(WebCore::IDBRequestData requestData, uint64_t objectStoreIdentifier, String indexName)
</span><span class="cx">     RenameIndex(WebCore::IDBRequestData requestData, uint64_t objectStoreIdentifier, uint64_t indexIdentifier, String newName)
</span><del>-    PutOrAdd(WebCore::IDBRequestData requestData, WebCore::IDBKeyData key, WebCore::IDBValue value, WebCore::IndexedDB::ObjectStoreOverwriteMode overwriteMode)
</del><ins>+    PutOrAdd(WebCore::IDBRequestData requestData, WebCore::IDBKeyData key, WebCore::IDBValue value, WebCore::IndexedDB::ObjectStoreOverwriteMode overwriteMode) WantsConnection
</ins><span class="cx">     GetRecord(WebCore::IDBRequestData requestData, struct WebCore::IDBGetRecordData getRecordData)
</span><span class="cx">     GetAllRecords(WebCore::IDBRequestData requestData, struct WebCore::IDBGetAllRecordsData getAllRecordsData)
</span><span class="cx">     GetCount(WebCore::IDBRequestData requestData, struct WebCore::IDBKeyRangeData range)
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcesscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp        2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp   2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -890,7 +890,7 @@
</span><span class="cx">     completionHandler(session ? session->blobRegistry().blobSize(url) : 0);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void NetworkConnectionToWebProcess::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&& completionHandler)
</del><ins>+void NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&& completionHandler)
</ins><span class="cx"> {
</span><span class="cx">     auto* session = networkSession();
</span><span class="cx">     if (!session)
</span><span class="lines">@@ -903,10 +903,12 @@
</span><span class="cx">     for (auto& file : fileReferences)
</span><span class="cx">         file->prepareForFileAccess();
</span><span class="cx"> 
</span><del>-    session->blobRegistry().writeBlobsToTemporaryFiles(blobURLs, [fileReferences = WTFMove(fileReferences), completionHandler = WTFMove(completionHandler)](auto&& fileNames) mutable {
</del><ins>+    session->blobRegistry().writeBlobsToTemporaryFilesForIndexedDB(blobURLs, [this, protectedThis = makeRef(*this), fileReferences = WTFMove(fileReferences), completionHandler = WTFMove(completionHandler)](auto&& filePaths) mutable {
</ins><span class="cx">         for (auto& file : fileReferences)
</span><span class="cx">             file->revokeFileAccess();
</span><del>-        completionHandler(WTFMove(fileNames));
</del><ins>+
+        m_networkProcess->webIDBServer(m_sessionID).registerTemporaryBlobFilePaths(m_connection, filePaths);
+        completionHandler(WTFMove(filePaths));
</ins><span class="cx">     });
</span><span class="cx"> }
</span><span class="cx"> 
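Review bot: the validation in putOrAdd() depends on the order of the last two statements in this lambda: `m_networkProcess->webIDBServer(m_sessionID).registerTemporaryBlobFilePaths(m_connection, filePaths);` posts the paths to the WebIDBServer work queue before `completionHandler(WTFMove(filePaths));` sends the reply, so the web process's subsequent PutOrAdd, handled on that same work queue, always finds the paths already registered. That ordering is load-bearing and deserves a one-line comment, since swapping the two calls would reintroduce a window in which a legitimate PutOrAdd is rejected. Passing filePaths by const reference before moving it is safe here because registerTemporaryBlobFilePaths() takes its own crossThreadCopy.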
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcessh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h  2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h     2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -235,7 +235,7 @@
</span><span class="cx">     void registerBlobURLForSlice(const URL&, const URL& srcURL, int64_t start, int64_t end, const String& contentType);
</span><span class="cx">     void blobSize(const URL&, CompletionHandler<void(uint64_t)>&&);
</span><span class="cx">     void unregisterBlobURL(const URL&);
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&&);
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&&)>&&);
</ins><span class="cx"> 
</span><span class="cx">     void registerBlobURLHandle(const URL&);
</span><span class="cx">     void unregisterBlobURLHandle(const URL&);
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessNetworkConnectionToWebProcessmessagesin"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in        2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in   2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx">     RegisterBlobURLForSlice(URL url, URL srcURL, int64_t start, int64_t end, String contentType)
</span><span class="cx">     UnregisterBlobURL(URL url)
</span><span class="cx">     BlobSize(URL url) -> (uint64_t resultSize) Synchronous
</span><del>-    WriteBlobsToTemporaryFiles(Vector<String> blobURLs) -> (Vector<String> fileNames) Async
</del><ins>+    WriteBlobsToTemporaryFilesForIndexedDB(Vector<String> blobURLs) -> (Vector<String> fileNames) Async
</ins><span class="cx">     RegisterBlobURLHandle(URL url);
</span><span class="cx">     UnregisterBlobURLHandle(URL url);
</span><span class="cx"> 
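Review bot: naming nit in `WriteBlobsToTemporaryFilesForIndexedDB(Vector<String> blobURLs) -> (Vector<String> fileNames) Async`: the reply parameter is still called fileNames while every C++ signature touched by this patch calls the same values filePaths, and they are full paths that the network process later validates. Renaming the reply parameter to filePaths would keep the IPC definition consistent with the code.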
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitNetworkProcessNetworkProcessPlatformStrategiescpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp     2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/NetworkProcess/NetworkProcessPlatformStrategies.cpp        2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -64,7 +64,7 @@
</span><span class="cx">         void registerBlobURLForSlice(const URL&, const URL& srcURL, long long start, long long end, const String& contentType) final { ASSERT_NOT_REACHED(); }
</span><span class="cx">         void unregisterBlobURL(const URL&) final { ASSERT_NOT_REACHED(); }
</span><span class="cx">         unsigned long long blobSize(const URL&) final { ASSERT_NOT_REACHED(); return 0; }
</span><del>-        void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final { ASSERT_NOT_REACHED(); }
</del><ins>+        void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final { ASSERT_NOT_REACHED(); }
</ins><span class="cx">         void registerBlobURLHandle(const URL&) final { ASSERT_NOT_REACHED(); }
</span><span class="cx">         void unregisterBlobURLHandle(const URL&) final { ASSERT_NOT_REACHED(); }
</span><span class="cx">     };
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitWebProcessFileAPIBlobRegistryProxycpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp        2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.cpp   2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -95,9 +95,9 @@
</span><span class="cx">     return resultSize;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void BlobRegistryProxy::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</del><ins>+void BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</ins><span class="cx"> {
</span><del>-    WebProcess::singleton().ensureNetworkProcessConnection().writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler));
</del><ins>+    WebProcess::singleton().ensureNetworkProcessConnection().writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitWebProcessFileAPIBlobRegistryProxyh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h  2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/FileAPI/BlobRegistryProxy.h     2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -38,7 +38,7 @@
</span><span class="cx">     void unregisterBlobURL(const URL&) final;
</span><span class="cx">     void registerBlobURLForSlice(const URL&, const URL& srcURL, long long start, long long end, const String& contentType) final;
</span><span class="cx">     unsigned long long blobSize(const URL&) final;
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final;
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&) final;
</ins><span class="cx">     void registerBlobURLHandle(const URL&) final;
</span><span class="cx">     void unregisterBlobURLHandle(const URL&) final;
</span><span class="cx"> };
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitWebProcessNetworkNetworkProcessConnectioncpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp 2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp    2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -221,9 +221,9 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void NetworkProcessConnection::writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</del><ins>+void NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler)
</ins><span class="cx"> {
</span><del>-    connection().sendWithAsyncReply(Messages::NetworkConnectionToWebProcess::WriteBlobsToTemporaryFiles(blobURLs), WTFMove(completionHandler));
</del><ins>+    connection().sendWithAsyncReply(Messages::NetworkConnectionToWebProcess::WriteBlobsToTemporaryFilesForIndexedDB(blobURLs), WTFMove(completionHandler));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void NetworkProcessConnection::didFinishPingLoad(uint64_t pingLoadIdentifier, ResourceError&& error, ResourceResponse&& response)
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitWebProcessNetworkNetworkProcessConnectionh"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h   2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKit/WebProcess/Network/NetworkProcessConnection.h      2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -64,7 +64,7 @@
</span><span class="cx"> 
</span><span class="cx">     void didReceiveNetworkProcessConnectionMessage(IPC::Connection&, IPC::Decoder&);
</span><span class="cx"> 
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&&);
</ins><span class="cx"> 
</span><span class="cx">     WebIDBConnectionToServer* existingIDBConnectionToServer() const { return m_webIDBConnection.get(); };
</span><span class="cx">     WebIDBConnectionToServer& idbConnectionToServer();
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitLegacymacChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog     2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/mac/ChangeLog        2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -1,3 +1,81 @@
</span><ins>+2021-09-22  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r282393. rdar://problem/83429703
+
+    [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+    https://bugs.webkit.org/show_bug.cgi?id=230233
+    <rdar://79562514>
+    
+    Reviewed by Brady Eidson.
+    
+    Source/WebCore:
+    
+    Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+    since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+    other things.
+    
+    * bindings/js/SerializedScriptValue.cpp:
+    (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+    * platform/network/BlobRegistry.h:
+    * platform/network/BlobRegistryImpl.cpp:
+    (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+    * platform/network/BlobRegistryImpl.h:
+    
+    Source/WebKit:
+    
+    When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+    calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+    WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+    sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+    network process and the network process will write the blobs to temporary files and
+    then return the file paths to those temporary files to the WebProcess. The file paths
+    are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+    IPC.
+    
+    This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+    Blob file paths were indeed file paths previously created by the network process on behalf
+    of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+    
+    * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+    (WebKit::WebIDBServer::putOrAdd):
+    (WebKit::WebIDBServer::removeConnection):
+    (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+    * NetworkProcess/IndexedDB/WebIDBServer.h:
+    * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+    * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+    (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+    * NetworkProcess/NetworkConnectionToWebProcess.h:
+    * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+    * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+    (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+    * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+    (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/FileAPI/BlobRegistryProxy.h:
+    * WebProcess/Network/NetworkProcessConnection.cpp:
+    (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/Network/NetworkProcessConnection.h:
+    
+    Source/WebKitLegacy/mac:
+    
+    * WebCoreSupport/WebPlatformStrategies.mm:
+    
+    Source/WebKitLegacy/win:
+    
+    * WebCoreSupport/WebPlatformStrategies.cpp:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-14  Chris Dumez  <cdumez@apple.com>
+
+            [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+            https://bugs.webkit.org/show_bug.cgi?id=230233
+            <rdar://79562514>
+
+            Reviewed by Brady Eidson.
+
+            * WebCoreSupport/WebPlatformStrategies.mm:
+
</ins><span class="cx"> 2021-08-16  David Kilzer  <ddkilzer@apple.com>
</span><span class="cx"> 
</span><span class="cx">         "make analyze" should run clang static analyzer in deep mode
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitLegacymacWebCoreSupportWebPlatformStrategiesmm"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm       2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm  2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -90,7 +90,7 @@
</span><span class="cx">     void registerBlobURLForSlice(const URL& url, const URL& srcURL, long long start, long long end, const String& contentType) final { m_blobRegistry.registerBlobURLForSlice(url, srcURL, start, end, contentType); }
</span><span class="cx">     void unregisterBlobURL(const URL& url) final { m_blobRegistry.unregisterBlobURL(url); }
</span><span class="cx">     unsigned long long blobSize(const URL& url) final { return m_blobRegistry.blobSize(url); }
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler)); }
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler)); }
</ins><span class="cx">     void registerBlobURLHandle(const URL& url) final { m_blobRegistry.registerBlobURLHandle(url); }
</span><span class="cx">     void unregisterBlobURLHandle(const URL& url) final { m_blobRegistry.unregisterBlobURLHandle(url); }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitLegacywinChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog     2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/win/ChangeLog        2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -1,3 +1,81 @@
</span><ins>+2021-09-22  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r282393. rdar://problem/83429703
+
+    [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+    https://bugs.webkit.org/show_bug.cgi?id=230233
+    <rdar://79562514>
+    
+    Reviewed by Brady Eidson.
+    
+    Source/WebCore:
+    
+    Rename writeBlobsToTemporaryFiles() to writeBlobsToTemporaryFilesForIndexedDB() for clarity
+    since it is currently only used for IndexedDB and we wouldn't want to expand usage to
+    other things.
+    
+    * bindings/js/SerializedScriptValue.cpp:
+    (WebCore::SerializedScriptValue::writeBlobsToDiskForIndexedDB):
+    * platform/network/BlobRegistry.h:
+    * platform/network/BlobRegistryImpl.cpp:
+    (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFilesForIndexedDB):
+    * platform/network/BlobRegistryImpl.h:
+    
+    Source/WebKit:
+    
+    When the SerializedScriptValue contains BlobURLs, IDBTransaction::putOrAddOnServer()
+    calls SerializedScriptValue::writeBlobsToDiskForIndexedDB() before sending the
+    WebIDBServer::PutOrAdd IPC to the network process. writeBlobsToDiskForIndexedDB()
+    sends a NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB IPC to the
+    network process and the network process will write the blobs to temporary files and
+    then return the file paths to those temporary files to the WebProcess. The file paths
+    are then stored inside the IDBValue object that gets sent in the WebIDBServer::PutOrAdd
+    IPC.
+    
+    This patch hardens our IPC by validating in WebIDBServer::PutOrAdd() that the IDBValue's
+    Blob file paths were indeed file paths previously created by the network process on behalf
+    of the WebProcess sending the IPC. If it is not, we ignore the IPC.
+    
+    * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+    (WebKit::WebIDBServer::putOrAdd):
+    (WebKit::WebIDBServer::removeConnection):
+    (WebKit::WebIDBServer::registerTemporaryBlobFilePaths):
+    * NetworkProcess/IndexedDB/WebIDBServer.h:
+    * NetworkProcess/IndexedDB/WebIDBServer.messages.in:
+    * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+    (WebKit::NetworkConnectionToWebProcess::writeBlobsToTemporaryFilesForIndexedDB):
+    * NetworkProcess/NetworkConnectionToWebProcess.h:
+    * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+    * NetworkProcess/NetworkProcessPlatformStrategies.cpp:
+    (WebKit::NetworkProcessPlatformStrategies::createBlobRegistry):
+    * WebProcess/FileAPI/BlobRegistryProxy.cpp:
+    (WebKit::BlobRegistryProxy::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/FileAPI/BlobRegistryProxy.h:
+    * WebProcess/Network/NetworkProcessConnection.cpp:
+    (WebKit::NetworkProcessConnection::writeBlobsToTemporaryFilesForIndexedDB):
+    * WebProcess/Network/NetworkProcessConnection.h:
+    
+    Source/WebKitLegacy/mac:
+    
+    * WebCoreSupport/WebPlatformStrategies.mm:
+    
+    Source/WebKitLegacy/win:
+    
+    * WebCoreSupport/WebPlatformStrategies.cpp:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-14  Chris Dumez  <cdumez@apple.com>
+
+            [Hardening] Validate IDBValue's blob paths in WebIDBServer::putOrAdd()
+            https://bugs.webkit.org/show_bug.cgi?id=230233
+            <rdar://79562514>
+
+            Reviewed by Brady Eidson.
+
+            * WebCoreSupport/WebPlatformStrategies.cpp:
+
</ins><span class="cx"> 2021-08-19  Youenn Fablet  <youenn@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Rename MediaPlayer::setVisible to MediaPlayer::setPageIsVisible
</span></span></pre></div>
<a id="branchessafari612branchSourceWebKitLegacywinWebCoreSupportWebPlatformStrategiescpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp (282914 => 282915)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp      2021-09-23 04:29:25 UTC (rev 282914)
+++ branches/safari-612-branch/Source/WebKitLegacy/win/WebCoreSupport/WebPlatformStrategies.cpp 2021-09-23 04:29:32 UTC (rev 282915)
</span><span class="lines">@@ -86,7 +86,7 @@
</span><span class="cx">     void registerBlobURLForSlice(const URL& url, const URL& srcURL, long long start, long long end, const String& contentType) final { m_blobRegistry.registerBlobURLForSlice(url, srcURL, start, end, contentType); }
</span><span class="cx">     void unregisterBlobURL(const URL& url) final { m_blobRegistry.unregisterBlobURL(url); }
</span><span class="cx">     unsigned long long blobSize(const URL& url) final { return m_blobRegistry.blobSize(url); }
</span><del>-    void writeBlobsToTemporaryFiles(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFiles(blobURLs, WTFMove(completionHandler)); }
</del><ins>+    void writeBlobsToTemporaryFilesForIndexedDB(const Vector<String>& blobURLs, CompletionHandler<void(Vector<String>&& filePaths)>&& completionHandler) final { m_blobRegistry.writeBlobsToTemporaryFilesForIndexedDB(blobURLs, WTFMove(completionHandler)); }
</ins><span class="cx">     void registerBlobURLHandle(const URL& url) final { m_blobRegistry.registerBlobURLHandle(url); }
</span><span class="cx">     void unregisterBlobURLHandle(const URL& url) final { m_blobRegistry.unregisterBlobURLHandle(url); }
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>