[Webkit-unassigned] [Bug 207404] New: Ephemeral session data leaks between processes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 7 13:55:29 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=207404

            Bug ID: 207404
           Summary: Ephemeral session data leaks between processes
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pfeldman at chromium.org

When a new network session is created, the sessionID is used as the identifier base:

WebKit/NetworkProcess/mac/RemoteNetworkingContext.mm:
networkProcess.ensureSession(sessionID, parameters.networkSessionParameters.shouldUseTestingNetworkSession, makeString(base, '.', sessionID.toUInt64()), WTFMove(uiProcessCookieStorage));

WebKit/NetworkProcess/NetworkProcess.cpp:
storageSession = adoptCF(createPrivateStorageSession(cfIdentifier.get()));

As a result, when there is more than one instance of the same application, sessions with the same sessionIDs use the same private store. SessionID's ephemeral session id is a simple counter from 0x8000000000000001 onward, so they will always clash between the processes.

I can follow up with the fix and am asking for your preference. One way would be to make SessionIDs cryptographically unique:

SessionID SessionID::generateEphemeralSessionID()
{
    ASSERT(isMainThread());
    RELEASE_ASSERT(!generationProtectionEnabled);

    uint64_t sessionId;
    cryptographicallyRandomValues(&sessionId, sizeof(sessionId));
    sessionId = sessionId | SessionConstants::EphemeralSessionMask;
    return SessionID(sessionId);
}

Another way would be blending the process ID into the identifier base in RemoteNetworkingContext.mm.

I like the random sessionID because it would solve similar clashes once and for all, but I'm looking for your advice.

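To make the clash concrete, here is an added stand-alone model (not WebKit code) of the two ephemeral SessionID schemes the report contrasts: the counter starting at 0x8000000000000001 versus a random value OR'd with the ephemeral mask, with the identifier built the way `makeString(base, '.', sessionID.toUInt64())` does. Two generator instances stand in for two processes of the same app; `std::random_device` is an assumed stand-in for WebKit's `cryptographicallyRandomValues`, and the base string `com.example.app` is a constructed placeholder.

```cpp
// Added example modelling the bug report above; not WebKit source.
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <string>

namespace SessionConstants {
// High bit marks a session as ephemeral, as in WebKit's SessionID.
constexpr uint64_t EphemeralSessionMask = 0x8000000000000000ULL;
}

// Current scheme per the report: a plain counter that every process starts
// at the same value, so two processes produce identical IDs.
struct CounterGenerator {
    uint64_t next = SessionConstants::EphemeralSessionMask + 1;  // 0x8000000000000001
    uint64_t generate() { return next++; }
};

// Proposed scheme: random 64-bit value with the ephemeral bit forced on.
struct RandomGenerator {
    std::random_device rd;  // assumed stand-in for cryptographicallyRandomValues()
    uint64_t generate() {
        uint64_t id = (static_cast<uint64_t>(rd()) << 32) | rd();
        return id | SessionConstants::EphemeralSessionMask;
    }
};

// Mirrors makeString(base, '.', sessionID.toUInt64()) from RemoteNetworkingContext.mm.
std::string storageSessionIdentifier(const std::string& base, uint64_t sessionID) {
    return base + "." + std::to_string(sessionID);
}

// Simulates `processes` instances of the same app, each creating `perProcess`
// ephemeral sessions; returns how many private storage-session identifiers
// collide across processes (each process has its own generator state).
template <typename Generator>
size_t countClashes(size_t processes, size_t perProcess, const std::string& base) {
    std::set<std::string> seen;
    size_t clashes = 0;
    for (size_t p = 0; p < processes; ++p) {
        Generator gen;
        for (size_t i = 0; i < perProcess; ++i) {
            if (!seen.insert(storageSessionIdentifier(base, gen.generate())).second)
                ++clashes;
        }
    }
    return clashes;
}

bool isEphemeral(uint64_t id) { return (id & SessionConstants::EphemeralSessionMask) != 0; }
```

With the counter, every session the second process opens reuses an identifier the first process already used; with the random scheme the ephemeral bit is still set but the identifiers no longer coincide.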