[Webkit-unassigned] [Bug 207404] New: Ephemeral session data leaks between processes
bugzilla-daemon at webkit.org
Fri Feb 7 13:55:29 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=207404
Bug ID: 207404
Summary: Ephemeral session data leaks between processes
Product: WebKit
Version: WebKit Nightly Build
Hardware: All
OS: macOS 10.15
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: pfeldman at chromium.org
When a new network session is created, sessionID is used as an identifierBase:

WebKit/NetworkProcess/mac/RemoteNetworkingContext.mm:
    networkProcess.ensureSession(sessionID, parameters.networkSessionParameters.shouldUseTestingNetworkSession, makeString(base, '.', sessionID.toUInt64()), WTFMove(uiProcessCookieStorage));

WebKit/NetworkProcess/NetworkProcess.cpp:
    storageSession = adoptCF(createPrivateStorageSession(cfIdentifier.get()));

As a result, when there is more than one instance of the same application, sessions with the same sessionIDs use the same private store. SessionID's ephemeral session id is a simple counter from 0x8000000000000001 and on. So they will always be clashing between the processes.
I can follow up with the fix and am asking for your preference. One way would be to make SessionIDs cryptographically unique:

    SessionID SessionID::generateEphemeralSessionID()
    {
        ASSERT(isMainThread());
        RELEASE_ASSERT(!generationProtectionEnabled);
        uint64_t sessionId;
        cryptographicallyRandomValues(&sessionId, sizeof(sessionId));
        sessionId = sessionId | SessionConstants::EphemeralSessionMask;
        return SessionID(sessionId);
    }

Another way would be blending process ID into the identifier base in RemoteNetworkingContext.mm.
I like the random sessionID because it would solve similar clashes once and for all, but I'm looking for your advice.
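
The clash described in the report, as an added stand-alone model (not WebKit code and not part of the original message): two instances of one application run the counter-based generator, and every storage identifier they build is shared. The names `CounterProcess`, `storageIdentifier`, `storageIdentifierWithPid` and `countSharedCounterIdentifiers` are hypothetical, the base string is constructed, and `std::random_device` stands in for WebKit's `cryptographicallyRandomValues()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <string>

// Assumed constant: the high bit marks an ephemeral session, consistent with
// the counter start 0x8000000000000001 quoted in the report.
constexpr uint64_t kEphemeralMask = 0x8000000000000000ULL;

// Models one application instance using the counter scheme from the report.
struct CounterProcess {
    uint64_t next = kEphemeralMask + 1;
    uint64_t generate() { return next++; }
};

// Stand-in for the proposed random generator; std::random_device replaces
// cryptographicallyRandomValues() so the example builds without WebKit.
uint64_t generateRandomEphemeralID()
{
    std::random_device rd;
    uint64_t value = (static_cast<uint64_t>(rd()) << 32) | rd();
    return value | kEphemeralMask;
}

// Mirrors makeString(base, '.', sessionID.toUInt64()) from the report.
std::string storageIdentifier(const std::string& base, uint64_t sessionID)
{
    return base + "." + std::to_string(sessionID);
}

// The report's alternative: blend the process ID into the identifier base.
std::string storageIdentifierWithPid(const std::string& base, int pid, uint64_t sessionID)
{
    return base + "." + std::to_string(pid) + "." + std::to_string(sessionID);
}

// Counts storage identifiers that two instances of the same application share
// when each creates `sessions` ephemeral sessions with the counter scheme.
size_t countSharedCounterIdentifiers(const std::string& base, int sessions)
{
    CounterProcess a, b;
    std::set<std::string> seen;
    size_t shared = 0;
    for (int i = 0; i < sessions; ++i)
        seen.insert(storageIdentifier(base, a.generate()));
    for (int i = 0; i < sessions; ++i)
        shared += seen.count(storageIdentifier(base, b.generate()));
    return shared;
}
```

With the counter scheme the number of shared identifiers equals the number of sessions created, so a regression test for either fix can assert that this count drops to zero.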