Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 198d4dbb7907f973cc0f697e50b425ee32506a9b
      
https://github.com/WebKit/WebKit/commit/198d4dbb7907f973cc0f697e50b425ee32506a9b
  Author: Basuke Suzuki <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Validate EncodedFileData filenames in decidePolicyForNavigationAction
rdar://174662982

Reviewed by Chris Dumez.

A compromised WebContent process can inject arbitrary file paths in
EncodedFileData within the HTTP body of DecidePolicyForNavigationActionAsync,
causing the UIProcess to mint sandbox extension tokens for those paths during
PSON. Add MESSAGE_CHECK_COMPLETION to validate each EncodedFileData filename
against hasGrantedSandboxExtensionForFile().

Register user-selected file paths via addPreviouslyApprovedFileURL() in
didChooseFilesForOpenPanel (3 variants) and performDragOperation (covers
both macOS and iOS drag-and-drop). Use URL::fileURLWithFileSystemPath()
since these parameters are file system paths, not file URLs.

The API test is a regression test verifying that cross-site form submission
with file upload succeeds after the fix — it does not test the negative
(MESSAGE_CHECK failure) path.

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::performDragOperation):
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithDisplayStringAndIcon):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithImageTranscoding):
(WebKit::WebPageProxy::didChooseFilesForOpenPanel):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::hasGrantedSandboxExtensionForFile const):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
(-[FileUploadPSONUIDelegate 
webView:runOpenPanelWithParameters:initiatedByFrame:completionHandler:]):
((ProcessSwap, SwapOnFormSubmissionWithFileUpload)):

Originally-landed-as: 305413.699@safari-7624-branch (3dad3d258fe6). 
rdar://180436266
Canonical link: https://commits.webkit.org/316384@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to