Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 826d21ff7df9be21b09789edffd57dba86b3cc5e
https://github.com/WebKit/WebKit/commit/826d21ff7df9be21b09789edffd57dba86b3cc5e
Author: Chris Dumez <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
  A LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension-expected.txt
  A LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension.html
  M LayoutTests/platform/glib/TestExpectations
  M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
[WebKit Process Model] WebPageProxy::createNewPage missing hasGrantedSandboxExtensionForFile check on NavigationActionData.request httpBody
https://bugs.webkit.org/show_bug.cgi?id=315167
rdar://177367508
Reviewed by Per Arne Vollan.
A compromised WebContent process can send WebPageProxy::CreateNewPage with
an arbitrary file path in the request body's EncodedFileData. When the UI
process re-emits that request via loadRequest(), encoding the
LoadParameters runs FormDataReference::sandboxExtensionHandles() in the UI
process, which calls SandboxExtension::createHandle() on the
attacker-supplied path and serializes a live com.apple.app-sandbox.read
token to a WebContent process — a full sandbox escape to arbitrary host
filesystem read.
Add a MESSAGE_CHECK_COMPLETION at the top of createNewPage() that calls
WebProcessProxy::hasGrantedSandboxExtensionForFile() on every
EncodedFileData filename in the request body, rejecting any path the
sending WebContent process was never granted access to. This mirrors the
equivalent check rdar://174662982 added to decidePolicyForNavigationAction().
Test: http/tests/ipc/createnewpage-file-body-sandbox-extension.html
* LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension-expected.txt: Added.
* LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):
Originally-landed-as: 305413.942@safari-7624-branch (77fa86c2ea4d).
rdar://180435897
Canonical link:
https://flagged.apple.com:443/proxy?t2=DI7f5k9ao1&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzE2Mzg4QG1haW4=&emid=abb56b74-4dff-464b-a435-3ecf0f08d7cc&c=11
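The check the commit message describes, as an added illustration that is not WebKit's code: a simplified model in which the UI process keeps a per-sender record of granted file paths and refuses to mint read tokens for any EncodedFile path in a form body that the sender was never granted. All type and function names here (FormDataElement, SenderProcess, pathsMintedUnchecked, pathsMintedHardened) are hypothetical stand-ins, and rejection is modelled as returning nullopt rather than as WebKit's MESSAGE_CHECK behaviour.

```cpp
#include <optional>
#include <set>
#include <string>
#include <vector>

// Constructed model of the check described in the commit; names are
// hypothetical stand-ins, not WebKit's actual types or functions.
struct FormDataElement {
    enum class Kind { Data, EncodedFile };
    Kind kind;
    std::string payload;  // raw bytes for Data, a host file path for EncodedFile
};

// Stand-in for the UI process's per-sender record of granted file access
// (e.g. files the user picked through a file chooser for that WebContent process).
struct SenderProcess {
    std::set<std::string> grantedFiles;
    bool hasGrantedSandboxExtensionForFile(const std::string& path) const {
        return grantedFiles.count(path) > 0;
    }
};

// The missing check: every EncodedFile path in the body must already have
// been granted to the sending process. Returns false on the first unknown path.
bool bodyFilesAllGranted(const SenderProcess& sender, const std::vector<FormDataElement>& body) {
    for (const auto& element : body) {
        if (element.kind != FormDataElement::Kind::EncodedFile)
            continue;
        if (!sender.hasGrantedSandboxExtensionForFile(element.payload))
            return false;
    }
    return true;
}
// Paths a read token would be minted for. Models the pre-fix flow: the UI
// process trusts whatever file paths arrive in the IPC message body.
std::vector<std::string> pathsMintedUnchecked(const std::vector<FormDataElement>& body) {
    std::vector<std::string> paths;
    for (const auto& element : body)
        if (element.kind == FormDataElement::Kind::EncodedFile)
            paths.push_back(element.payload);
    return paths;
}
// Models the fixed flow: reject the message (nullopt, standing in for a failed
// MESSAGE_CHECK) unless every file path was granted to the sender.
std::optional<std::vector<std::string>> pathsMintedHardened(const SenderProcess& sender, const std::vector<FormDataElement>& body) {
    if (!bodyFilesAllGranted(sender, body))
        return std::nullopt;
    return pathsMintedUnchecked(body);
}
```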