Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 826d21ff7df9be21b09789edffd57dba86b3cc5e
      
https://github.com/WebKit/WebKit/commit/826d21ff7df9be21b09789edffd57dba86b3cc5e
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension-expected.txt
    A LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  [WebKit Process Model] WebPageProxy::createNewPage missing hasGrantedSandboxExtensionForFile check on NavigationActionData.request httpBody
https://bugs.webkit.org/show_bug.cgi?id=315167
rdar://177367508

Reviewed by Per Arne Vollan.

A compromised WebContent process can send WebPageProxy::CreateNewPage with
an arbitrary file path in the request body's EncodedFileData. When the UI
process re-emits that request via loadRequest(), encoding the
LoadParameters runs FormDataReference::sandboxExtensionHandles() in the UI
process, which calls SandboxExtension::createHandle() on the
attacker-supplied path and serializes a live com.apple.app-sandbox.read
token to a WebContent process — a full sandbox escape to arbitrary host
filesystem read.

Add a MESSAGE_CHECK_COMPLETION at the top of createNewPage() that calls
WebProcessProxy::hasGrantedSandboxExtensionForFile() on every
EncodedFileData filename in the request body, rejecting any path the
sending WebContent process was never granted access to. This mirrors the
equivalent check rdar://174662982 added to decidePolicyForNavigationAction().

Test: http/tests/ipc/createnewpage-file-body-sandbox-extension.html

* LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension-expected.txt: Added.
* LayoutTests/http/tests/ipc/createnewpage-file-body-sandbox-extension.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):

Originally-landed-as: 305413.942@safari-7624-branch (77fa86c2ea4d). 
rdar://180435897
Canonical link: https://commits.webkit.org/316388@main
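The pattern the commit describes, as an added example that is not WebKit's own code: a UI-process-side handler receives a form body from an untrusted (possibly compromised) content process and must refuse to mint a read token for any file element whose path that process was never granted. The types `DataBytes`, `EncodedFile`, `WebProcessGrants`, `mintReadTokens` and `handleCreateNewPage` are hypothetical stand-ins for WebKit's FormDataElement variants, WebProcessProxy::hasGrantedSandboxExtensionForFile, FormDataReference::sandboxExtensionHandles and createNewPage(); the sample bodies are constructed for the example.

```cpp
// Added example, not WebKit code: models the missing check the commit adds.
// The "UI process" side validates every file path in an IPC-supplied form
// body against the grant table for the sending process BEFORE creating any
// sandbox extension handle for it.
#include <cassert>
#include <set>
#include <string>
#include <variant>
#include <vector>

// Hypothetical stand-ins for WebKit's FormDataElement variants.
struct DataBytes { std::vector<unsigned char> bytes; };
struct EncodedFile { std::string path; };
using FormElement = std::variant<DataBytes, EncodedFile>;

// Hypothetical stand-in for the per-process grant table consulted by
// WebProcessProxy::hasGrantedSandboxExtensionForFile().
class WebProcessGrants {
public:
    // The UI process records a grant when it legitimately hands a file to
    // the content process, e.g. after the user picked it in a file chooser.
    void grantFile(const std::string& path) { granted_.insert(path); }
    bool hasGrantedSandboxExtensionForFile(const std::string& path) const {
        return granted_.count(path) != 0;
    }
private:
    std::set<std::string> granted_;
};

// The check itself: true only if every file-backed element names a path the
// sending process already holds. This is what the MESSAGE_CHECK at the top
// of createNewPage() enforces; a false result rejects the whole message.
bool bodyFilesAreGranted(const WebProcessGrants& grants, const std::vector<FormElement>& body) {
    for (const auto& element : body) {
        if (const auto* file = std::get_if<EncodedFile>(&element)) {
            if (!grants.hasGrantedSandboxExtensionForFile(file->path))
                return false;
        }
    }
    return true;
}

// Models the vulnerable step: mints a read token for every file element.
// Before the fix this ran unconditionally on attacker-chosen paths.
std::vector<std::string> mintReadTokens(const std::vector<FormElement>& body) {
    std::vector<std::string> tokens;
    for (const auto& element : body)
        if (const auto* file = std::get_if<EncodedFile>(&element))
            tokens.push_back("read:" + file->path);
    return tokens;
}

// Hardened handler: validate first, mint only on success. Returns the tokens
// that would be serialized back, or an empty vector when the message is dropped.
std::vector<std::string> handleCreateNewPage(const WebProcessGrants& grants, const std::vector<FormElement>& body) {
    if (!bodyFilesAreGranted(grants, body))
        return {}; // message check failed: no SandboxExtension is ever created
    return mintReadTokens(body);
}

// Constructed sample data: one legitimately granted upload path.
WebProcessGrants sampleGrants() {
    WebProcessGrants g;
    g.grantFile("/Users/alice/Pictures/upload.png");
    return g;
}
// A benign body: bytes plus the granted file.
std::vector<FormElement> benignBody() {
    return { DataBytes{{'a', 'b'}}, EncodedFile{"/Users/alice/Pictures/upload.png"} };
}
// A hostile body: the granted file smuggled alongside a path never granted.
std::vector<FormElement> hostileBody() {
    return { EncodedFile{"/Users/alice/Pictures/upload.png"}, EncodedFile{"/private/etc/hosts"} };
}

int main() {
    WebProcessGrants grants = sampleGrants();
    assert(handleCreateNewPage(grants, benignBody()).size() == 1);
    assert(handleCreateNewPage(grants, hostileBody()).empty());
    // Without the check, the hostile body would have yielded two tokens.
    assert(mintReadTokens(hostileBody()).size() == 2);
    return 0;
}
```

The important design point is that the check runs against the sender's existing grants, not against a path allowlist or the path's syntax: any file the UI process never handed to that process is rejected, which is exactly the property that makes the message useless as a sandbox-escape primitive.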
