Release assert in InjectedBundle::postSynchronousMessage
author: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Apr 2018 21:54:43 +0000 (21:54 +0000)
committer: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Apr 2018 21:54:43 +0000 (21:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184683

Reviewed by Wenson Hsieh.

Some injected bundles send sync messages when it's not safe to execute scripts.

Use the DoNotProcessIncomingMessagesWhenWaitingForSyncReply option in InjectedBundle::postSynchronousMessage
to avoid processing incoming sync IPC messages so that we don't execute arbitrary scripts in those cases.

* WebProcess/InjectedBundle/InjectedBundle.cpp:
(WebKit::InjectedBundle::postSynchronousMessage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230729 268f45cc-cd09-0410-ab3c-d52691b4dbfc
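The re-entrancy the commit message describes, as a toy model added here (not WebKit's code; Connection, SendSyncOption, WaitResult and syncCallFromNoScriptRegion are invented names): with the policy that dispatches incoming messages during the wait, a handler that runs script fires from inside the sync call while the caller is in a no-script region, whereas the deferring option leaves it queued until the caller is back at a safe point.

```cpp
// Toy model of a synchronous IPC wait, added to illustrate the hazard the
// commit addresses. Not WebKit code: Connection, SendSyncOption, WaitResult
// and syncCallFromNoScriptRegion are names invented for this example.
#include <deque>
#include <functional>
#include <string>

enum class SendSyncOption { ProcessIncomingMessages, DoNotProcessIncomingMessages };

struct Connection {
    std::deque<std::function<void()>> incoming; // handlers of messages the peer sent
    int scriptForbiddenDepth = 0;  // > 0 while the caller is in a no-script region
    int scriptRuns = 0;
    int unsafeScriptRuns = 0;      // a real engine would release-assert here
    void runScript() {
        ++scriptRuns;
        if (scriptForbiddenDepth > 0)
            ++unsafeScriptRuns;
    }
    // Dispatches every queued incoming message (normally done by the event loop).
    void dispatchIncoming() {
        while (!incoming.empty()) {
            auto handler = incoming.front();
            incoming.pop_front();
            handler();
        }
    }
    // Blocks for the peer's reply. ProcessIncomingMessages dispatches whatever
    // arrived meanwhile (re-entering script from inside the caller); the other
    // option leaves those messages queued until the caller returns.
    std::string sendSync(const std::string& name, SendSyncOption option) {
        if (option == SendSyncOption::ProcessIncomingMessages)
            dispatchIncoming();
        return "reply-to-" + name;
    }
};
// {script runs while forbidden, total script runs after the queue drained}
struct WaitResult { int unsafeRuns; int totalRuns; };

// One sync call made from a region where script must not run.
WaitResult syncCallFromNoScriptRegion(SendSyncOption option) {
    Connection c;
    // Constructed scenario: the peer already queued a message whose handler runs script.
    c.incoming.push_back([&c] { c.runScript(); });
    ++c.scriptForbiddenDepth;      // caller may not run script right now
    c.sendSync("HandleSynchronousMessage", option);
    --c.scriptForbiddenDepth;
    c.dispatchIncoming();          // deferred messages run once it is safe again
    return {c.unsafeScriptRuns, c.scriptRuns};
}
```

In both cases the queued handler runs exactly once; only the deferring option keeps it out of the no-script region.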

Source/WebKit/ChangeLog
Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp

index eb70da4..7263217 100644 (file)
@@ -1,3 +1,18 @@
+2018-04-17  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert in InjectedBundle::postSynchronousMessage
+        https://bugs.webkit.org/show_bug.cgi?id=184683
+
+        Reviewed by Wenson Hsieh.
+
+        Some injected bundles sends sync message when it's not safe to execute scripts.
+
+        Use DoNotProcessIncomingMessagesWhenWaitingForSyncReply option in InjectedBundle::postSynchronousMessage
+        to avoid processing incoming sync IPC messages so that we don't execute arbitrary scripts in those cases.
+
+        * WebProcess/InjectedBundle/InjectedBundle.cpp:
+        (WebKit::InjectedBundle::postSynchronousMessage):
+
 2018-04-17  Chris Dumez  <cdumez@apple.com>
 
         REGRESSION (r229831): CMD-clicking an iCloud web app link unexpectedly opens that link in a new tab and the current tab
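Review bot: The ChangeLog entry's line "Some injected bundles sends sync message when it's not safe to execute scripts" has a grammar slip ("bundles send sync messages") and, more usefully, never names the release assert from the title or says why dispatching incoming sync IPC during the wait trips it; a sentence such as "processing incoming sync messages while waiting for the reply can run script while the bundle's caller is in a no-script state, which hits the release assert" would make the rationale for DoNotProcessIncomingMessagesWhenWaitingForSyncReply clear to the next reader.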
index 5c4ecd8..0cb7580 100644 (file)
@@ -138,7 +138,8 @@ void InjectedBundle::postSynchronousMessage(const String& messageName, API::Obje
     UserData returnUserData;
 
     auto& webProcess = WebProcess::singleton();
-    if (!webProcess.parentProcessConnection()->sendSync(Messages::WebProcessPool::HandleSynchronousMessage(messageName, UserData(webProcess.transformObjectsToHandles(messageBody))), Messages::WebProcessPool::HandleSynchronousMessage::Reply(returnUserData), 0))
+    if (!webProcess.parentProcessConnection()->sendSync(Messages::WebProcessPool::HandleSynchronousMessage(messageName, UserData(webProcess.transformObjectsToHandles(messageBody))),
+        Messages::WebProcessPool::HandleSynchronousMessage::Reply(returnUserData), 0, Seconds::infinity(), IPC::SendSyncOption::DoNotProcessIncomingMessagesWhenWaitingForSyncReply))
         returnData = nullptr;
     else
         returnData = webProcess.transformHandlesToObjects(returnUserData.object());
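Review bot: The new sendSync call combines Seconds::infinity() with IPC::SendSyncOption::DoNotProcessIncomingMessagesWhenWaitingForSyncReply, so if the UI process's handler for Messages::WebProcessPool::HandleSynchronousMessage ever sends a sync message back to this web process, that message will not be dispatched while we wait and neither side can make progress; either add a comment on the call stating that the handler must not do that, or use a finite timeout so the failure degrades to the existing `returnData = nullptr` path instead of a hang.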