WebContent process can create files at arbitrary locations by calling RemoteMediaPlayerManagerProxy::OriginsInMediaCache

https://bugs.webkit.org/show_bug.cgi?id=257875
rdar://107931180

Reviewed by Eric Carlson.

MediaPlayerPrivateAVFoundationObjC implements cache management by creating an AVAssetCache at a
specified path, and AVAssetCache creates an empty directory at this path if one doesn't exist. When
MediaPlayer's installedMediaEngines() are accessed from the WebContent process and the GPU process
is in use, RemoteMediaPlayerManager creates media player factories that proxy cache management calls
to the GPU process via RemoteMediaPlayerManagerProxy IPC messages, passing the media cache directory
specified by the website data store as an argument. If a compromised WebContent process were to send
these messages with a path of its choosing, it could convince the GPU process to create a directory
at an arbitrary location within the GPU process sandbox.

Fixed this by removing the cache management IPC messages (OriginsInMediaCache, ClearMediaCache, and
ClearMediaCacheForOrigins) from RemoteMediaPlayerManagerProxy and calling ASSERT_NOT_REACHED() if
the WebContent process attempts to perform MediaPlayer cache management while the GPU process is in
use. This is OK because the cache management subset of MediaPlayerFactory's interface is exclusively
called from WebsiteDataStore in the UI process where media engines are accessed directly rather than
via RemoteMediaPlayerManagerProxy.

* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp:
(WebKit::RemoteMediaPlayerManagerProxy::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:

Originally-landed-as: 259548.815@safari-7615-branch (7b6d483). rdar://107931180
Canonical link: https://commits.webkit.org/266437@main
aestes authored and robert-jenner committed Jul 31, 2023
1 parent 7225cf0 commit 0f8aafd
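The commit removes the path-carrying messages outright, which is the right call when the privileged side (here the GPU process) has no trusted source for the legitimate cache root. Where a privileged process does know the root it was configured with, the alternative is a containment check on the path the less-trusted peer supplies. The following is an added example written for this page, not WebKit code: `pathIsWithinRoot` normalises `.`/`..`/duplicate separators and compares whole components, and `handleClearMediaCache` is a hypothetical handler in the shape of the deleted GPU-process ones, taking the trusted root from configuration and delegating the filesystem side effect so the decision can be tested without touching disk. The message struct and the `Outcome` enum are assumptions for the illustration.

```cpp
// Added example (not WebKit code): lexical containment check for a path that a
// privileged process receives over IPC from a less-trusted one.
#include <sstream>
#include <string>
#include <vector>

// Split an absolute POSIX path into normalised components, resolving "." and
// "..". Returns false for relative paths and for paths that try to climb above
// "/" (rejecting rather than clamping, so "/../etc" is not silently "/etc").
static bool normalizeComponents(const std::string& path, std::vector<std::string>& out)
{
    out.clear();
    if (path.empty() || path[0] != '/')
        return false;
    std::stringstream ss(path);
    std::string part;
    while (std::getline(ss, part, '/')) {
        if (part.empty() || part == ".")
            continue; // "//" and "/./" contribute nothing
        if (part == "..") {
            if (out.empty())
                return false;
            out.pop_back();
            continue;
        }
        out.push_back(part);
    }
    return true;
}

// True iff `candidate` is `root` itself or lies beneath it. Comparing whole
// components (not a string prefix) is what stops "/cache/media2" from being
// accepted as inside "/cache/media". Symlinks are NOT resolved here; a real
// implementation must also canonicalise on disk or open with O_NOFOLLOW-style
// semantics if the tree below the root is writable by others.
bool pathIsWithinRoot(const std::string& root, const std::string& candidate)
{
    std::vector<std::string> rootParts, candidateParts;
    if (!normalizeComponents(root, rootParts) || !normalizeComponents(candidate, candidateParts))
        return false;
    if (candidateParts.size() < rootParts.size())
        return false;
    for (size_t i = 0; i < rootParts.size(); ++i) {
        if (candidateParts[i] != rootParts[i])
            return false;
    }
    return true;
}

// Hypothetical message in the shape of the deleted ClearMediaCache IPC message:
// the only thing the untrusted peer controls is `path`.
struct ClearMediaCacheMessage {
    std::string path;
};

enum class Outcome { Rejected, Cleared };

// Hypothetical hardened handler: the cache root comes from process
// configuration (trusted), the path from the message (untrusted), and the
// actual clearing is delegated to `clear` so nothing touches the disk unless
// the containment check passed.
template<typename ClearFn>
Outcome handleClearMediaCache(const std::string& trustedCacheRoot, const ClearMediaCacheMessage& message, ClearFn clear)
{
    if (!pathIsWithinRoot(trustedCacheRoot, message.path))
        return Outcome::Rejected;
    clear(message.path);
    return Outcome::Cleared;
}
```

The check is deliberately lexical and conservative: anything relative, anything that escapes `/`, and anything whose components do not start with the root's components is refused before any filesystem call is made. It is a defence for messages that must carry a path; where the parameter can simply be removed, as this commit does, that is the stronger fix because there is then no path to validate.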
Showing 5 changed files with 4 additions and 62 deletions.
33 changes: 0 additions & 33 deletions Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp
@@ -120,39 +120,6 @@ void RemoteMediaPlayerManagerProxy::supportsTypeAndCodecs(MediaPlayerEnums::Medi
completionHandler(result);
}

void RemoteMediaPlayerManagerProxy::originsInMediaCache(MediaPlayerEnums::MediaEngineIdentifier engineIdentifier, const String&& path, CompletionHandler<void(HashSet<WebCore::SecurityOriginData>&&)>&& completionHandler)
{
auto engine = MediaPlayer::mediaEngine(engineIdentifier);
if (!engine) {
WTFLogAlways("Failed to find media engine.");
completionHandler({ });
return;
}

completionHandler(engine->originsInMediaCache(path));
}

void RemoteMediaPlayerManagerProxy::clearMediaCache(MediaPlayerEnums::MediaEngineIdentifier engineIdentifier, const String&&path, WallTime modifiedSince)
{
auto engine = MediaPlayer::mediaEngine(engineIdentifier);
if (!engine) {
WTFLogAlways("Failed to find media engine.");
return;
}

engine->clearMediaCache(path, modifiedSince);
}

void RemoteMediaPlayerManagerProxy::clearMediaCacheForOrigins(MediaPlayerEnums::MediaEngineIdentifier engineIdentifier, const String&& path, HashSet<WebCore::SecurityOriginData>&& origins)
{
auto engine = MediaPlayer::mediaEngine(engineIdentifier);
if (!engine) {
WTFLogAlways("Failed to find media engine.");
return;
}
engine->clearMediaCacheForOrigins(path, origins);
}

void RemoteMediaPlayerManagerProxy::supportsKeySystem(MediaPlayerEnums::MediaEngineIdentifier engineIdentifier, const String&& keySystem, const String&& mimeType, CompletionHandler<void(bool)>&& completionHandler)
{
auto engine = MediaPlayer::mediaEngine(engineIdentifier);
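Review bot: the three removed handlers passed the decoded `path` straight through to `engine->originsInMediaCache(path)`, `engine->clearMediaCache(path, modifiedSince)` and `engine->clearMediaCacheForOrigins(path, origins)` with no check that it named the website data store's media cache directory, and the GPU process has no independent source for that directory, so deleting the messages rather than attempting to validate `path` here is the right shape for the fix. The handlers that remain in this file (`supportsTypeAndCodecs`, `supportsKeySystem`) take only an engine identifier plus type/key-system strings and null-check the result of `MediaPlayer::mediaEngine` before use, so nothing path-like is left reachable through this interface.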
3 changes: 0 additions & 3 deletions Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h
@@ -80,9 +80,6 @@ class RemoteMediaPlayerManagerProxy
// Media player factory
void getSupportedTypes(WebCore::MediaPlayerEnums::MediaEngineIdentifier, CompletionHandler<void(Vector<String>&&)>&&);
void supportsTypeAndCodecs(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const WebCore::MediaEngineSupportParameters&&, CompletionHandler<void(WebCore::MediaPlayer::SupportsType)>&&);
void originsInMediaCache(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&&, CompletionHandler<void(HashSet<WebCore::SecurityOriginData>&&)>&&);
void clearMediaCache(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&&, WallTime);
void clearMediaCacheForOrigins(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&&, HashSet<WebCore::SecurityOriginData>&&);
void supportsKeySystem(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&&, const String&&, CompletionHandler<void(bool)>&&);

HashMap<WebCore::MediaPlayerIdentifier, Ref<RemoteMediaPlayerProxy>> m_proxies;
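Review bot: style point on the surviving declarations in this hunk: `supportsTypeAndCodecs(..., const WebCore::MediaEngineSupportParameters&&, ...)` and `supportsKeySystem(..., const String&&, const String&&, ...)` take const rvalue references, which cannot be moved from and so behave like `const T&` behind a misleading signature. The deleted lines had the same pattern; consider a follow-up that changes the remaining ones to `const T&` (or plain `T&&` where the handler really wants ownership).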
3 changes: 0 additions & 3 deletions Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in
@@ -29,9 +29,6 @@ messages -> RemoteMediaPlayerManagerProxy NotRefCounted {

GetSupportedTypes(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier) -> (Vector<String> types) Synchronous
SupportsTypeAndCodecs(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, struct WebCore::MediaEngineSupportParameters type) -> (enum:uint8_t WebCore::MediaPlayerEnums::SupportsType support) Synchronous
OriginsInMediaCache(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, String path) -> (HashSet<WebCore::SecurityOriginData> origins) Synchronous
ClearMediaCache(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, String path, WallTime modifiedSince)
ClearMediaCacheForOrigins(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, String path, HashSet<WebCore::SecurityOriginData> origins)
SupportsKeySystem(enum:uint8_t WebCore::MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, String keySystem, String mimeType) -> (bool supports) Synchronous
}

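Review bot: this is the hunk that actually closes the hole, since the IPC receiver is generated from `.messages.in`: with `OriginsInMediaCache`, `ClearMediaCache` and `ClearMediaCacheForOrigins` gone there is no decode path that turns a `String path` sent by the WebContent process into a filesystem location inside the GPU process, and any stale sender would fail to build rather than keep sending. For reviewers checking the residual surface, the messages left in this block (`GetSupportedTypes`, `SupportsTypeAndCodecs`, `SupportsKeySystem`) carry an engine identifier and type/key-system strings only, no path.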
24 changes: 4 additions & 20 deletions Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
@@ -79,17 +79,18 @@ class MediaPlayerRemoteFactory final : public MediaPlayerFactory {

HashSet<SecurityOriginData> originsInMediaCache(const String& path) const final
{
return m_manager.originsInMediaCache(m_remoteEngineIdentifier, path);
ASSERT_NOT_REACHED_WITH_MESSAGE("RemoteMediaPlayerManager does not support cache management");
return { };
}

void clearMediaCache(const String& path, WallTime modifiedSince) const final
{
return m_manager.clearMediaCache(m_remoteEngineIdentifier, path, modifiedSince);
ASSERT_NOT_REACHED_WITH_MESSAGE("RemoteMediaPlayerManager does not support cache management");
}

void clearMediaCacheForOrigins(const String& path, const HashSet<SecurityOriginData>& origins) const final
{
return m_manager.clearMediaCacheForOrigins(m_remoteEngineIdentifier, path, origins);
ASSERT_NOT_REACHED_WITH_MESSAGE("RemoteMediaPlayerManager does not support cache management");
}

bool supportsKeySystem(const String& keySystem, const String& mimeType) const final
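Review bot: `ASSERT_NOT_REACHED_WITH_MESSAGE` compiles out in release builds, so in release `originsInMediaCache` quietly returns an empty set and the two `clear*` overrides become silent no-ops. That is the safe direction (nothing is sent and no path leaves the process), but it also means a future caller wired up by mistake would go unnoticed outside debug builds. If reaching these from a WebContent process is always a logic error, as the commit message states, consider `RELEASE_ASSERT_NOT_REACHED()` here, or at minimum a comment on `MediaPlayerRemoteFactory` recording that cache management is only ever performed from the UI process, since that invariant is enforced by callers rather than by this class.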
@@ -232,23 +233,6 @@ bool RemoteMediaPlayerManager::supportsKeySystem(MediaPlayerEnums::MediaEngineId
return false;
}

HashSet<SecurityOriginData> RemoteMediaPlayerManager::originsInMediaCache(MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, const String& path)
{
auto sendResult = gpuProcessConnection().connection().sendSync(Messages::RemoteMediaPlayerManagerProxy::OriginsInMediaCache(remoteEngineIdentifier, path), 0);
auto [originData] = sendResult.takeReplyOr(HashSet<SecurityOriginData> { });
return originData;
}

void RemoteMediaPlayerManager::clearMediaCache(MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, const String& path, WallTime modifiedSince)
{
gpuProcessConnection().connection().send(Messages::RemoteMediaPlayerManagerProxy::ClearMediaCache(remoteEngineIdentifier, path, modifiedSince), 0);
}

void RemoteMediaPlayerManager::clearMediaCacheForOrigins(MediaPlayerEnums::MediaEngineIdentifier remoteEngineIdentifier, const String& path, const HashSet<SecurityOriginData>& origins)
{
gpuProcessConnection().connection().send(Messages::RemoteMediaPlayerManagerProxy::ClearMediaCacheForOrigins(remoteEngineIdentifier, path, origins), 0);
}

void RemoteMediaPlayerManager::didReceivePlayerMessage(IPC::Connection& connection, IPC::Decoder& decoder)
{
if (const auto& player = m_players.get(ObjectIdentifier<MediaPlayerIdentifierType>(decoder.destinationID())))
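Review bot: with `RemoteMediaPlayerManager::originsInMediaCache`, `clearMediaCache` and `clearMediaCacheForOrigins` removed, nothing in the web process constructs `Messages::RemoteMediaPlayerManagerProxy::OriginsInMediaCache` and friends any more, so the receiver-side removal cannot be undone by a stray caller. Dropping the `sendSync` / `takeReplyOr` pair is a small extra win, as synchronous WebContent-to-GPU IPC blocks the sender. One thing to confirm before landing: no other `MediaPlayerFactory` implementation in the web process still forwards a path to the GPU process through a different message.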
3 changes: 0 additions & 3 deletions Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h
@@ -85,9 +85,6 @@ class RemoteMediaPlayerManager
void getSupportedTypes(WebCore::MediaPlayerEnums::MediaEngineIdentifier, HashSet<String, ASCIICaseInsensitiveHash>&);
WebCore::MediaPlayer::SupportsType supportsTypeAndCodecs(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const WebCore::MediaEngineSupportParameters&);
bool supportsKeySystem(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String& keySystem, const String& mimeType);
HashSet<WebCore::SecurityOriginData> originsInMediaCache(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&);
void clearMediaCache(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&, WallTime modifiedSince);
void clearMediaCacheForOrigins(WebCore::MediaPlayerEnums::MediaEngineIdentifier, const String&, const HashSet<WebCore::SecurityOriginData>&);

HashMap<WebCore::MediaPlayerIdentifier, WeakPtr<MediaPlayerPrivateRemote>> m_players;
ThreadSafeWeakPtr<GPUProcessConnection> m_gpuProcessConnection;