Restrict access to Version.plist in the WebContent process on iOS
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792

Reviewed by Per Arne Vollan.

Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow-up patch I'm planning on improving
the path validation we use for paths provided by JavaScript.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Canonical link: https://commits.webkit.org/267815.640@safari-7617-branch
sysrqb authored and Matthew Finkel committed Dec 18, 2023
1 parent 2d703bb commit 36d57dc
Showing 1 changed file with 3 additions and 0 deletions.
Expand Up @@ -37,6 +37,9 @@
(allow process-info-codesignature)
#endif

(deny file-read-metadata
(literal "/private/var/db/MobileIdentityData/Version.plist"))

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
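Review bot: The new rule denies only `file-read-metadata` for the literal path, while the commit message says it "prevents access to the file"; if `file-read-data` on `/private/var/db/MobileIdentityData/Version.plist` is not already denied elsewhere in this profile, consider widening it to `(deny file-read* (literal "/private/var/db/MobileIdentityData/Version.plist"))` so the contents are covered as well as the metadata. Since in SBPL the last matching rule wins, it is also worth confirming that no later `allow` rule in `com.apple.WebKit.WebContent.sb.in` (for example a broad allow under `/private/var/db`) re-grants the operation for this path, otherwise this deny at line 40 has no effect. Finally, the rules that follow carry `;;;` comments explaining their origin; a one-line comment above the deny stating why the file is blocked and referencing bug 262699 would help the next person who touches the profile.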
