Skip to content

Commit

Permalink
Restrict access to Version.plist in the WebContent process on iOS
Browse files Browse the repository at this point in the history 
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792

Reviewed by Per Arne Vollan.

Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow up patch I'm planning on improving
the path validation we use paths provided by javascript.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Originally-landed-as: 267815.640@safari-7617-branch (36d57dc). rdar://121478523
Canonical link: https://commits.webkit.org/273484@main
  • Loading branch information
@sysrqb @robert-jenner
sysrqb authored and robert-jenner committed Jan 25, 2024
1 parent 9c7c233 commit 89314de
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,9 @@
(allow process-info-codesignature)
#endif

(deny file-read-metadata
(literal "/private/var/db/MobileIdentityData/Version.plist"))

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
Expand Down

0 comments on commit 89314de

Please sign in to comment.