diff --git a/SOURCES/CVE-2024-44309.patch b/SOURCES/CVE-2024-44309.patch new file mode 100644 index 0000000..10fed57 --- /dev/null +++ b/SOURCES/CVE-2024-44309.patch @@ -0,0 +1,320 @@ +From c52da7c313795d61665253f23c9f298005549c73 Mon Sep 17 00:00:00 2001 +From: Charlie Wolfe +Date: Thu, 14 Nov 2024 13:56:35 -0800 +Subject: [PATCH] Cherry-pick 60c387845715. + +Cherry-pick 2815b4e29829. rdar://139893250 + + Data Isolation bypass via attacker controlled firstPartyForCookies + https://bugs.webkit.org/show_bug.cgi?id=283095 + rdar://139818629 + + Reviewed by Matthew Finkel and Alex Christensen. + + `NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or + empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but + we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly + have about:blank set as their firstPartyForCookies, causing us to kill the WCP. + + This patch is a lower risk change that removes the unconditional cookie access for requests that have an + empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty + firstPartyForCookies. + + * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp: + (WebKit::NetworkConnectionToWebProcess::createSocketChannel): + (WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad): + (WebKit::NetworkConnectionToWebProcess::cookiesForDOM): + (WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM): + (WebKit::NetworkConnectionToWebProcess::cookiesEnabled): + (WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue): + (WebKit::NetworkConnectionToWebProcess::getRawCookies): + (WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync): + (WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync): + (WebKit::NetworkConnectionToWebProcess::domCookiesForHost): + (WebKit::NetworkConnectionToWebProcess::establishSWContextConnection): + * Source/WebKit/NetworkProcess/NetworkProcess.cpp: + (WebKit::NetworkProcess::allowsFirstPartyForCookies): + * Source/WebKit/NetworkProcess/NetworkProcess.h: + * Source/WebKit/NetworkProcess/NetworkSession.cpp: + (WebKit::NetworkSession::addAllowedFirstPartyForCookies): + * Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp: + (WebKit::WebSWServerConnection::scheduleJobInServer): + * Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp: + (WebKit::WebSharedWorkerServerConnection::requestSharedWorker): + * Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm: + (EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue)): + + Canonical link: https://commits.webkit.org/283286.477@safari-7620-branch + +Canonical link: https://commits.webkit.org/282416.294@webkitglib/2.46 +--- + .../NetworkConnectionToWebProcess.cpp | 51 ++++++++++++++----- + .../WebKit/NetworkProcess/NetworkProcess.cpp | 37 +++++++------- + Source/WebKit/NetworkProcess/NetworkProcess.h | 5 +- + .../WebKit/NetworkProcess/NetworkSession.cpp | 2 +- + .../ServiceWorker/WebSWServerConnection.cpp | 2 +- + .../WebSharedWorkerServerConnection.cpp | 2 +- + .../Tests/WebKitCocoa/IPCTestingAPI.mm | 33 ++++++++++++ + 7 files changed, 96 insertions(+), 36 deletions(-) + +diff --git a/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp b/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp +index a0ad3c628ec38..c13a96f0e796a 100644 +--- a/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp ++++ b/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp +@@ -502,7 +502,7 @@ void NetworkConnectionToWebProcess::didReceiveInvalidMessage(IPC::Connection&, I + + void NetworkConnectionToWebProcess::createSocketChannel(const ResourceRequest& request, const String& protocol, WebSocketIdentifier identifier, WebPageProxyIdentifier webPageProxyID, std::optional frameID, std::optional pageID, const ClientOrigin& clientOrigin, bool hadMainFrameMainResourcePrivateRelayed, bool allowPrivacyProxy, OptionSet advancedPrivacyProtections, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, WebCore::StoredCredentialsPolicy storedCredentialsPolicy) + { +- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, request.firstPartyForCookies())); ++ MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, request.firstPartyForCookies()) != NetworkProcess::AllowCookieAccess::Terminate); + + ASSERT(!m_networkSocketChannels.contains(identifier)); + if (auto channel = NetworkSocketChannel::create(*this, m_sessionID, request, protocol, identifier, webPageProxyID, frameID, pageID, clientOrigin, hadMainFrameMainResourcePrivateRelayed, allowPrivacyProxy, advancedPrivacyProtections, shouldRelaxThirdPartyCookieBlocking, storedCredentialsPolicy)) +@@ -552,11 +552,11 @@ RefPtr NetworkConnectionToWebProcess::createFetchTask(Ne + + void NetworkConnectionToWebProcess::scheduleResourceLoad(NetworkResourceLoadParameters&& loadParameters, std::optional existingLoaderToResume) + { +- bool hasCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, loadParameters.request.firstPartyForCookies()); +- if (UNLIKELY(!hasCookieAccess)) ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, loadParameters.request.firstPartyForCookies()); ++ if (UNLIKELY(allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow)) + RELEASE_LOG_ERROR(Loading, "scheduleResourceLoad: Web process does not have cookie access to url %" SENSITIVE_LOG_STRING " for request %" SENSITIVE_LOG_STRING, loadParameters.request.firstPartyForCookies().string().utf8().data(), loadParameters.request.url().string().utf8().data()); + +- MESSAGE_CHECK(hasCookieAccess); ++ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); + + CONNECTION_RELEASE_LOG(Loading, "scheduleResourceLoad: (parentPID=%d, pageProxyID=%" PRIu64 ", webPageID=%" PRIu64 ", frameID=%" PRIu64 ", resourceID=%" PRIu64 ", existingLoaderToResume=%" PRIu64 ")", loadParameters.parentPID, loadParameters.webPageProxyID.toUInt64(), loadParameters.webPageID.toUInt64(), loadParameters.webFrameID.object().toUInt64(), loadParameters.identifier.toUInt64(), valueOrDefault(existingLoaderToResume).toUInt64()); + +@@ -785,7 +785,10 @@ void NetworkConnectionToWebProcess::registerURLSchemesAsCORSEnabled(Vector&& completionHandler) + { +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ }, false)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ }, false)); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler({ }, false); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -802,7 +805,10 @@ void NetworkConnectionToWebProcess::cookiesForDOM(const URL& firstParty, const S + + void NetworkConnectionToWebProcess::setCookiesFromDOM(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, WebCore::FrameIdentifier frameID, PageIdentifier pageID, ApplyTrackingPrevention applyTrackingPrevention, const String& cookieString, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking) + { +- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return; + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -823,7 +829,10 @@ void NetworkConnectionToWebProcess::cookiesEnabledSync(const URL& firstParty, co + + void NetworkConnectionToWebProcess::cookiesEnabled(const URL& firstParty, const URL& url, std::optional frameID, std::optional pageID, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) + { +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler(false)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(false)); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler(false); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) { +@@ -837,7 +846,10 @@ void NetworkConnectionToWebProcess::cookiesEnabled(const URL& firstParty, const + + void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, IncludeSecureCookies includeSecureCookies, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) + { +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ }, false)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ }, false)); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler({ }, false); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -848,7 +860,10 @@ void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(const URL& fir + + void NetworkConnectionToWebProcess::getRawCookies(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&&)>&& completionHandler) + { +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ })); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ })); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler({ }); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -877,7 +892,10 @@ void NetworkConnectionToWebProcess::deleteCookie(const URL& url, const String& c + + void NetworkConnectionToWebProcess::cookiesForDOMAsync(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, IncludeSecureCookies includeSecureCookies, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, WebCore::CookieStoreGetOptions&& options, CompletionHandler>&&)>&& completionHandler) + { +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler(std::nullopt)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(std::nullopt)); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler(std::nullopt); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -894,7 +912,10 @@ void NetworkConnectionToWebProcess::cookiesForDOMAsync(const URL& firstParty, co + + void NetworkConnectionToWebProcess::setCookieFromDOMAsync(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, ApplyTrackingPrevention applyTrackingPrevention, WebCore::Cookie&& cookie, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) + { +- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty)); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(false)); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler(false); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -914,7 +935,10 @@ void NetworkConnectionToWebProcess::domCookiesForHost(const URL& url, Completion + { + auto host = url.host().toString(); + MESSAGE_CHECK_COMPLETION(HashSet::isValidValue(host), completionHandler({ })); +- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, url), completionHandler({ })); ++ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, url); ++ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ })); ++ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) ++ return completionHandler({ }); + + auto* networkStorageSession = storageSession(); + if (!networkStorageSession) +@@ -1423,7 +1447,8 @@ void NetworkConnectionToWebProcess::establishSWContextConnection(WebPageProxyIde + { + auto* session = networkSession(); + if (auto* swServer = session ? session->swServer() : nullptr) { +- MESSAGE_CHECK(session->networkProcess().allowsFirstPartyForCookies(webProcessIdentifier(), registrableDomain)); ++ auto allowCookieAccess = session->networkProcess().allowsFirstPartyForCookies(webProcessIdentifier(), registrableDomain); ++ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); + m_swContextConnection = makeUnique(*this, webPageProxyID, WTFMove(registrableDomain), serviceWorkerPageIdentifier, *swServer); + } + completionHandler(); +diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.cpp b/Source/WebKit/NetworkProcess/NetworkProcess.cpp +index db0437d3b70a2..8f637e6c85fd4 100644 +--- a/Source/WebKit/NetworkProcess/NetworkProcess.cpp ++++ b/Source/WebKit/NetworkProcess/NetworkProcess.cpp +@@ -458,48 +458,49 @@ void NetworkProcess::webProcessWillLoadWebArchive(WebCore::ProcessIdentifier pro + }).iterator->value.first = LoadedWebArchive::Yes; + } + +-bool NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const URL& firstParty) ++auto NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const URL& firstParty) -> AllowCookieAccess + { +- // FIXME: This should probably not be necessary. If about:blank is the first party for cookies, +- // we should set it to be the inherited origin then remove this exception. +- if (firstParty.isAboutBlank()) +- return true; ++ auto allowCookieAccess = allowsFirstPartyForCookies(processIdentifier, RegistrableDomain { firstParty }); ++ if (allowCookieAccess == NetworkProcess::AllowCookieAccess::Terminate) { ++ // FIXME: This should probably not be necessary. If about:blank is the first party for cookies, ++ // we should set it to be the inherited origin then remove this exception. ++ if (firstParty.isAboutBlank()) ++ return AllowCookieAccess::Disallow; + +- if (firstParty.isNull()) +- return true; // FIXME: This shouldn't be allowed. ++ if (firstParty.isNull()) ++ return AllowCookieAccess::Disallow; // FIXME: This shouldn't be allowed. ++ } + +- return allowsFirstPartyForCookies(processIdentifier, RegistrableDomain { firstParty }); ++ return allowCookieAccess; + } + +-bool NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const RegistrableDomain& firstPartyDomain) ++auto NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const RegistrableDomain& firstPartyDomain) -> AllowCookieAccess + { + // FIXME: This shouldn't be needed but it is hit sometimes at least with PDFs. +- if (firstPartyDomain.isEmpty()) +- return true; +- ++ auto terminateOrDisallow = firstPartyDomain.isEmpty() ? AllowCookieAccess::Disallow : AllowCookieAccess::Terminate; + if (!decltype(m_allowedFirstPartiesForCookies)::isValidKey(processIdentifier)) { + ASSERT_NOT_REACHED(); +- return false; ++ return terminateOrDisallow; + } + + auto iterator = m_allowedFirstPartiesForCookies.find(processIdentifier); + if (iterator == m_allowedFirstPartiesForCookies.end()) { + ASSERT_NOT_REACHED(); +- return false; ++ return terminateOrDisallow; + } + + if (iterator->value.first == LoadedWebArchive::Yes) +- return true; ++ return AllowCookieAccess::Allow; + + auto& set = iterator->value.second; + if (!std::remove_reference_t::isValidValue(firstPartyDomain)) { + ASSERT_NOT_REACHED(); +- return false; ++ return terminateOrDisallow; + } + + auto result = set.contains(firstPartyDomain); +- ASSERT(result); +- return result; ++ ASSERT(result || terminateOrDisallow == AllowCookieAccess::Disallow); ++ return result ? AllowCookieAccess::Allow : terminateOrDisallow; + } + + void NetworkProcess::addStorageSession(PAL::SessionID sessionID, const WebsiteDataStoreParameters& parameters) +diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.h b/Source/WebKit/NetworkProcess/NetworkProcess.h +index 0897537e58476..54f19ab96ce47 100644 +--- a/Source/WebKit/NetworkProcess/NetworkProcess.h ++++ b/Source/WebKit/NetworkProcess/NetworkProcess.h +@@ -417,8 +417,9 @@ class NetworkProcess final : public AuxiliaryProcess, private DownloadManager::C + void deleteWebsiteDataForOrigin(PAL::SessionID, OptionSet, const WebCore::ClientOrigin&, CompletionHandler&&); + void deleteWebsiteDataForOrigins(PAL::SessionID, OptionSet, const Vector& origins, const Vector& cookieHostNames, const Vector& HSTSCacheHostnames, const Vector&, CompletionHandler&&); + +- bool allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const URL&); +- bool allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const RegistrableDomain&); ++ enum class AllowCookieAccess : uint8_t { Disallow, Allow, Terminate }; ++ AllowCookieAccess allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const URL&); ++ AllowCookieAccess allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const RegistrableDomain&); + void addAllowedFirstPartyForCookies(WebCore::ProcessIdentifier, WebCore::RegistrableDomain&&, LoadedWebArchive, CompletionHandler&&); + void webProcessWillLoadWebArchive(WebCore::ProcessIdentifier); + +diff --git a/Source/WebKit/NetworkProcess/NetworkSession.cpp b/Source/WebKit/NetworkProcess/NetworkSession.cpp +index d3e9e8b4b64bc..2c5fb9ad6765e 100644 +--- a/Source/WebKit/NetworkProcess/NetworkSession.cpp ++++ b/Source/WebKit/NetworkProcess/NetworkSession.cpp +@@ -728,7 +728,7 @@ void NetworkSession::appBoundDomains(CompletionHandler requestingProcessIdentifier, WebCore::RegistrableDomain&& firstPartyForCookies) + { +- if (requestingProcessIdentifier && (requestingProcessIdentifier != webProcessIdentifier) && !m_networkProcess->allowsFirstPartyForCookies(requestingProcessIdentifier.value(), firstPartyForCookies)) { ++ if (requestingProcessIdentifier && (requestingProcessIdentifier != webProcessIdentifier) && m_networkProcess->allowsFirstPartyForCookies(requestingProcessIdentifier.value(), firstPartyForCookies) != NetworkProcess::AllowCookieAccess::Allow) { + ASSERT_NOT_REACHED(); + return; + } +diff --git a/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp b/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp +index 72d67d9f98a2d..515f4597cf33f 100644 +--- a/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp ++++ b/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp +@@ -344,7 +344,7 @@ void WebSWServerConnection::postMessageToServiceWorker(ServiceWorkerIdentifier d + + void WebSWServerConnection::scheduleJobInServer(ServiceWorkerJobData&& jobData) + { +- MESSAGE_CHECK(networkProcess().allowsFirstPartyForCookies(identifier(), WebCore::RegistrableDomain::uncheckedCreateFromHost(jobData.topOrigin.host()))); ++ MESSAGE_CHECK(networkProcess().allowsFirstPartyForCookies(identifier(), WebCore::RegistrableDomain::uncheckedCreateFromHost(jobData.topOrigin.host())) != NetworkProcess::AllowCookieAccess::Terminate); + + ASSERT(!jobData.scopeURL.isNull()); + if (jobData.scopeURL.isNull()) { +diff --git a/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp b/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp +index 83affaaded38e..084bbdf8f8c55 100644 +--- a/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp ++++ b/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp +@@ -79,7 +79,7 @@ NetworkSession* WebSharedWorkerServerConnection::session() + + void WebSharedWorkerServerConnection::requestSharedWorker(WebCore::SharedWorkerKey&& sharedWorkerKey, WebCore::SharedWorkerObjectIdentifier sharedWorkerObjectIdentifier, WebCore::TransferredMessagePort&& port, WebCore::WorkerOptions&& workerOptions) + { +- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, WebCore::RegistrableDomain::uncheckedCreateFromHost(sharedWorkerKey.origin.topOrigin.host()))); ++ MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, WebCore::RegistrableDomain::uncheckedCreateFromHost(sharedWorkerKey.origin.topOrigin.host())) != NetworkProcess::AllowCookieAccess::Terminate); + MESSAGE_CHECK(sharedWorkerObjectIdentifier.processIdentifier() == m_webProcessIdentifier); + MESSAGE_CHECK(sharedWorkerKey.name == workerOptions.name); + CONNECTION_RELEASE_LOG("requestSharedWorker: sharedWorkerObjectIdentifier=%" PUBLIC_LOG_STRING, sharedWorkerObjectIdentifier.toString().utf8().data()); diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec index 0aeb8c5..a40743d 100644 --- a/SPECS/webkit2gtk3.spec +++ b/SPECS/webkit2gtk3.spec @@ -21,7 +21,7 @@ Name: webkit2gtk3 Version: 2.46.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: GTK Web content engine library License: LGPLv2 @@ -36,6 +36,9 @@ Source2: webkitgtk-keys.gpg # Don't print warning about Evolution's use of WEBKIT_FORCE_SANDBOX Patch: evolution-sandbox-warning.patch +# https://bugs.webkit.org/show_bug.cgi?id=283095 +Patch: CVE-2024-44309.patch + BuildRequires: bison BuildRequires: bubblewrap BuildRequires: cmake @@ -311,6 +314,9 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog +* Mon Nov 25 2024 Michael Catanzaro - 2.46.3-2 +- Add patch for CVE-2024-44309 + * Wed Oct 30 2024 Michael Catanzaro - 2.46.3-1 - Update to 2.46.3