118690 2013-07-15 15:16:01 -0700 PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust 2013-07-15 19:35:48 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mjs mjs commit-queue eric.carlson glenn jer.noble scooper oldest_to_newest 908530 0 mjs 2013-07-15 15:16:01 -0700 PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust 908531 1 206690 mjs 2013-07-15 15:18:33 -0700 Created attachment 206690 Patch 908532 2 mjs 2013-07-15 15:19:36 -0700 <rdar://problem/14255963> 908533 3 206690 ap 2013-07-15 15:22:18 -0700 Comment on attachment 206690 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review > Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40 > + (literal "Library/Application Support/Macromedia/FlashPlayerTrust") This is not a proper path, there should be a slash before "Library". I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there. Also, four space indentation please. 908534 4 206690 sam 2013-07-15 15:23:23 -0700 Comment on attachment 206690 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review >> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40 >> +(deny file-read* (with no-log) >> + (literal "Library/Application Support/Macromedia/FlashPlayerTrust") > > This is not a proper path, there should be a slash before "Library". > > I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there. > > Also, four space indentation please. This should go above the (webkit-foo) stuff. 908549 5 scooper 2013-07-15 15:41:30 -0700 As previously noted the proposed change is not good. 908556 6 ap 2013-07-15 16:05:32 -0700 > This should go above the (webkit-foo) stuff. Why? Generally, "deny" rules should be last, to make sure that they take precedence. 908581 7 scooper 2013-07-15 16:43:44 -0700 It doesn't really matter where the rules are -- they can be put above the (webkit-foo) stuff -- along with the other path rules (but at the end of them). The only reason the (webkit-foo) things were stuck at the end was to avoid a merge conflict when I was making multiple changes at once -- they probably ought to moved to the top of the sub-profile anyway. 908620 8 206714 scooper 2013-07-15 18:29:13 -0700 Created attachment 206714 Patch 908634 9 206714 commit-queue 2013-07-15 19:35:45 -0700 Comment on attachment 206714 Patch Clearing flags on attachment: 206714 Committed r152698: <http://trac.webkit.org/changeset/152698> 908635 10 commit-queue 2013-07-15 19:35:48 -0700 All reviewed patches have been landed. Closing bug. 206690 2013-07-15 15:18:33 -0700 2013-07-15 18:29:11 -0700 Patch bug-118690-20130715151750.patch text/plain 1389 mjs SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDE1MjY1NikKKysrIFNvdXJjZS9XZWJLaXQyL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDEzLTA3LTE1ICBNYWNpZWog U3RhY2hvd2lhayAgPG1qc0BhcHBsZS5jb20+CisKKyAgICAgICAgUGx1Z2luUHJvY2VzcyBkZW55 IGZpbGUtcmVhZC1kYXRhIC9MaWJyYXJ5L0FwcGxpY2F0aW9uIFN1cHBvcnQvTWFjcm9tZWRpYS9G bGFzaFBsYXllclRydXN0CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xMTg2OTAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKyAg ICAgICAgCisgICAgICAgIFNpbGVudCBkZW55IGFjY2VzcyB0byBGbGFzaFBsYXllclRydXN0LiBB dHRlbXB0cyB0byBhY2Nlc3MgdGhpbmdzCisgICAgICAgIGxpc3RlZCBoZXJlIHdpbGwgbm90IGJl IGFsbG93ZWQgYW55d2F5LCBzbyB0aGlzIGlzIHRoZSBiZXN0IHdheSB0bworICAgICAgICBhdm9p ZCBzcGFtbWluZyBsb2dzLgorCisgICAgICAgICogUmVzb3VyY2VzL1BsdWdJblNhbmRib3hQcm9m aWxlcy9jb20ubWFjcm9tZWRpYS5GbGFzaCBQbGF5ZXIucGx1Z2luLnNiOiAKKwogMjAxMy0wNy0x NCAgSm9uIExlZSAgPGpvbmxlZUBhcHBsZS5jb20+CiAKICAgICAgICAgQ2FsbGluZyBOb3RpZmlj YXRpb24ucmVxdWVzdFBlcm1pc3Npb24oKSB3aXRob3V0IGEgY2FsbGJhY2sgY3Jhc2hlcwpJbmRl eDogU291cmNlL1dlYktpdDIvUmVzb3VyY2VzL1BsdWdJblNhbmRib3hQcm9maWxlcy9jb20ubWFj cm9tZWRpYS5GbGFzaCBQbGF5ZXIucGx1Z2luLnNiCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJL aXQyL1Jlc291cmNlcy9QbHVnSW5TYW5kYm94UHJvZmlsZXMvY29tLm1hY3JvbWVkaWEuRmxhc2gg UGxheWVyLnBsdWdpbi5zYgkocmV2aXNpb24gMTUyMzIwKQorKysgU291cmNlL1dlYktpdDIvUmVz b3VyY2VzL1BsdWdJblNhbmRib3hQcm9maWxlcy9jb20ubWFjcm9tZWRpYS5GbGFzaCBQbGF5ZXIu cGx1Z2luLnNiCSh3b3JraW5nIGNvcHkpCkBAIC0zNSwzICszNSw2IEBACiAKICh3ZWJraXQtcG93 ZXJib3gpCiAod2Via2l0LXByaW50aW5nKQorCisoZGVueSBmaWxlLXJlYWQqICh3aXRoIG5vLWxv ZykKKyAgICAgIChsaXRlcmFsICJMaWJyYXJ5L0FwcGxpY2F0aW9uIFN1cHBvcnQvTWFjcm9tZWRp YS9GbGFzaFBsYXllclRydXN0IikK 206714 2013-07-15 18:29:13 -0700 2013-07-15 19:35:45 -0700 Patch bug-118690-20130715182836.patch text/plain 1926 scooper U3VidmVyc2lvbiBSZXZpc2lvbjogMTUyNjUxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggMGNlMzNlYjRiMGJmNTg1 MTZkZTA2ODFiODVkODRlNzdlODhlNDU1OC4uNmMxZTlmMGQ5Yzk1MTI1YjFlNjBlNGUzMDI4ZGMy NWU3YzIzNzFlMiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIxIEBACisyMDEzLTA3LTE1ICBTaW1v biBDb29wZXIgIDxzY29vcGVyQGFwcGxlLmNvbT4KKworICAgICAgICBQbHVnaW5Qcm9jZXNzIGRl bnkgZmlsZS1yZWFkLWRhdGEgL0xpYnJhcnkvQXBwbGljYXRpb24gU3VwcG9ydC9NYWNyb21lZGlh L0ZsYXNoUGxheWVyVHJ1c3QKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTExODY5MAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMTQyNTU5NjM+CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgU2lsZW50bHkgZGVu eSBhY2Nlc3MgdG8gRmxhc2hQbGF5ZXJUcnVzdC4gVGhpcyBsb2NhdGlvbiBjb250YWlucworICAg ICAgICBmaWxlcyBjb250YWluaW5nIGxpc3RzIG9mIHBhdGhzIHRoYXQgRmxhc2ggUGxheWVyIHdp bGwKKyAgICAgICAgImFsbG93IiBhY2Nlc3MgdG8gKHdpdGhvdXQgYXNraW5nIHRoZSB1c2VyKS4g U2luY2UgdGhlIHBsdWdpbgorICAgICAgICBzYW5kYm94IHdvbid0IHBlcm1pdCB0aGUgYWNjZXNz IHRvIHRoZSBsaXN0ZWQgcGF0aHMgaXQgaXMgYmV0dGVyCisgICAgICAgIHRvIHNpbGVudGx5IGJs b2NrIGF0dGVtcHRzIHRvIHJlYWQgdGhlc2UgIndoaXRlbGlzdHMiLiBUaGUKKyAgICAgICAgIndo aXRlbGlzdHMiIGFyZSBjcmVhdGVkIGJ5IG90aGVyIEFkb2JlICJpbnN0YWxsZXIiIGxpa2UKKyAg ICAgICAgYXBwbGljYXRpb25zLgorCisgICAgICAgICogUmVzb3VyY2VzL1BsdWdJblNhbmRib3hQ cm9maWxlcy9jb20ubWFjcm9tZWRpYS5GbGFzaCBQbGF5ZXIucGx1Z2luLnNiOgorCiAyMDEzLTA3 LTE0ICBKb24gTGVlICA8am9ubGVlQGFwcGxlLmNvbT4KIAogICAgICAgICBDYWxsaW5nIE5vdGlm aWNhdGlvbi5yZXF1ZXN0UGVybWlzc2lvbigpIHdpdGhvdXQgYSBjYWxsYmFjayBjcmFzaGVzCmRp ZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9SZXNvdXJjZXMvUGx1Z0luU2FuZGJveFByb2ZpbGVz L2NvbS5tYWNyb21lZGlhLkZsYXNoIFBsYXllci5wbHVnaW4uc2IgYi9Tb3VyY2UvV2ViS2l0Mi9S ZXNvdXJjZXMvUGx1Z0luU2FuZGJveFByb2ZpbGVzL2NvbS5tYWNyb21lZGlhLkZsYXNoIFBsYXll ci5wbHVnaW4uc2IKaW5kZXggMTdiNWJmYWRkN2IxZTViZmYwOGQ1NDBmYTFjYmM3ZDQyNjc1Mzhj YS4uZjMwNzgzOGVkZTY0MDMwY2NhMDM0MTg0Mjg0NWRmMDI2YWEyN2U2NCAxMDA2NDQKLS0tIGEv U291cmNlL1dlYktpdDIvUmVzb3VyY2VzL1BsdWdJblNhbmRib3hQcm9maWxlcy9jb20ubWFjcm9t ZWRpYS5GbGFzaCBQbGF5ZXIucGx1Z2luLnNiCQorKysgYi9Tb3VyY2UvV2ViS2l0Mi9SZXNvdXJj ZXMvUGx1Z0luU2FuZGJveFByb2ZpbGVzL2NvbS5tYWNyb21lZGlhLkZsYXNoIFBsYXllci5wbHVn aW4uc2IJCkBAIC0yOCw2ICsyOCw5IEBACiAoYWxsb3cgZmlsZS1yZWFkKiBmaWxlLXdyaXRlKgog ICAgIChtb3VudC1yZWxhdGl2ZS1yZWdleCAjIl4vXC5UZW1wb3JhcnlJdGVtcy8iKSkKIAorKGRl bnkgZmlsZS1yZWFkKiAod2l0aCBuby1sb2cpCisgICAgKHN1YnBhdGggIi9MaWJyYXJ5L0FwcGxp Y2F0aW9uIFN1cHBvcnQvTWFjcm9tZWRpYS9GbGFzaFBsYXllclRydXN0IikpCisKIChhbGxvdyBu ZXR3b3JrLWJpbmQgKGxvY2FsIGlwKSkKIAogKHdlYmtpdC1wb3dlcmJveCkK