185489 2018-05-09 14:01:19 -0700 Restrict unarchiving of bundle parameters to a set of known classes 2018-05-09 14:55:30 -0700 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 bfulgham bfulgham bfulgham ddkilzer rniwa oldest_to_newest 1422465 0 bfulgham 2018-05-09 14:01:19 -0700 To protect WebKit from malicious software, we should restrict the classes we will unarchive when passed a bundle parameter. Currently we allow anything descending from NSObject, which is far to large a set of objects. This is follow-up work to Bug 178484. 1422468 1 bfulgham 2018-05-09 14:07:13 -0700 <rdar://problem/21912401> 1422470 2 340021 bfulgham 2018-05-09 14:10:03 -0700 Created attachment 340021 Patch 1422513 3 bfulgham 2018-05-09 14:55:30 -0700 Committed r231598: <https://trac.webkit.org/changeset/231598> 340021 2018-05-09 14:10:03 -0700 2018-05-09 14:42:28 -0700 Patch bug-185489-20180509141003.patch text/plain 2036 bfulgham U3VidmVyc2lvbiBSZXZpc2lvbjogMjMxNDc1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDg0NmQ5YmE4MzAwZWI4ODBj OTg0YzIxNzdmMDc4NTEwMTZjMTYxNWIuLmE2MmU1OGMzZjVkMDJhNjFhYTI3M2ZkMTA2MzJmNzQz NjIyMDNmYmIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcgQEAKKzIwMTgtMDUtMDkgIEJyZW50IEZ1 bGdoYW0gIDxiZnVsZ2hhbUBhcHBsZS5jb20+CisKKyAgICAgICAgUmVzdHJpY3QgdW5hcmNoaXZp bmcgb2YgYnVuZGxlIHBhcmFtZXRlcnMgdG8gYSBzZXQgb2Yga25vd24gY2xhc3NlcworICAgICAg ICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg1NDg5CisgICAgICAg IDxyZGFyOi8vcHJvYmxlbS8yMTkxMjQwMT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICBTdG9wIGFjY2VwdGluZyBhbnl0aGluZyBkZXJpdmVkIGZyb20g TlNPYmplY3QsIGFuZCBpbnN0ZWFkIG9ubHkgYWdyZWUgdG8gdW5hcmNoaXZlIG9iamVjdHMKKyAg ICAgICAgZnJvbSBhIHNldCBvZiB0aGluZ3Mgd2UgYWN0dWFsbHkgcGFzcyBhcyBJbmplY3RlZEJ1 bmRsZSBwYXJhbWV0ZXJzLgorCisgICAgICAgICogV2ViUHJvY2Vzcy9JbmplY3RlZEJ1bmRsZS9t YWMvSW5qZWN0ZWRCdW5kbGVNYWMubW06CisgICAgICAgIChXZWJLaXQ6OkluamVjdGVkQnVuZGxl OjpzZXRCdW5kbGVQYXJhbWV0ZXIpOgorCiAyMDE4LTA1LTA3ICBBbGV4IENocmlzdGVuc2VuICA8 YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CiAKICAgICAgICAgV2ViUmVzb3VyY2VMb2FkU3RhdGlz dGljc1N0b3JlOjpyZXF1ZXN0U3RvcmFnZUFjY2VzcyBzaG91bGQgY2FsbCBpdHMgY29tcGxldGlv biBoYW5kbGVyIG9uIHRoZSBtYWluIHRocmVhZApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdC9X ZWJQcm9jZXNzL0luamVjdGVkQnVuZGxlL21hYy9JbmplY3RlZEJ1bmRsZU1hYy5tbSBiL1NvdXJj ZS9XZWJLaXQvV2ViUHJvY2Vzcy9JbmplY3RlZEJ1bmRsZS9tYWMvSW5qZWN0ZWRCdW5kbGVNYWMu bW0KaW5kZXggNDU2OTA3ZWI3YjJmZmIzZjMzMzcyMmQ4YjZlZGFkMjE4MWJlMmE1MC4uYjlkMjlh N2I4ZTlmZGUxZTg0YzQxYzJjOWE2NTUwZjcxOTk5Njc3MCAxMDA2NDQKLS0tIGEvU291cmNlL1dl YktpdC9XZWJQcm9jZXNzL0luamVjdGVkQnVuZGxlL21hYy9JbmplY3RlZEJ1bmRsZU1hYy5tbQor KysgYi9Tb3VyY2UvV2ViS2l0L1dlYlByb2Nlc3MvSW5qZWN0ZWRCdW5kbGUvbWFjL0luamVjdGVk QnVuZGxlTWFjLm1tCkBAIC0xODEsNyArMTgxLDcgQEAgdm9pZCBJbmplY3RlZEJ1bmRsZTo6c2V0 QnVuZGxlUGFyYW1ldGVyKGNvbnN0IFN0cmluZyYga2V5LCBjb25zdCBJUEM6OkRhdGFSZWZlcmUK IAogICAgIGlkIHBhcmFtZXRlciA9IG5pbDsKICAgICBAdHJ5IHsKLSAgICAgICAgcGFyYW1ldGVy ID0gW3VuYXJjaGl2ZXIgZGVjb2RlT2JqZWN0T2ZDbGFzczpbTlNPYmplY3QgY2xhc3NdIGZvcktl eTpAInBhcmFtZXRlciJdOworICAgICAgICBwYXJhbWV0ZXIgPSBbdW5hcmNoaXZlciBkZWNvZGVP YmplY3RPZkNsYXNzZXM6W05TU2V0IHNldFdpdGhPYmplY3RzOltOU0FycmF5IGNsYXNzXSwgW05T RGF0YSBjbGFzc10sIFtOU0RhdGUgY2xhc3NdLCBbTlNEaWN0aW9uYXJ5IGNsYXNzXSwgW05TTnVs bCBjbGFzc10sIFtOU051bWJlciBjbGFzc10sIFtOU1NldCBjbGFzc10sIFtOU1N0cmluZyBjbGFz c10sIFtOU1RpbWVab25lIGNsYXNzXSwgW05TVVJMIGNsYXNzXSwgW05TVVVJRCBjbGFzc10sIG5p bF0gZm9yS2V5OkAicGFyYW1ldGVyIl07CiAgICAgfSBAY2F0Y2ggKE5TRXhjZXB0aW9uICpleGNl cHRpb24pIHsKICAgICAgICAgTE9HX0VSUk9SKCJGYWlsZWQgdG8gZGVjb2RlIGJ1bmRsZSBwYXJh bWV0ZXI6ICVAIiwgZXhjZXB0aW9uKTsKICAgICAgICAgcmV0dXJuOwo=