214669 2020-07-22 18:07:04 -0700 Web Inspector: developerExtrasEnabled should be respected when opening local Web Inspector (part 2) 2020-07-23 15:48:33 -0700 1 1 1 Unclassified WebKit Web Inspector WebKit Local Build All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=214573 InRadar P2 Normal --- 1 bburg bburg bburg hi inspector-bugzilla-changes joepeck webkit-bug-importer oldest_to_newest 1674061 0 bburg 2020-07-22 18:07:04 -0700 . 1674063 1 405004 bburg 2020-07-22 18:14:24 -0700 Created attachment 405004 Patch 1674065 2 bburg 2020-07-22 18:15:13 -0700 <rdar://65885126> 1674080 3 405004 joepeck 2020-07-22 18:43:14 -0700 Comment on attachment 405004 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review > Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 > + if (!m_inspectedPage->preferences().developerExtrasEnabled()) > + return; How would it be possible to get here? 1674343 4 405004 bburg 2020-07-23 13:43:11 -0700 Comment on attachment 405004 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >> + return; > > How would it be possible to get here? A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. 1674344 5 405004 joepeck 2020-07-23 13:45:51 -0700 Comment on attachment 405004 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>> + return; >> >> How would it be possible to get here? > > A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well. 1674346 6 405004 hi 2020-07-23 13:46:39 -0700 Comment on attachment 405004 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>>> + return; >>> >>> How would it be possible to get here? >> >> A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. > > Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well. Based on this logic there should probably be a check for `WebInspectorProxy::append` too. 1674347 7 hi 2020-07-23 13:47:11 -0700 ah lol @Joe beat me to it :P r=me as well :) 1674395 8 405004 bburg 2020-07-23 15:07:14 -0700 Comment on attachment 405004 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>>>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>>>> + return; >>>> >>>> How would it be possible to get here? >>> >>> A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. >> >> Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well. > > Based on this logic there should probably be a check for `WebInspectorProxy::append` too. I'll address ::append as well. 1674406 9 405082 bburg 2020-07-23 15:15:47 -0700 Created attachment 405082 Patch 1674429 10 ews-feeder 2020-07-23 15:48:33 -0700 Committed r264803: <https://trac.webkit.org/changeset/264803> All reviewed patches have been landed. Closing bug and clearing flags on attachment 405082. 405004 2020-07-22 18:14:24 -0700 2020-07-23 15:15:46 -0700 Patch bug-214669-20200722181423.patch text/plain 1528 bburg U3VidmVyc2lvbiBSZXZpc2lvbjogMjY0NjE5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGMxMDM3ZDU5ODliODY2Yjgy NGM2MjQxMWVmZDY5MmE3ODQwYjIxOGUuLmE5YTU5ZDllYTAyZmI5NjA5NTg0N2NkYzlmMjY2OTMz Y2U0MzdmNGYgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMjAtMDctMjIgIEJyaWFuIEJ1 cmcgIDxiYnVyZ0BhcHBsZS5jb20+CisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogZGV2ZWxvcGVy RXh0cmFzRW5hYmxlZCBzaG91bGQgYmUgcmVzcGVjdGVkIHdoZW4gb3BlbmluZyBsb2NhbCBXZWIg SW5zcGVjdG9yIChwYXJ0IDIpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0yMTQ2NjkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICAqIFVJUHJvY2Vzcy9JbnNwZWN0b3IvV2ViSW5zcGVjdG9yUHJveHkuY3BwOgor ICAgICAgICAoV2ViS2l0OjpXZWJJbnNwZWN0b3JQcm94eTo6c2F2ZSk6IEFkZCBtaXNzaW5nIGNo ZWNrIGZvciBkZXZlbG9wZXJFeHRyYXNFbmFibGVkLgorCiAyMDIwLTA3LTIwICBBbGV4IENocmlz dGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CiAKICAgICAgICAgUkVHUkVTU0lPTihy MjYzNTUxKSBNYWluIHRocmVhZCBvZnRlbiBoYW5ncyB3aGlsZSBzYXZpbmcgY29va2llcwpkaWZm IC0tZ2l0IGEvU291cmNlL1dlYktpdC9VSVByb2Nlc3MvSW5zcGVjdG9yL1dlYkluc3BlY3RvclBy b3h5LmNwcCBiL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL0luc3BlY3Rvci9XZWJJbnNwZWN0b3JQ cm94eS5jcHAKaW5kZXggMTllMDk0Nzg2NTNkZjNkYzlhNzJkZjM0NzU2NjNjOWFlMTMyMGNjZC4u Mzk1OTgzMTMyZGZjN2U0N2I3YmFlNTQ5ZGQ2ZmVhN2QyYmIwYmUxMiAxMDA2NDQKLS0tIGEvU291 cmNlL1dlYktpdC9VSVByb2Nlc3MvSW5zcGVjdG9yL1dlYkluc3BlY3RvclByb3h5LmNwcAorKysg Yi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9JbnNwZWN0b3IvV2ViSW5zcGVjdG9yUHJveHkuY3Bw CkBAIC02NjcsNiArNjY3LDkgQEAgdm9pZCBXZWJJbnNwZWN0b3JQcm94eTo6YnJvd3NlckV4dGVu c2lvbnNEaXNhYmxlZChIYXNoU2V0PFN0cmluZz4mJiBleHRlbnNpb25JRHMKIAogdm9pZCBXZWJJ bnNwZWN0b3JQcm94eTo6c2F2ZShjb25zdCBTdHJpbmcmIGZpbGVuYW1lLCBjb25zdCBTdHJpbmcm IGNvbnRlbnQsIGJvb2wgYmFzZTY0RW5jb2RlZCwgYm9vbCBmb3JjZVNhdmVBcykKIHsKKyAgICBp ZiAoIW1faW5zcGVjdGVkUGFnZS0+cHJlZmVyZW5jZXMoKS5kZXZlbG9wZXJFeHRyYXNFbmFibGVk KCkpCisgICAgICAgIHJldHVybjsKKwogICAgIEFTU0VSVCghZmlsZW5hbWUuaXNFbXB0eSgpKTsK ICAgICBpZiAoZmlsZW5hbWUuaXNFbXB0eSgpKQogICAgICAgICByZXR1cm47Cg== 405082 2020-07-23 15:15:47 -0700 2020-07-23 15:48:33 -0700 Patch bug-214669-20200723151547.patch text/plain 1943 bburg U3VidmVyc2lvbiBSZXZpc2lvbjogMjY0NjE5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGMxMDM3ZDU5ODliODY2Yjgy NGM2MjQxMWVmZDY5MmE3ODQwYjIxOGUuLjYxYmMwYzM1MDlhM2U4ZTNjNzZlZDE0MDJlYmQ2ZmE5 MTg2ZjQ1MTUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTQgQEAKKzIwMjAtMDctMjIgIEJyaWFuIEJ1 cmcgIDxiYnVyZ0BhcHBsZS5jb20+CisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogZGV2ZWxvcGVy RXh0cmFzRW5hYmxlZCBzaG91bGQgYmUgcmVzcGVjdGVkIHdoZW4gb3BlbmluZyBsb2NhbCBXZWIg SW5zcGVjdG9yIChwYXJ0IDIpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0yMTQ2NjkKKworICAgICAgICBSZXZpZXdlZCBieSBEZXZpbiBSb3Vzc28gYW5k IEpvc2VwaCBQZWNvcmFyby4KKworICAgICAgICAqIFVJUHJvY2Vzcy9JbnNwZWN0b3IvV2ViSW5z cGVjdG9yUHJveHkuY3BwOgorICAgICAgICAoV2ViS2l0OjpXZWJJbnNwZWN0b3JQcm94eTo6c2F2 ZSk6CisgICAgICAgIChXZWJLaXQ6OldlYkluc3BlY3RvclByb3h5OjphcHBlbmQpOiBBZGQgbWlz c2luZyBjaGVjayBmb3IgZGV2ZWxvcGVyRXh0cmFzRW5hYmxlZC4KKwogMjAyMC0wNy0yMCAgQWxl eCBDaHJpc3RlbnNlbiAgPGFjaHJpc3RlbnNlbkB3ZWJraXQub3JnPgogCiAgICAgICAgIFJFR1JF U1NJT04ocjI2MzU1MSkgTWFpbiB0aHJlYWQgb2Z0ZW4gaGFuZ3Mgd2hpbGUgc2F2aW5nIGNvb2tp ZXMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL0luc3BlY3Rvci9XZWJJbnNw ZWN0b3JQcm94eS5jcHAgYi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9JbnNwZWN0b3IvV2ViSW5z cGVjdG9yUHJveHkuY3BwCmluZGV4IDE5ZTA5NDc4NjUzZGYzZGM5YTcyZGYzNDc1NjYzYzlhZTEz MjBjY2QuLjAxZWE3MjVmNmY1Mzc5NTM3ZjA1NGY4MmIyYWEyM2RjZmVjNTUxM2YgMTAwNjQ0Ci0t LSBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL0luc3BlY3Rvci9XZWJJbnNwZWN0b3JQcm94eS5j cHAKKysrIGIvU291cmNlL1dlYktpdC9VSVByb2Nlc3MvSW5zcGVjdG9yL1dlYkluc3BlY3RvclBy b3h5LmNwcApAQCAtNjY3LDYgKzY2Nyw5IEBAIHZvaWQgV2ViSW5zcGVjdG9yUHJveHk6OmJyb3dz ZXJFeHRlbnNpb25zRGlzYWJsZWQoSGFzaFNldDxTdHJpbmc+JiYgZXh0ZW5zaW9uSURzCiAKIHZv aWQgV2ViSW5zcGVjdG9yUHJveHk6OnNhdmUoY29uc3QgU3RyaW5nJiBmaWxlbmFtZSwgY29uc3Qg U3RyaW5nJiBjb250ZW50LCBib29sIGJhc2U2NEVuY29kZWQsIGJvb2wgZm9yY2VTYXZlQXMpCiB7 CisgICAgaWYgKCFtX2luc3BlY3RlZFBhZ2UtPnByZWZlcmVuY2VzKCkuZGV2ZWxvcGVyRXh0cmFz RW5hYmxlZCgpKQorICAgICAgICByZXR1cm47CisKICAgICBBU1NFUlQoIWZpbGVuYW1lLmlzRW1w dHkoKSk7CiAgICAgaWYgKGZpbGVuYW1lLmlzRW1wdHkoKSkKICAgICAgICAgcmV0dXJuOwpAQCAt Njc2LDYgKzY3OSw5IEBAIHZvaWQgV2ViSW5zcGVjdG9yUHJveHk6OnNhdmUoY29uc3QgU3RyaW5n JiBmaWxlbmFtZSwgY29uc3QgU3RyaW5nJiBjb250ZW50LCBib29sCiAKIHZvaWQgV2ViSW5zcGVj dG9yUHJveHk6OmFwcGVuZChjb25zdCBTdHJpbmcmIGZpbGVuYW1lLCBjb25zdCBTdHJpbmcmIGNv bnRlbnQpCiB7CisgICAgaWYgKCFtX2luc3BlY3RlZFBhZ2UtPnByZWZlcmVuY2VzKCkuZGV2ZWxv cGVyRXh0cmFzRW5hYmxlZCgpKQorICAgICAgICByZXR1cm47CisKICAgICBBU1NFUlQoIWZpbGVu YW1lLmlzRW1wdHkoKSk7CiAgICAgaWYgKGZpbGVuYW1lLmlzRW1wdHkoKSkKICAgICAgICAgcmV0 dXJuOwo=