Bug 185489

Summary: Restrict unarchiving of bundle parameters to a set of known classes
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: WebKit2Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ddkilzer, rniwa
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch rniwa: review+

Description Brent Fulgham 2018-05-09 14:01:19 PDT 
To protect WebKit from malicious software, we should restrict the classes we will unarchive when passed a bundle parameter. Currently we allow anything descending from NSObject, which is far to large a set of objects.

This is follow-up work to Bug 178484.
Comment 1 Brent Fulgham 2018-05-09 14:07:13 PDT 
<rdar://problem/21912401>
Comment 2 Brent Fulgham 2018-05-09 14:10:03 PDT 
Created attachment 340021 [details]
Patch
Comment 3 Brent Fulgham 2018-05-09 14:55:30 PDT 
Committed r231598: <https://trac.webkit.org/changeset/231598>