Bug 237100

Summary: Restrict supported image decoding types when in CaptivePortal mode
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: WebKit Misc.Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham, cdumez, darin, sabouhallawa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=237120
Attachments:
Description Flags
Patch
none
Patch darin: review+

Description Brent Fulgham 2022-02-23 11:53:53 PST 
Adopt the CGImageSourceSetAllowableTypes SPI to prevent CoreGraphics from running image decoders for riskier image types.
Comment 1 Radar WebKit Bug Importer 2022-02-23 11:54:15 PST 
<rdar://problem/89369518>
Comment 2 Brent Fulgham 2022-02-23 12:02:30 PST 
Created attachment 453010 [details]
Patch
Comment 3 Brent Fulgham 2022-02-23 13:39:22 PST 
Created attachment 453023 [details]
Patch
Comment 4 Darin Adler 2022-02-23 15:01:29 PST 
Comment on attachment 453023 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=453023&action=review

> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:248
> +#if HAVE(CGIMAGESOURCE_WITH_SET_ALLOWABLE_TYPES)
> +static NSArray *UTITypes()
> +{
> +    return @[@"public.jpeg",
> +        @"public.png",
> +        @"org.webmproject.webp",
> +        @"com.compuserve.gif",
> +    ];
> +}
> +#endif

Does not seem like we need a separate function for this.

    NSArray *types = @[
        @"public.jpeg",
        @"public.png",
        @"org.webmproject.webp",
        @"com.compuserve.gif",
    ];
    auto status = CGImageSourceSetAllowableTypes(bridge_cast(types));

Could even use auto or constexpr.

> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:255
> +#if HAVE(CGIMAGESOURCE_WITH_SET_ALLOWABLE_TYPES)

I think we should format the #if differently. Strange to just check the boolean and then do nothing, so maybe we can put more of the function inside the #if, or put the #if at the call site too.
Comment 6 Brent Fulgham 2022-02-23 15:58:13 PST 
See Bug 237120 for the actual issue.
Comment 7 Brent Fulgham 2022-02-23 16:22:18 PST 
After reviewing this with the CoreGraphics/ImageIO team, we don't need to do this, as we have already adopted the necessary entitlements to limit decoders in Captive Portal mode.

The cause of PDF images still appearing is a separate issue, which requires a different fix (see Bug 237120).