RESOLVED FIXED 178484
Adopt new secure coding APIs in WebCore 
https://bugs.webkit.org/show_bug.cgi?id=178484
Summary Adopt new secure coding APIs in WebCore
Brent Fulgham
Reported 2017-10-18 13:36:14 PDT
Switch away from older NSKeyedArchiver/NSKeyedUnarchive methods that supported non-NSSecureCoding serialization.
Attachments
Patch (53.66 KB, patch)
2017-10-18 17:01 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (55.55 KB, patch)
2017-10-19 08:42 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (55.67 KB, patch)
2017-10-19 10:11 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (55.69 KB, patch)
2017-10-19 12:08 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (56.31 KB, patch)
2017-10-19 13:23 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (56.27 KB, patch)
2017-10-19 17:34 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (56.24 KB, patch)
2017-10-19 20:03 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (56.91 KB, patch)
2017-10-19 20:51 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews102 for mac-elcapitan (1002.57 KB, application/zip)
2017-10-19 21:58 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from ews112 for mac-elcapitan (1.89 MB, application/zip)
2017-10-19 21:58 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from ews122 for ios-simulator-wk2 (4.06 MB, application/zip)
2017-10-19 22:30 PDT, Build Bot 		no flags
Details
Patch (54.31 KB, patch)
2017-10-20 08:09 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews104 for mac-elcapitan-wk2 (1.31 MB, application/zip)
2017-10-20 15:48 PDT, Build Bot 		no flags
Details
Patch (55.08 KB, patch)
2017-10-23 11:15 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (53.52 KB, patch)
2017-10-23 13:52 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (48.47 KB, patch)
2017-10-23 17:08 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (48.30 KB, patch)
2017-10-24 11:43 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (48.29 KB, patch)
2017-10-24 11:45 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (4.08 KB, patch)
2017-12-18 12:38 PST, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (6.71 KB, patch)
2017-12-20 13:46 PST, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (6.75 KB, patch)
2017-12-20 13:59 PST, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (8.11 KB, patch)
2017-12-20 15:15 PST, Brent Fulgham 		eric.carlson: review+
DetailsFormatted DiffDiff
Show Obsolete (21) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2017-10-18 16:51:37 PDT
<rdar://problem/34837193>
Brent Fulgham
Comment 2 2017-10-18 17:01:37 PDT
Created attachment 324182 [details] Patch
Brent Fulgham
Comment 3 2017-10-19 08:42:07 PDT
Created attachment 324238 [details] Patch
Brent Fulgham
Comment 4 2017-10-19 10:11:31 PDT
Created attachment 324245 [details] Patch
Brent Fulgham
Comment 5 2017-10-19 12:08:47 PDT
Created attachment 324258 [details] Patch
Brent Fulgham
Comment 6 2017-10-19 13:23:56 PDT
Created attachment 324273 [details] Patch
Brent Fulgham
Comment 7 2017-10-19 17:34:46 PDT
Created attachment 324322 [details] Patch
Brent Fulgham
Comment 8 2017-10-19 20:03:53 PDT
Created attachment 324337 [details] Patch
Brent Fulgham
Comment 9 2017-10-19 20:51:44 PDT
Created attachment 324344 [details] Patch
Build Bot
Comment 10 2017-10-19 21:57:59 PDT
Comment on attachment 324344 [details] Patch Attachment 324344 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/4928409 New failing tests: http/tests/xmlhttprequest/reentrant-cancel-abort.html http/tests/xmlhttprequest/reentrant-cancel.html fast/loader/subresource-load-failed-crash.html
Build Bot
Comment 11 2017-10-19 21:58:00 PDT
Created attachment 324350 [details] Archive of layout-test-results from ews102 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews102 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 12 2017-10-19 21:58:03 PDT
Comment on attachment 324344 [details] Patch Attachment 324344 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/4928236 New failing tests: http/tests/xmlhttprequest/reentrant-cancel-abort.html http/tests/xmlhttprequest/reentrant-cancel.html fast/loader/subresource-load-failed-crash.html
Build Bot
Comment 13 2017-10-19 21:58:04 PDT
Created attachment 324351 [details] Archive of layout-test-results from ews112 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 14 2017-10-19 22:30:55 PDT
Comment on attachment 324344 [details] Patch Attachment 324344 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/4928452 New failing tests: http/tests/xmlhttprequest/reentrant-cancel-abort.html http/tests/xmlhttprequest/reentrant-cancel.html fast/loader/subresource-load-failed-crash.html
Build Bot
Comment 15 2017-10-19 22:30:57 PDT
Created attachment 324357 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
Ryosuke Niwa
Comment 16 2017-10-19 22:48:11 PDT
Comment on attachment 324344 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324344&action=review > Source/WebCore/rendering/RenderLayer.cpp:349 > + ASSERT(renderer().document().frame()); I don't think we have to keep checking this condition over and over.
Brent Fulgham
Comment 17 2017-10-20 08:09:18 PDT
Created attachment 324400 [details] Patch
Brent Fulgham
Comment 18 2017-10-20 09:34:57 PDT
(In reply to Ryosuke Niwa from comment #16) > Comment on attachment 324344 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=324344&action=review > > > Source/WebCore/rendering/RenderLayer.cpp:349 > > + ASSERT(renderer().document().frame()); > > I don't think we have to keep checking this condition over and over. Yeah -- that wasn't supposed to be in the patch. It was unrelated debugging code. Please look at the revised patch.
Build Bot
Comment 19 2017-10-20 15:48:51 PDT
Comment on attachment 324400 [details] Patch Attachment 324400 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/4937386 New failing tests: webrtc/video-replace-muted-track.html
Build Bot
Comment 20 2017-10-20 15:48:52 PDT
Created attachment 324454 [details] Archive of layout-test-results from ews104 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Tim Horton
Comment 21 2017-10-20 17:23:35 PDT
Comment on attachment 324400 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324400&action=review > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:28 > +#if USE(APPLE_INTERNAL_SDK) && ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101302) || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 110200)) How sure are you about MIN_REQUIRED vs. MAX_AVAILABLE and whether the minor part of the version number is actually incremented?
Brent Fulgham
Comment 22 2017-10-20 19:25:15 PDT
Comment on attachment 324400 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324400&action=review >> Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:28 >> +#if USE(APPLE_INTERNAL_SDK) && ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101302) || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 110200)) > > How sure are you about MIN_REQUIRED vs. MAX_AVAILABLE and whether the minor part of the version number is actually incremented? I think MIN_REQUIRED is right, because these calls are not available in earlier SDKs so we don’t want to try to use them when building for older OS’s. But maybe a build-type person can weigh in and confirm/deny. I know that we do not update minor version numbers, so we will likely not use this code in production builds until we rev them again. Or, we could downgrade these checks once the updated API is available on our build bots.
Brent Fulgham
Comment 23 2017-10-21 15:57:52 PDT
(In reply to Build Bot from comment #19) > New failing tests: > webrtc/video-replace-muted-track.html This test failure is not related to this patch.
Brent Fulgham
Comment 24 2017-10-21 15:58:53 PDT
I've sent a note to our build team to get confirmation about whether we should use MIN_REQUIRED or MAX_AVAILABLE (or some combo of the two).
Brent Fulgham
Comment 25 2017-10-23 11:15:34 PDT
Created attachment 324569 [details] Patch
Brent Fulgham
Comment 26 2017-10-23 13:52:59 PDT
Created attachment 324583 [details] Patch
Tim Horton
Comment 27 2017-10-23 16:18:12 PDT
Comment on attachment 324583 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324583&action=review > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:28 > +#define USE_NEW_ARCHIVER_API ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MAX_ALLOWED >= 101302 && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300) || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 110200) || (PLATFORM(WATCHOS) && __WATCH_OS_VERSION_MIN_REQUIRED >= 40200) || (PLATFORM(TVOS) && __TV_OS_VERSION_MIN_REQUIRED >= 110200)) Weird number of spaces before the first ( > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:89 > +inline NSKeyedArchiver *_Nonnull secureArchiverFromMutableData(NSMutableData *_Nonnull mutableData) This should return a RetainPtr or something so that clients don't have to adopt and so that it's harder to make a mistake. From the name it's totally unclear that this returns a +1 object. > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:96 > +inline NSKeyedUnarchiver *_Nonnull secureUnarchiverFromData(NSData *_Nonnull data) Ditto. > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:99 > + NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:data error:nil]; I think you may also want to set decodingFailurePolicy to NSDecodingFailurePolicyRaiseException (the old behavior), otherwise using the new constructor means you'll be in NSDecodingFailurePolicySetErrorAndReturn mode, and we don't check the error. But I'm not sure :P
Brent Fulgham
Comment 28 2017-10-23 17:03:46 PDT
Comment on attachment 324583 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324583&action=review >> Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:89 >> +inline NSKeyedArchiver *_Nonnull secureArchiverFromMutableData(NSMutableData *_Nonnull mutableData) > > This should return a RetainPtr or something so that clients don't have to adopt and so that it's harder to make a mistake. From the name it's totally unclear that this returns a +1 object. OK! >> Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:96 >> +inline NSKeyedUnarchiver *_Nonnull secureUnarchiverFromData(NSData *_Nonnull data) > > Ditto. OK! >> Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:99 >> + NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:data error:nil]; > > I think you may also want to set decodingFailurePolicy to NSDecodingFailurePolicyRaiseException (the old behavior), otherwise using the new constructor means you'll be in NSDecodingFailurePolicySetErrorAndReturn mode, and we don't check the error. But I'm not sure :P OK. It makes the patch smaller, too, since we don't have to add new error handling logic.
Brent Fulgham
Comment 29 2017-10-23 17:08:50 PDT
Created attachment 324616 [details] Patch
WebKit Commit Bot
Comment 30 2017-10-24 09:21:40 PDT
Comment on attachment 324616 [details] Patch Clearing flags on attachment: 324616 Committed r223889: <https://trac.webkit.org/changeset/223889>
WebKit Commit Bot
Comment 31 2017-10-24 09:21:42 PDT
All reviewed patches have been landed. Closing bug.
Matt Lewis
Comment 33 2017-10-24 11:14:08 PDT
Reverted r223889 for reason: This caused multiple crashes on all platforms Committed r223900: <https://trac.webkit.org/changeset/223900>
Brent Fulgham
Comment 34 2017-10-24 11:24:16 PDT
It looks like the Sierra bots are building High Sierra code. This might be a build system configuration issue.
Brent Fulgham
Comment 35 2017-10-24 11:39:57 PDT
There are related to the test dumping code. It looks like toggling "secure coding" on and off doesn't work properly.
Brent Fulgham
Comment 36 2017-10-24 11:43:37 PDT
Created attachment 324691 [details] Patch for landing
Brent Fulgham
Comment 37 2017-10-24 11:45:17 PDT
Created attachment 324692 [details] Patch for landing
WebKit Commit Bot
Comment 38 2017-10-24 12:07:22 PDT
Comment on attachment 324692 [details] Patch for landing Clearing flags on attachment: 324692 Committed r223908: <https://trac.webkit.org/changeset/223908>
WebKit Commit Bot
Comment 39 2017-10-24 12:07:24 PDT
All reviewed patches have been landed. Closing bug.
Ryan Haddad
Comment 40 2017-10-26 10:18:26 PDT
Reverted r223908 for reason: Causes LayoutTest crashes with newer SDKs. Committed r224023: <https://trac.webkit.org/changeset/224023>
Darin Adler
Comment 41 2017-10-28 15:46:59 PDT
Comment on attachment 324692 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=324692&action=review > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:28 > +#define USE_NEW_ARCHIVER_API ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MAX_ALLOWED >= 101302 && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300) || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 110200) || (PLATFORM(WATCHOS) && __WATCH_OS_VERSION_MIN_REQUIRED >= 40200) || (PLATFORM(TVOS) && __TV_OS_VERSION_MIN_REQUIRED >= 110200)) Generally we try not to use the term "new" in WebKit code. It’s new now, but later it will be old or at least not new, and the code will still say "NEW". I think this could be fixed by changing this to be USE_LEGACY_ARCHIVER or something like that and reversing its definition and usage.
Brent Fulgham
Comment 42 2017-12-18 12:38:29 PST
Created attachment 329660 [details] Patch
Brent Fulgham
Comment 43 2017-12-18 12:40:35 PST
This patch is now much smaller, as it only touches the WebCore code that uses the archiver in insecure ways.
Brent Fulgham
Comment 44 2017-12-20 13:46:07 PST
Created attachment 329950 [details] Patch
Tim Horton
Comment 45 2017-12-20 13:51:56 PST
Comment on attachment 329950 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=329950&action=review > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:91 > + // This can be removed when <rdar://problem/31376830> is fixed. Not sure this comment is quite right. > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:93 > + return [NSKeyedUnarchiver unarchiveObjectWithData:data]; Crazy that securelyUnarchiveObjectOfClassFromData sometimes does an insecure unarchive. Can this assert that it’s not NSAttributedString and put the branches at call sites? Or maybe not. I don’t know.
Brent Fulgham
Comment 46 2017-12-20 13:55:00 PST
(In reply to Tim Horton from comment #45) > > Crazy that securelyUnarchiveObjectOfClassFromData sometimes does an insecure > unarchive. Can this assert that it’s not NSAttributedString and put the > branches at call sites? Or maybe not. I don’t know. We'd have to add that check and branch in at least three call sites, so I kind of hate that idea. I could change the name to something like, "securelyUnarchiveObjectOfClassFromDataIfPossible" or something?
Brent Fulgham
Comment 47 2017-12-20 13:56:10 PST
(In reply to Tim Horton from comment #45) > Comment on attachment 329950 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=329950&action=review > > > Source/WebCore/PAL/pal/spi/cocoa/NSKeyedArchiverSPI.h:91 > > + // This can be removed when <rdar://problem/31376830> is fixed. > > Not sure this comment is quite right. I'll rephrase that. Basically, I'm just trying to say "we can remove this ugly hack code when the fix from rdar 31376830 is deployed everywhere we target."
Brent Fulgham
Comment 48 2017-12-20 13:59:03 PST
Created attachment 329951 [details] Patch
Tim Horton
Comment 49 2017-12-20 14:48:37 PST
How about dropping “securely” from the secure-most-of-the-time one, making it sound more default, and just make the always-insecure one have the explicitly-“insecure” name?
Brent Fulgham
Comment 50 2017-12-20 14:52:45 PST
(In reply to Tim Horton from comment #49) > How about dropping “securely” from the secure-most-of-the-time one, making > it sound more default, and just make the always-insecure one have the > explicitly-“insecure” name? Fine with me.
Brent Fulgham
Comment 51 2017-12-20 15:15:48 PST
Created attachment 329957 [details] Patch
Eric Carlson
Comment 52 2017-12-21 08:32:47 PST
Comment on attachment 329957 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=329957&action=review > Source/WebCore/ChangeLog:10 > + Switch to new NSKeyed[Un]Archiver methods that active and use > + NSSecureCoding by default. Nit: I don't understand what "... methods that *active* and use ..." means. > Source/WebCore/PAL/ChangeLog:15 > + Rename 'insecurelyUnarchiveObjectOfClassFromData' to match NSKeyedArchiver naming > + (i.e., 'UnarchivedData' rather than 'UnarchiveData'), and move it earlier in the > + file so it can be reused by 'unarchiveObjectOfClassFromData'. Nit: this wording made me think you had renamed securelyUnarchiveObjectOfClassFromData, not change from securelyUnarchiveObjectOfClassFromData to insecurelyUnarchiveObjectOfClassFromData. Also, I don't understand the new name because the NSKeyedUnarchiver selector is "unarchiveObjectWithData", not "unarchivedObjectWithData" (no "d").
Brent Fulgham
Comment 53 2017-12-21 08:44:56 PST
Comment on attachment 329957 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=329957&action=review >> Source/WebCore/ChangeLog:10 >> + NSSecureCoding by default. > > Nit: I don't understand what "... methods that *active* and use ..." means. Wow! English fail. It should just say "Switch to new NSKeyed[Un]Archiver methods that use NSSecureCoding by default. >> Source/WebCore/PAL/ChangeLog:15 >> + file so it can be reused by 'unarchiveObjectOfClassFromData'. > > Nit: this wording made me think you had renamed securelyUnarchiveObjectOfClassFromData, not change from securelyUnarchiveObjectOfClassFromData to insecurelyUnarchiveObjectOfClassFromData. > > Also, I don't understand the new name because the NSKeyedUnarchiver selector is "unarchiveObjectWithData", not "unarchivedObjectWithData" (no "d"). Ugh. You are right. The new API says "unarchivedObjectOfClass:...", while the old API was "unarchiveObjectWIthData". I'll change the name to match the old API, and since we don't give it a class name I'll remove that from the method name: "insecurelyUnarchiveObjectFromData" I'll clarify in the ChangeLog.
Brent Fulgham
Comment 54 2017-12-21 09:18:33 PST
Committed r226224: <https://trac.webkit.org/changeset/226224>
Brent Fulgham
Comment 55 2017-12-21 15:58:57 PST
Follow-up fix landed in r226248. Committed r226248: <https://trac.webkit.org/changeset/226248>
Note You need to log in before you can comment on or make changes to this bug.