185489 – Restrict unarchiving of bundle parameters to a set of known classes

RESOLVED FIXED 185489

Restrict unarchiving of bundle parameters to a set of known classes

https://bugs.webkit.org/show_bug.cgi?id=185489

Summary Restrict unarchiving of bundle parameters to a set of known classes

Brent Fulgham

Reported 2018-05-09 14:01:19 PDT

To protect WebKit from malicious software, we should restrict the classes we will unarchive when passed a bundle parameter. Currently we allow anything descending from NSObject, which is far to large a set of objects. This is follow-up work to Bug 178484.

Attachments
Patch (1.99 KB, patch) 2018-05-09 14:10 PDT, Brent Fulgham	rniwa: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2018-05-09 14:07:13 PDT

<rdar://problem/21912401>

Brent Fulgham

Comment 2 2018-05-09 14:10:03 PDT

Created attachment 340021 [details] Patch

Brent Fulgham

Comment 3 2018-05-09 14:55:30 PDT

Committed r231598: <https://trac.webkit.org/changeset/231598>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit2

Assignee

Brent Fulgham

Reported

2018-05-09 14:01 PDT

Modified

2018-05-09 14:55 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks