Bug 237717 - [macOS] Image decoders should be restricted for Mail
Summary: [macOS] Image decoders should be restricted for Mail
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Per Arne Vollan
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-03-10 08:55 PST by Per Arne Vollan
Modified: 2022-03-28 15:36 PDT (History)
5 users (show)

See Also:


Attachments
Patch (5.21 KB, patch)
2022-03-10 09:01 PST, Per Arne Vollan
no flags Details | Formatted Diff | Diff
Patch (17.09 KB, patch)
2022-03-10 13:48 PST, Per Arne Vollan
no flags Details | Formatted Diff | Diff
Patch (10.41 KB, patch)
2022-03-10 14:10 PST, Per Arne Vollan
no flags Details | Formatted Diff | Diff
Patch (2.28 KB, patch)
2022-03-11 14:58 PST, Per Arne Vollan
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Per Arne Vollan 2022-03-10 08:55:27 PST
We already restrict image decoders for Mail on iOS. We should do so on macOS too.
Comment 1 Per Arne Vollan 2022-03-10 08:57:19 PST
<rdar://89827733>
Comment 2 Per Arne Vollan 2022-03-10 09:01:21 PST
Created attachment 454367 [details]
Patch
Comment 3 Per Arne Vollan 2022-03-10 13:48:17 PST
Created attachment 454396 [details]
Patch
Comment 4 Per Arne Vollan 2022-03-10 14:10:45 PST
Created attachment 454398 [details]
Patch
Comment 5 Geoffrey Garen 2022-03-10 14:57:27 PST
Comment on attachment 454398 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=454398&action=review

r=me

> Source/WebCore/platform/graphics/cg/ImageDecoderCG.h:78
> +    static bool m_enableRestrictedDecoding;

For static variables, we use the "s_" prefix. "m_" for "member", "s_" for "static".

> Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:450
> +        if (auto trustdExtensionHandle = SandboxExtension::createHandleForMachLookup("com.apple.trustd.agent"_s, std::nullopt))
> +            parameters.trustdExtensionHandle = WTFMove(*trustdExtensionHandle);

In a follow-up, it would be nice to disconnect Mail from trustd.
Comment 6 Per Arne Vollan 2022-03-10 15:32:26 PST
(In reply to Geoffrey Garen from comment #5)
> Comment on attachment 454398 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=454398&action=review
> 
> r=me
> 
> > Source/WebCore/platform/graphics/cg/ImageDecoderCG.h:78
> > +    static bool m_enableRestrictedDecoding;
> 
> For static variables, we use the "s_" prefix. "m_" for "member", "s_" for
> "static".
> 

Will fix!

> > Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:450
> > +        if (auto trustdExtensionHandle = SandboxExtension::createHandleForMachLookup("com.apple.trustd.agent"_s, std::nullopt))
> > +            parameters.trustdExtensionHandle = WTFMove(*trustdExtensionHandle);
> 
> In a follow-up, it would be nice to disconnect Mail from trustd.

That is a good point, I will follow up on this.

Thanks for reviewing!
Comment 7 EWS 2022-03-11 14:14:45 PST
Committed r291190 (248346@main): <https://commits.webkit.org/248346@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 454398 [details].
Comment 8 Per Arne Vollan 2022-03-11 14:58:29 PST
Reopening to attach new patch.
Comment 9 Per Arne Vollan 2022-03-11 14:58:30 PST
Created attachment 454514 [details]
Patch
Comment 10 EWS 2022-03-11 19:17:07 PST
Committed r291204 (248359@main): <https://commits.webkit.org/248359@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 454514 [details].
Comment 11 Tim Horton 2022-03-28 13:38:37 PDT
Comment on attachment 454398 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=454398&action=review

> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:295
> +#if USE(APPLE_INTERNAL_SDK)

I know this was preexisting, but it's generally wrong for code to be guarded by USE(APPLE_INTERNAL_SDK); you should use SPI headers (which can be guarded by USE(APPLE_INTERNAL_SDK)) to run the same code in non-internal-SDK builds... is there a reason this code doesn't behave like the rest?
Comment 12 Per Arne Vollan 2022-03-28 15:36:34 PDT
(In reply to Tim Horton from comment #11)
> Comment on attachment 454398 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=454398&action=review
> 
> > Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:295
> > +#if USE(APPLE_INTERNAL_SDK)
> 
> I know this was preexisting, but it's generally wrong for code to be guarded
> by USE(APPLE_INTERNAL_SDK); you should use SPI headers (which can be guarded
> by USE(APPLE_INTERNAL_SDK)) to run the same code in non-internal-SDK
> builds... is there a reason this code doesn't behave like the rest?

That is a good point. This should behave like the rest. I have filed a bug report to address this.

Thanks for reviewing!