From e7058173dfa7760daa745f5d0700743cfbe41749 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Fri, 10 Jan 2025 10:15:41 +0800 Subject: [PATCH 1/4] [CVE]update to webkit2gtk3-2.46.5-1.src.rpm to #IBGWR0 update to webkit2gtk3-2.46.5-1.src.rpm for CVE-2024-54479 CVE-2024-54502 CVE-2024-54505 CVE-2024-54508 Project: TC2024080204 Signed-off-by: Jacob Wang --- CVE-2024-44309.patch | 320 ------------------------------- download | 4 +- webkit2gtk3.spec | 39 +--- webkitgtk-2.40.5-sw.patch | 26 --- websocket-connection-spans.patch | 25 --- 5 files changed, 10 insertions(+), 404 deletions(-) delete mode 100644 CVE-2024-44309.patch delete mode 100644 webkitgtk-2.40.5-sw.patch delete mode 100644 websocket-connection-spans.patch diff --git a/CVE-2024-44309.patch b/CVE-2024-44309.patch deleted file mode 100644 index 10fed57..0000000 --- a/CVE-2024-44309.patch +++ /dev/null @@ -1,320 +0,0 @@ -From c52da7c313795d61665253f23c9f298005549c73 Mon Sep 17 00:00:00 2001 -From: Charlie Wolfe -Date: Thu, 14 Nov 2024 13:56:35 -0800 -Subject: [PATCH] Cherry-pick 60c387845715. - -Cherry-pick 2815b4e29829. rdar://139893250 - - Data Isolation bypass via attacker controlled firstPartyForCookies - https://bugs.webkit.org/show_bug.cgi?id=283095 - rdar://139818629 - - Reviewed by Matthew Finkel and Alex Christensen. - - `NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or - empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but - we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly - have about:blank set as their firstPartyForCookies, causing us to kill the WCP. - - This patch is a lower risk change that removes the unconditional cookie access for requests that have an - empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty - firstPartyForCookies. - - * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp: - (WebKit::NetworkConnectionToWebProcess::createSocketChannel): - (WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad): - (WebKit::NetworkConnectionToWebProcess::cookiesForDOM): - (WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM): - (WebKit::NetworkConnectionToWebProcess::cookiesEnabled): - (WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue): - (WebKit::NetworkConnectionToWebProcess::getRawCookies): - (WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync): - (WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync): - (WebKit::NetworkConnectionToWebProcess::domCookiesForHost): - (WebKit::NetworkConnectionToWebProcess::establishSWContextConnection): - * Source/WebKit/NetworkProcess/NetworkProcess.cpp: - (WebKit::NetworkProcess::allowsFirstPartyForCookies): - * Source/WebKit/NetworkProcess/NetworkProcess.h: - * Source/WebKit/NetworkProcess/NetworkSession.cpp: - (WebKit::NetworkSession::addAllowedFirstPartyForCookies): - * Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp: - (WebKit::WebSWServerConnection::scheduleJobInServer): - * Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp: - (WebKit::WebSharedWorkerServerConnection::requestSharedWorker): - * Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm: - (EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue)): - - Canonical link: https://commits.webkit.org/283286.477@safari-7620-branch - -Canonical link: https://commits.webkit.org/282416.294@webkitglib/2.46 ---- - .../NetworkConnectionToWebProcess.cpp | 51 ++++++++++++++----- - .../WebKit/NetworkProcess/NetworkProcess.cpp | 37 +++++++------- - Source/WebKit/NetworkProcess/NetworkProcess.h | 5 +- - .../WebKit/NetworkProcess/NetworkSession.cpp | 2 +- - .../ServiceWorker/WebSWServerConnection.cpp | 2 +- - .../WebSharedWorkerServerConnection.cpp | 2 +- - .../Tests/WebKitCocoa/IPCTestingAPI.mm | 33 ++++++++++++ - 7 files changed, 96 insertions(+), 36 deletions(-) - -diff --git a/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp b/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp -index a0ad3c628ec38..c13a96f0e796a 100644 ---- a/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp -+++ b/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp -@@ -502,7 +502,7 @@ void NetworkConnectionToWebProcess::didReceiveInvalidMessage(IPC::Connection&, I - - void NetworkConnectionToWebProcess::createSocketChannel(const ResourceRequest& request, const String& protocol, WebSocketIdentifier identifier, WebPageProxyIdentifier webPageProxyID, std::optional frameID, std::optional pageID, const ClientOrigin& clientOrigin, bool hadMainFrameMainResourcePrivateRelayed, bool allowPrivacyProxy, OptionSet advancedPrivacyProtections, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, WebCore::StoredCredentialsPolicy storedCredentialsPolicy) - { -- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, request.firstPartyForCookies())); -+ MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, request.firstPartyForCookies()) != NetworkProcess::AllowCookieAccess::Terminate); - - ASSERT(!m_networkSocketChannels.contains(identifier)); - if (auto channel = NetworkSocketChannel::create(*this, m_sessionID, request, protocol, identifier, webPageProxyID, frameID, pageID, clientOrigin, hadMainFrameMainResourcePrivateRelayed, allowPrivacyProxy, advancedPrivacyProtections, shouldRelaxThirdPartyCookieBlocking, storedCredentialsPolicy)) -@@ -552,11 +552,11 @@ RefPtr NetworkConnectionToWebProcess::createFetchTask(Ne - - void NetworkConnectionToWebProcess::scheduleResourceLoad(NetworkResourceLoadParameters&& loadParameters, std::optional existingLoaderToResume) - { -- bool hasCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, loadParameters.request.firstPartyForCookies()); -- if (UNLIKELY(!hasCookieAccess)) -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, loadParameters.request.firstPartyForCookies()); -+ if (UNLIKELY(allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow)) - RELEASE_LOG_ERROR(Loading, "scheduleResourceLoad: Web process does not have cookie access to url %" SENSITIVE_LOG_STRING " for request %" SENSITIVE_LOG_STRING, loadParameters.request.firstPartyForCookies().string().utf8().data(), loadParameters.request.url().string().utf8().data()); - -- MESSAGE_CHECK(hasCookieAccess); -+ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); - - CONNECTION_RELEASE_LOG(Loading, "scheduleResourceLoad: (parentPID=%d, pageProxyID=%" PRIu64 ", webPageID=%" PRIu64 ", frameID=%" PRIu64 ", resourceID=%" PRIu64 ", existingLoaderToResume=%" PRIu64 ")", loadParameters.parentPID, loadParameters.webPageProxyID.toUInt64(), loadParameters.webPageID.toUInt64(), loadParameters.webFrameID.object().toUInt64(), loadParameters.identifier.toUInt64(), valueOrDefault(existingLoaderToResume).toUInt64()); - -@@ -785,7 +785,10 @@ void NetworkConnectionToWebProcess::registerURLSchemesAsCORSEnabled(Vector&& completionHandler) - { -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ }, false)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ }, false)); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler({ }, false); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -802,7 +805,10 @@ void NetworkConnectionToWebProcess::cookiesForDOM(const URL& firstParty, const S - - void NetworkConnectionToWebProcess::setCookiesFromDOM(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, WebCore::FrameIdentifier frameID, PageIdentifier pageID, ApplyTrackingPrevention applyTrackingPrevention, const String& cookieString, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking) - { -- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return; - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -823,7 +829,10 @@ void NetworkConnectionToWebProcess::cookiesEnabledSync(const URL& firstParty, co - - void NetworkConnectionToWebProcess::cookiesEnabled(const URL& firstParty, const URL& url, std::optional frameID, std::optional pageID, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) - { -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler(false)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(false)); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler(false); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) { -@@ -837,7 +846,10 @@ void NetworkConnectionToWebProcess::cookiesEnabled(const URL& firstParty, const - - void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, IncludeSecureCookies includeSecureCookies, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) - { -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ }, false)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ }, false)); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler({ }, false); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -848,7 +860,10 @@ void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(const URL& fir - - void NetworkConnectionToWebProcess::getRawCookies(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&&)>&& completionHandler) - { -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler({ })); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ })); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler({ }); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -877,7 +892,10 @@ void NetworkConnectionToWebProcess::deleteCookie(const URL& url, const String& c - - void NetworkConnectionToWebProcess::cookiesForDOMAsync(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, IncludeSecureCookies includeSecureCookies, ApplyTrackingPrevention applyTrackingPrevention, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, WebCore::CookieStoreGetOptions&& options, CompletionHandler>&&)>&& completionHandler) - { -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty), completionHandler(std::nullopt)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(std::nullopt)); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler(std::nullopt); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -894,7 +912,10 @@ void NetworkConnectionToWebProcess::cookiesForDOMAsync(const URL& firstParty, co - - void NetworkConnectionToWebProcess::setCookieFromDOMAsync(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, std::optional frameID, std::optional pageID, ApplyTrackingPrevention applyTrackingPrevention, WebCore::Cookie&& cookie, ShouldRelaxThirdPartyCookieBlocking shouldRelaxThirdPartyCookieBlocking, CompletionHandler&& completionHandler) - { -- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty)); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, firstParty); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler(false)); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler(false); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -914,7 +935,10 @@ void NetworkConnectionToWebProcess::domCookiesForHost(const URL& url, Completion - { - auto host = url.host().toString(); - MESSAGE_CHECK_COMPLETION(HashSet::isValidValue(host), completionHandler({ })); -- MESSAGE_CHECK_COMPLETION(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, url), completionHandler({ })); -+ auto allowCookieAccess = m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, url); -+ MESSAGE_CHECK_COMPLETION(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate, completionHandler({ })); -+ if (allowCookieAccess != NetworkProcess::AllowCookieAccess::Allow) -+ return completionHandler({ }); - - auto* networkStorageSession = storageSession(); - if (!networkStorageSession) -@@ -1423,7 +1447,8 @@ void NetworkConnectionToWebProcess::establishSWContextConnection(WebPageProxyIde - { - auto* session = networkSession(); - if (auto* swServer = session ? session->swServer() : nullptr) { -- MESSAGE_CHECK(session->networkProcess().allowsFirstPartyForCookies(webProcessIdentifier(), registrableDomain)); -+ auto allowCookieAccess = session->networkProcess().allowsFirstPartyForCookies(webProcessIdentifier(), registrableDomain); -+ MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate); - m_swContextConnection = makeUnique(*this, webPageProxyID, WTFMove(registrableDomain), serviceWorkerPageIdentifier, *swServer); - } - completionHandler(); -diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.cpp b/Source/WebKit/NetworkProcess/NetworkProcess.cpp -index db0437d3b70a2..8f637e6c85fd4 100644 ---- a/Source/WebKit/NetworkProcess/NetworkProcess.cpp -+++ b/Source/WebKit/NetworkProcess/NetworkProcess.cpp -@@ -458,48 +458,49 @@ void NetworkProcess::webProcessWillLoadWebArchive(WebCore::ProcessIdentifier pro - }).iterator->value.first = LoadedWebArchive::Yes; - } - --bool NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const URL& firstParty) -+auto NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const URL& firstParty) -> AllowCookieAccess - { -- // FIXME: This should probably not be necessary. If about:blank is the first party for cookies, -- // we should set it to be the inherited origin then remove this exception. -- if (firstParty.isAboutBlank()) -- return true; -+ auto allowCookieAccess = allowsFirstPartyForCookies(processIdentifier, RegistrableDomain { firstParty }); -+ if (allowCookieAccess == NetworkProcess::AllowCookieAccess::Terminate) { -+ // FIXME: This should probably not be necessary. If about:blank is the first party for cookies, -+ // we should set it to be the inherited origin then remove this exception. -+ if (firstParty.isAboutBlank()) -+ return AllowCookieAccess::Disallow; - -- if (firstParty.isNull()) -- return true; // FIXME: This shouldn't be allowed. -+ if (firstParty.isNull()) -+ return AllowCookieAccess::Disallow; // FIXME: This shouldn't be allowed. -+ } - -- return allowsFirstPartyForCookies(processIdentifier, RegistrableDomain { firstParty }); -+ return allowCookieAccess; - } - --bool NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const RegistrableDomain& firstPartyDomain) -+auto NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier processIdentifier, const RegistrableDomain& firstPartyDomain) -> AllowCookieAccess - { - // FIXME: This shouldn't be needed but it is hit sometimes at least with PDFs. -- if (firstPartyDomain.isEmpty()) -- return true; -- -+ auto terminateOrDisallow = firstPartyDomain.isEmpty() ? AllowCookieAccess::Disallow : AllowCookieAccess::Terminate; - if (!decltype(m_allowedFirstPartiesForCookies)::isValidKey(processIdentifier)) { - ASSERT_NOT_REACHED(); -- return false; -+ return terminateOrDisallow; - } - - auto iterator = m_allowedFirstPartiesForCookies.find(processIdentifier); - if (iterator == m_allowedFirstPartiesForCookies.end()) { - ASSERT_NOT_REACHED(); -- return false; -+ return terminateOrDisallow; - } - - if (iterator->value.first == LoadedWebArchive::Yes) -- return true; -+ return AllowCookieAccess::Allow; - - auto& set = iterator->value.second; - if (!std::remove_reference_t::isValidValue(firstPartyDomain)) { - ASSERT_NOT_REACHED(); -- return false; -+ return terminateOrDisallow; - } - - auto result = set.contains(firstPartyDomain); -- ASSERT(result); -- return result; -+ ASSERT(result || terminateOrDisallow == AllowCookieAccess::Disallow); -+ return result ? AllowCookieAccess::Allow : terminateOrDisallow; - } - - void NetworkProcess::addStorageSession(PAL::SessionID sessionID, const WebsiteDataStoreParameters& parameters) -diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.h b/Source/WebKit/NetworkProcess/NetworkProcess.h -index 0897537e58476..54f19ab96ce47 100644 ---- a/Source/WebKit/NetworkProcess/NetworkProcess.h -+++ b/Source/WebKit/NetworkProcess/NetworkProcess.h -@@ -417,8 +417,9 @@ class NetworkProcess final : public AuxiliaryProcess, private DownloadManager::C - void deleteWebsiteDataForOrigin(PAL::SessionID, OptionSet, const WebCore::ClientOrigin&, CompletionHandler&&); - void deleteWebsiteDataForOrigins(PAL::SessionID, OptionSet, const Vector& origins, const Vector& cookieHostNames, const Vector& HSTSCacheHostnames, const Vector&, CompletionHandler&&); - -- bool allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const URL&); -- bool allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const RegistrableDomain&); -+ enum class AllowCookieAccess : uint8_t { Disallow, Allow, Terminate }; -+ AllowCookieAccess allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const URL&); -+ AllowCookieAccess allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const RegistrableDomain&); - void addAllowedFirstPartyForCookies(WebCore::ProcessIdentifier, WebCore::RegistrableDomain&&, LoadedWebArchive, CompletionHandler&&); - void webProcessWillLoadWebArchive(WebCore::ProcessIdentifier); - -diff --git a/Source/WebKit/NetworkProcess/NetworkSession.cpp b/Source/WebKit/NetworkProcess/NetworkSession.cpp -index d3e9e8b4b64bc..2c5fb9ad6765e 100644 ---- a/Source/WebKit/NetworkProcess/NetworkSession.cpp -+++ b/Source/WebKit/NetworkProcess/NetworkSession.cpp -@@ -728,7 +728,7 @@ void NetworkSession::appBoundDomains(CompletionHandler requestingProcessIdentifier, WebCore::RegistrableDomain&& firstPartyForCookies) - { -- if (requestingProcessIdentifier && (requestingProcessIdentifier != webProcessIdentifier) && !m_networkProcess->allowsFirstPartyForCookies(requestingProcessIdentifier.value(), firstPartyForCookies)) { -+ if (requestingProcessIdentifier && (requestingProcessIdentifier != webProcessIdentifier) && m_networkProcess->allowsFirstPartyForCookies(requestingProcessIdentifier.value(), firstPartyForCookies) != NetworkProcess::AllowCookieAccess::Allow) { - ASSERT_NOT_REACHED(); - return; - } -diff --git a/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp b/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp -index 72d67d9f98a2d..515f4597cf33f 100644 ---- a/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp -+++ b/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp -@@ -344,7 +344,7 @@ void WebSWServerConnection::postMessageToServiceWorker(ServiceWorkerIdentifier d - - void WebSWServerConnection::scheduleJobInServer(ServiceWorkerJobData&& jobData) - { -- MESSAGE_CHECK(networkProcess().allowsFirstPartyForCookies(identifier(), WebCore::RegistrableDomain::uncheckedCreateFromHost(jobData.topOrigin.host()))); -+ MESSAGE_CHECK(networkProcess().allowsFirstPartyForCookies(identifier(), WebCore::RegistrableDomain::uncheckedCreateFromHost(jobData.topOrigin.host())) != NetworkProcess::AllowCookieAccess::Terminate); - - ASSERT(!jobData.scopeURL.isNull()); - if (jobData.scopeURL.isNull()) { -diff --git a/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp b/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp -index 83affaaded38e..084bbdf8f8c55 100644 ---- a/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp -+++ b/Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp -@@ -79,7 +79,7 @@ NetworkSession* WebSharedWorkerServerConnection::session() - - void WebSharedWorkerServerConnection::requestSharedWorker(WebCore::SharedWorkerKey&& sharedWorkerKey, WebCore::SharedWorkerObjectIdentifier sharedWorkerObjectIdentifier, WebCore::TransferredMessagePort&& port, WebCore::WorkerOptions&& workerOptions) - { -- MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, WebCore::RegistrableDomain::uncheckedCreateFromHost(sharedWorkerKey.origin.topOrigin.host()))); -+ MESSAGE_CHECK(m_networkProcess->allowsFirstPartyForCookies(m_webProcessIdentifier, WebCore::RegistrableDomain::uncheckedCreateFromHost(sharedWorkerKey.origin.topOrigin.host())) != NetworkProcess::AllowCookieAccess::Terminate); - MESSAGE_CHECK(sharedWorkerObjectIdentifier.processIdentifier() == m_webProcessIdentifier); - MESSAGE_CHECK(sharedWorkerKey.name == workerOptions.name); - CONNECTION_RELEASE_LOG("requestSharedWorker: sharedWorkerObjectIdentifier=%" PUBLIC_LOG_STRING, sharedWorkerObjectIdentifier.toString().utf8().data()); diff --git a/download b/download index c0fe0ea..299db9d 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -17418066047237be6dd6df128acb231c webkitgtk-2.46.3.tar.xz -2367711cce6526c4f6b8f803441bf8d1 webkitgtk-2.46.3.tar.xz.asc +095d7f72acb300839c9879a4f95bf941 webkitgtk-2.46.5.tar.xz +9018f63a130365d831a5f78ea6b85a17 webkitgtk-2.46.5.tar.xz.asc diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 2dcd872..b096a0e 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -10,14 +9,13 @@ # $ rhpkg build --target rhel-8.10.0-z-webkitgtk-stack-gate Name: webkit2gtk3 -Version: 2.46.3 -Release: 2%{anolis_release}%{?dist} +Version: 2.46.5 +Release: 1%{?dist} Summary: GTK Web content engine library License: LGPLv2 URL: https://www.webkitgtk.org/ Source0: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz -ExcludeArch: loongarch64 Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # Use the keys from https://webkitgtk.org/verifying.html # $ gpg --import aperez.key carlosgc.key @@ -28,7 +26,7 @@ Source2: webkitgtk-keys.gpg ## Patches to support older build toolchain ## -#Patch100: compiler-flags.patch +Patch100: compiler-flags.patch Patch101: s390x-build.patch ## @@ -37,7 +35,7 @@ Patch101: s390x-build.patch Patch200: cairo-1.15.patch Patch201: glib-2.56.patch -#Patch202: gstreamer-1.16.patch +Patch202: gstreamer-1.16.patch Patch203: harfbuzz-1.7.5.patch Patch204: icu60.patch @@ -48,24 +46,11 @@ Patch204: icu60.patch Patch300: evolution-shared-secondary-process.patch Patch301: evolution-sandbox-warning.patch -## -## Patches that need to be upstreamed -## - -# https://bugs.webkit.org/show_bug.cgi?id=282645 -Patch400: websocket-connection-spans.patch -# https://bugs.webkit.org/show_bug.cgi?id=283095 -Patch401: CVE-2024-44309.patch - -Patch1001: webkitgtk-2.40.5-sw.patch - BuildRequires: bison BuildRequires: cmake BuildRequires: flex BuildRequires: gcc-c++ -%ifnarch sw_64 -BuildRequires: gcc-toolset-13 -%endif +BuildRequires: gcc-toolset-14 BuildRequires: gettext BuildRequires: git BuildRequires: gnupg2 @@ -235,13 +220,7 @@ rm -rf Source/ThirdParty/qunit/ # But we aren't using it in RHEL 9 because it's broken there: https://issues.redhat.com/browse/RHEL-59586 # In RHEL 8, I haven't yet figured out whether we can use LLVM Toolset to build. # So for now we'll use GCC instead. -#%enable_devtoolset14 -%ifnarch sw_64 -# The system GCC is too old to build WebKit, so use a GCC Toolset instead. -# This prints warnings complaining that it should not be used except in -# SCL scriplets, but I can't figure out any other way to make it work. -source scl_source enable gcc-toolset-13 -%endif +%enable_devtoolset14 # -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires # __atomic_compare_exchange_16 which is not available in RHEL 8. @@ -336,10 +315,8 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog -* Mon Jan 06 2025 Bo Ren 2.46.3-2.0.1 -- Exclude loongarch64 -- cherry-pick `add sw arch #ef8be098b07c4d8a9f809d32a607700f4a420676`. (nijie@wxiat.com) -- Remove patches for cmake and gstreamer (wb-zh951434@alibaba-inc.com) +* Wed Dec 18 2024 Michael Catanzaro - 2.46.5-1 +- Update to 2.46.5 * Mon Nov 25 2024 Michael Catanzaro - 2.46.3-2 - Add patch for CVE-2024-44309 diff --git a/webkitgtk-2.40.5-sw.patch b/webkitgtk-2.40.5-sw.patch deleted file mode 100644 index f827028..0000000 --- a/webkitgtk-2.40.5-sw.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 175ccbf0aa167628af0f22cbec72689a6e75e2b8 Mon Sep 17 00:00:00 2001 -From: wxiat -Date: Mon, 1 Apr 2024 11:31:04 +0800 -Subject: [PATCH] add sw arch. - -Signed-off-by: wxiat ---- - Source/WTF/wtf/dtoa/utils.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Source/WTF/wtf/dtoa/utils.h b/Source/WTF/wtf/dtoa/utils.h -index aa0786de..b7d66339 100644 ---- a/Source/WTF/wtf/dtoa/utils.h -+++ b/Source/WTF/wtf/dtoa/utils.h -@@ -87,7 +87,7 @@ int main(int argc, char** argv) { - defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \ - defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ - defined(__sparc__) || defined(__sparc) || defined(__s390__) || \ -- defined(__SH4__) || defined(__alpha__) || \ -+ defined(__SH4__) || defined(__alpha__) || defined(__sw_64__)|| \ - defined(_MIPS_ARCH_MIPS32R2) || \ - defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \ - defined(__riscv) || \ --- -2.31.1 - diff --git a/websocket-connection-spans.patch b/websocket-connection-spans.patch deleted file mode 100644 index e1c89c0..0000000 --- a/websocket-connection-spans.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff --git a/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp b/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp -index 1a0cd1de5078..8c4e0e378f11 100644 ---- a/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp -+++ b/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp -@@ -246,7 +246,7 @@ void WebSocketTask::sendString(std::span utf8, CompletionHandler< - GRefPtr bytes = adoptGRef(g_bytes_new_static(utf8.data(), utf8.size())); - soup_websocket_connection_send_message(m_connection.get(), SOUP_WEBSOCKET_DATA_TEXT, bytes.get()); - #else -- soup_websocket_connection_send_text(m_connection.get(), CString(reinterpret_cast(utf8.data()), utf8.size()).data()); -+ soup_websocket_connection_send_text(m_connection.get(), CString(utf8).data()); - #endif - } - callback(); -diff --git a/Source/WebKit/UIProcess/Inspector/glib/RemoteInspectorHTTPServer.cpp b/Source/WebKit/UIProcess/Inspector/glib/RemoteInspectorHTTPServer.cpp -index 89382a72d9c1..60f5fdedf0e0 100644 ---- a/Source/WebKit/UIProcess/Inspector/glib/RemoteInspectorHTTPServer.cpp -+++ b/Source/WebKit/UIProcess/Inspector/glib/RemoteInspectorHTTPServer.cpp -@@ -156,7 +156,7 @@ void RemoteInspectorHTTPServer::sendMessageToFrontend(uint64_t connectionID, uin - GRefPtr bytes = adoptGRef(g_bytes_new_static(utf8.data(), utf8.length())); - soup_websocket_connection_send_message(webSocketConnection, SOUP_WEBSOCKET_DATA_TEXT, bytes.get()); - #else -- soup_websocket_connection_send_text(webSocketConnection, CString(reinterpret_cast(utf8.data()), utf8.length()).data()); -+ soup_websocket_connection_send_text(webSocketConnection, CString(utf8).data()); - #endif - } -- Gitee From dda83b61a9666a464c0aae9a5cc47c94d4017169 Mon Sep 17 00:00:00 2001 From: Renbo Date: Tue, 16 Jan 2024 17:10:45 +0800 Subject: [PATCH 2/4] Exclude loongarch64 Signed-off-by: Renbo --- webkit2gtk3.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index b096a0e..c6d0d95 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -10,12 +11,13 @@ Name: webkit2gtk3 Version: 2.46.5 -Release: 1%{?dist} +Release: 1%{anolis_release}%{?dist} Summary: GTK Web content engine library License: LGPLv2 URL: https://www.webkitgtk.org/ Source0: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz +ExcludeArch: loongarch64 Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # Use the keys from https://webkitgtk.org/verifying.html # $ gpg --import aperez.key carlosgc.key @@ -315,6 +317,9 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog +* Fri Jan 10 2025 Bo Ren 2.46.5-1.0.1 +- Exclude loongarch64 + * Wed Dec 18 2024 Michael Catanzaro - 2.46.5-1 - Update to 2.46.5 -- Gitee From 227046cefd32a4a7e91cc7b1cfa8594c3d964551 Mon Sep 17 00:00:00 2001 From: wxiat Date: Tue, 1 Aug 2023 09:51:12 +0800 Subject: [PATCH 3/4] cherry-pick `add sw arch #ef8be098b07c4d8a9f809d32a607700f4a420676`. Signed-off-by: Weisson --- webkit2gtk3.spec | 14 ++++++++++++-- webkitgtk-2.40.5-sw.patch | 26 ++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 webkitgtk-2.40.5-sw.patch diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index c6d0d95..f4cef75 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -48,11 +48,14 @@ Patch204: icu60.patch Patch300: evolution-shared-secondary-process.patch Patch301: evolution-sandbox-warning.patch +Patch1001: webkitgtk-2.40.5-sw.patch BuildRequires: bison BuildRequires: cmake BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: gcc-toolset-14 +%ifnarch sw_64 +BuildRequires: gcc-toolset-13 +%endif BuildRequires: gettext BuildRequires: git BuildRequires: gnupg2 @@ -222,7 +225,13 @@ rm -rf Source/ThirdParty/qunit/ # But we aren't using it in RHEL 9 because it's broken there: https://issues.redhat.com/browse/RHEL-59586 # In RHEL 8, I haven't yet figured out whether we can use LLVM Toolset to build. # So for now we'll use GCC instead. -%enable_devtoolset14 +#%enable_devtoolset14 +%ifnarch sw_64 +# The system GCC is too old to build WebKit, so use a GCC Toolset instead. +# This prints warnings complaining that it should not be used except in +# SCL scriplets, but I can't figure out any other way to make it work. +source scl_source enable gcc-toolset-13 +%endif # -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires # __atomic_compare_exchange_16 which is not available in RHEL 8. @@ -319,6 +328,7 @@ export NINJA_STATUS="[%f/%t][%e] " %changelog * Fri Jan 10 2025 Bo Ren 2.46.5-1.0.1 - Exclude loongarch64 +- cherry-pick `add sw arch #ef8be098b07c4d8a9f809d32a607700f4a420676`. (nijie@wxiat.com) * Wed Dec 18 2024 Michael Catanzaro - 2.46.5-1 - Update to 2.46.5 diff --git a/webkitgtk-2.40.5-sw.patch b/webkitgtk-2.40.5-sw.patch new file mode 100644 index 0000000..f827028 --- /dev/null +++ b/webkitgtk-2.40.5-sw.patch @@ -0,0 +1,26 @@ +From 175ccbf0aa167628af0f22cbec72689a6e75e2b8 Mon Sep 17 00:00:00 2001 +From: wxiat +Date: Mon, 1 Apr 2024 11:31:04 +0800 +Subject: [PATCH] add sw arch. + +Signed-off-by: wxiat +--- + Source/WTF/wtf/dtoa/utils.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Source/WTF/wtf/dtoa/utils.h b/Source/WTF/wtf/dtoa/utils.h +index aa0786de..b7d66339 100644 +--- a/Source/WTF/wtf/dtoa/utils.h ++++ b/Source/WTF/wtf/dtoa/utils.h +@@ -87,7 +87,7 @@ int main(int argc, char** argv) { + defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \ + defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ + defined(__sparc__) || defined(__sparc) || defined(__s390__) || \ +- defined(__SH4__) || defined(__alpha__) || \ ++ defined(__SH4__) || defined(__alpha__) || defined(__sw_64__)|| \ + defined(_MIPS_ARCH_MIPS32R2) || \ + defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \ + defined(__riscv) || \ +-- +2.31.1 + -- Gitee From ffc4b42ba7b12a123fd37e68f5ddcba1ed861007 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 2 Jan 2025 15:28:33 +0800 Subject: [PATCH 4/4] spec: remove patches for cmake and gstreamer Signed-off-by: Zhao Hang --- webkit2gtk3.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index f4cef75..34adbb0 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -28,7 +28,7 @@ Source2: webkitgtk-keys.gpg ## Patches to support older build toolchain ## -Patch100: compiler-flags.patch +#Patch100: compiler-flags.patch Patch101: s390x-build.patch ## @@ -37,7 +37,7 @@ Patch101: s390x-build.patch Patch200: cairo-1.15.patch Patch201: glib-2.56.patch -Patch202: gstreamer-1.16.patch +#Patch202: gstreamer-1.16.patch Patch203: harfbuzz-1.7.5.patch Patch204: icu60.patch @@ -329,6 +329,7 @@ export NINJA_STATUS="[%f/%t][%e] " * Fri Jan 10 2025 Bo Ren 2.46.5-1.0.1 - Exclude loongarch64 - cherry-pick `add sw arch #ef8be098b07c4d8a9f809d32a607700f4a420676`. (nijie@wxiat.com) +- Remove patches for cmake and gstreamer (wb-zh951434@alibaba-inc.com) * Wed Dec 18 2024 Michael Catanzaro - 2.46.5-1 - Update to 2.46.5 -- Gitee