Summary:

I have found a path traversal issue in Safari, present in iOS 14.0. When saving a web page as PDF into Files, Safari uses the page’s <title> tag as a file name, without sanitising it first, leading to path traversal.

Steps to reproduce:

  1. Set up a webserver hosting this HTML file:
<title>/../../Library/Preferences/</title>
<h1>Hello world!</h1>
  1. Open the page in Safari
  2. Tap Share
  3. Tap Options -> Set Send As to PDF -> Tap the back arrow
  4. Tap Save to Files
  5. An extension-less file named pdf was created at /private/var/mobile/Containers/Data/Application/[safari's UUID]/Library/Preferences/pdf

This file was created by the MobileSafari process.

Extras / limitations:

  • If the <title> tag ends with a /, a file named pdf will be created.
  • If the <title> tag doesn’t end with a /, .pdf is always appended at the end of the file.
  • If the file to create already exists, a -1 or -2 (incremental number) will be added to the filename, before the first dot. (example: if /Library/Preferences/com.apple.mobilesafari.plist.pdf already exists, pressing Save to Files will create /Library/Preferences/com-1.apple.mobilesafari.plist.pdf)
  • If a file path outside the app folder is provided, a warning in the Console from the kernel process will show. e.g.: Sandbox: MobileSafari(1756) deny(1) file-write-create /private/var/pdf.

A malicious attack could may use this vulnerability to permanently crash Safari by creating a file which Safari is unable to parse.

As far as I know Safari can’t be deleted/reinstalled, so I’m not sure how to remove these test/malicious files from Safari’s filesystem.

Thank you,
David

This issue was fixed in iOS/iPadOS 14.5 and in watchOS 7.4.