author | Chris Bookholt <bookholt@chromium.org> | 2022-01-11 00:33:53 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-02-18 01:11:57 +0000 |
commit | 2ac6ece03918c6df6c93fb2a7d842e872cc85bc3 (patch) | |
tree | 2b59aa1e6ea604d11a4b30ba3e9fbcb8b6c3bd7d | |
parent | 82487dd93d3f3c9dc2c8bfacf48feab5d6e413d6 (diff) | |
download | qtwebengine-chromium-2ac6ece03918c6df6c93fb2a7d842e872cc85bc3.tar.gz |
[Backport] CVE-2022-0305: Inappropriate implementation in Service Worker API
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3379268:
ServiceWorkerContainerHost::EnsureFileAccess: abort request processing if the requesting process lacks file access
Bug: 1282354
Change-Id: Ia37ef5b97eedb0d2ad25ffe2869844a40e5be862
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Chris Bookholt <bookholt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#957344}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/service_worker/service_worker_container_host.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/content/browser/service_worker/service_worker_container_host.cc b/chromium/content/browser/service_worker/service_worker_container_host.cc index 9a2193ac5a4..74abd00dc0f 100644 --- a/chromium/content/browser/service_worker/service_worker_container_host.cc +++ b/chromium/content/browser/service_worker/service_worker_container_host.cc @@ -349,10 +349,12 @@ void ServiceWorkerContainerHost::EnsureFileAccess( ChildProcessSecurityPolicyImpl* policy = ChildProcessSecurityPolicyImpl::GetInstance(); for (const auto& file : file_paths) { - if (!policy->CanReadFile(process_id_, file)) + if (!policy->CanReadFile(process_id_, file)) { mojo::ReportBadMessage( "The renderer doesn't have access to the file " "but it tried to grant access to the controller."); + return; + } if (!policy->CanReadFile(controller_process_id, file)) policy->GrantReadFile(controller_process_id, file); |
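
Review bot: the new `return` in the `!policy->CanReadFile(process_id_, file)` branch stops the loop at the first file the renderer cannot read, but the check and the grant are still interleaved per file. Any entries earlier in `file_paths` that passed the check have already gone through `policy->GrantReadFile(controller_process_id, file)` by the time the bad message is reported. Consider validating every path in a first pass and granting only in a second loop, so that a request which trips `mojo::ReportBadMessage` leaves the controller process with no new grants. A regression test that sends a list containing one unreadable path and asserts that the controller gains no read access would pin this behaviour down.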