author | Danil Somsikov <dsv@chromium.org> | 2022-04-25 12:18:01 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-07-25 14:22:58 +0000 |
commit | 4910f9068c2a8c0ba2f83401f542d637c1bfc04a (patch) | |
tree | 5d5d2aac7f78551606e57290641b4d3f7acd3d09 | |
parent | b9f4853e8fe92ac7681bde21d016f6c63926a3ba (diff) | |
download | qtwebengine-chromium-4910f9068c2a8c0ba2f83401f542d637c1bfc04a.tar.gz |
[Backport] CVE-2022-2160: Insufficient policy enforcement in DevTools
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3599349:
Only allow capturing screenshots from surface for chrome extensions.
Bug: 1116450
Change-Id: Ia4e081dbd44e0d3e2f85248b9e4ec9306e3ceb72
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Auto-Submit: Danil Somsikov <dsv@chromium.org>
Commit-Queue: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/main@{#995663}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
3 files changed, 14 insertions, 3 deletions
diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index 14f57516ddc..5e7f35b875c 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -195,9 +195,12 @@ bool CanExecuteGlobalCommands(
 PageHandler::PageHandler(EmulationHandler* emulation_handler,
 BrowserHandler* browser_handler,
- bool allow_unsafe_operations)
+ bool allow_unsafe_operations,
+ bool may_capture_screenshots_not_from_surface)
 : DevToolsDomainHandler(Page::Metainfo::domainName),
 allow_unsafe_operations_(allow_unsafe_operations),
+ may_capture_screenshots_not_from_surface_(
+ may_capture_screenshots_not_from_surface),
 enabled_(false),
 screencast_enabled_(false),
 screencast_quality_(kDefaultScreenshotQuality),
@@ -747,6 +750,11 @@ void PageHandler::CaptureScreenshot(
 // We don't support clip/emulation when capturing from window, bail out.
 if (!from_surface.fromMaybe(true)) {
+ if (!may_capture_screenshots_not_from_surface_) {
+ callback->sendFailure(
+ Response::ServerError("Only screenshots from surface are allowed."));
+ return;
+ }
 widget_host->GetSnapshotFromBrowser(
 base::BindOnce(&PageHandler::ScreenshotCaptured,
 weak_factory_.GetWeakPtr(), std::move(callback),
diff --git a/chromium/content/browser/devtools/protocol/page_handler.h b/chromium/content/browser/devtools/protocol/page_handler.h
index 4c86f681345..d4c3e68c4cc 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.h
+++ b/chromium/content/browser/devtools/protocol/page_handler.h
@@ -65,7 +65,8 @@ class PageHandler : public DevToolsDomainHandler,
 public:
 PageHandler(EmulationHandler* emulation_handler,
 BrowserHandler* browser_handler,
- bool allow_unsafe_operations);
+ bool allow_unsafe_operations,
+ bool may_capture_screenshots_not_from_surface);
 ~PageHandler() override;
 static std::vector<PageHandler*> EnabledForWebContents(
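Review bot: The new privilege check in CaptureScreenshot sits directly under `// We don't support clip/emulation when capturing from window, bail out.`, which now reads as if it explained the rejection, and nothing in the hunk states why a `fromSurface: false` request needs special trust. I would add above the new `if`: `// A window snapshot comes from the browser (GetSnapshotFromBrowser) rather than this page's surface and can include content outside the page, so only clients trusted to attach to the browser may request it.` Keeping the check inside the `!from_surface.fromMaybe(true)` branch is right, since an omitted parameter then takes the surface path; whether any other path reaches GetSnapshotFromBrowser without this gate cannot be judged from the hunk and is worth confirming. CaptureScreenshot's body starts before and continues past the hunk.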
@@ -222,6 +223,7 @@ class PageHandler : public DevToolsDomainHandler,
 void OnDownloadDestroyed(download::DownloadItem* item) override;
 const bool allow_unsafe_operations_;
+ const bool may_capture_screenshots_not_from_surface_;
 bool enabled_;
 bool bypass_csp_ = false;
diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
index 4489712bab0..3f06b47fed5 100644
--- a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -344,7 +344,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session,
 GetId(), auto_attacher_.get(), session->GetRootSession()));
 session->AddHandler(std::make_unique<protocol::PageHandler>(
 emulation_handler_ptr, browser_handler_ptr,
- session->GetClient()->AllowUnsafeOperations()));
+ session->GetClient()->AllowUnsafeOperations(),
+ session->GetClient()->MayAttachToBrowser()));
 session->AddHandler(std::make_unique<protocol::SecurityHandler>());
 if (!frame_tree_node_ || !frame_tree_node_->parent()) {
 session->AddHandler(
 |
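Review bot: `may_capture_screenshots_not_from_surface_` is declared with no comment, and the name reads like a feature toggle rather than the trust decision it actually carries. I would document it where it is declared: `// Whether this session may request Page.captureScreenshot with fromSurface=false, i.e. a browser-window snapshot; the caller in render_frame_devtools_agent_host.cc derives this from MayAttachToBrowser(), so it is a privilege bit, not a capability probe.` The same sentence belongs on the new constructor parameter in the earlier hunk of this file. The enclosing class declaration starts and ends outside the hunk.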
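Review bot: Passing `session->GetClient()->MayAttachToBrowser()` as the screenshot-policy argument is a reasonable trust boundary but a non-obvious one, and nothing at this call site records the intent, so a later refactor could swap in a weaker client predicate without noticing the security consequence. I would put a one-line comment on the new argument: `// Window-level (fromSurface=false) screenshots require browser-attach privilege; see PageHandler::CaptureScreenshot.` Because the PageHandler constructor gained a parameter with no default, any other construction site outside this diff fails to compile instead of silently keeping the permissive behaviour, which is the safer outcome; whether such sites exist cannot be seen here. AttachSession's body starts before and continues past the hunk.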