authorMin Qin <qinmin@chromium.org>2022-06-15 20:04:48 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-08-08 15:24:54 +0000
commit577388738e0025c415606b97e82a88ff3f090357 (patch)
treea7795f79818864d27496ac1280c8b07ca967581c
parent2e3686e72481396fa8b75187c87d386cf6151be4 (diff)
downloadqtwebengine-chromium-577388738e0025c415606b97e82a88ff3f090357.tar.gz
[Backport] CVE-2022-2618: Insufficient validation of untrusted input in Internals
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3688608: Sanitize default file name in windows select file dialog On windows, '%' is a special character and can be used for environment variables. So if the default file name is '%DATADIR%', it can actually refer to another directory and thus causing weird behaviors. And '%' cannot be escaped when used in the file dialog. Both "^%" and "%%" don't work. This CL mitigates the issue by replacing '%' with '_'. This only affects the default file name when showing the dialog. Power users can still change the file name by adding '%' if needed. BUG=1308422 Change-Id: Ibb275f5c3c2c9458c20d1e97ad527f7c95184eaa Reviewed-by: Robert Liao <robliao@chromium.org> Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/main@{#1014602} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/ui/shell_dialogs/execute_select_file_win.cc30
-rw-r--r--chromium/ui/shell_dialogs/execute_select_file_win.h6
2 files changed, 35 insertions, 1 deletions
diff --git a/chromium/ui/shell_dialogs/execute_select_file_win.cc b/chromium/ui/shell_dialogs/execute_select_file_win.cc
index 063d4c7c96c..162dbc3aeb4 100644
--- a/chromium/ui/shell_dialogs/execute_select_file_win.cc
+++ b/chromium/ui/shell_dialogs/execute_select_file_win.cc
@@ -10,6 +10,7 @@
#include "base/callback.h"
#include "base/files/file.h"
#include "base/files/file_util.h"
+#include "base/strings/string_tokenizer.h"
#include "base/strings/string_util.h"
#include "base/win/com_init_util.h"
#include "base/win/registry.h"
@@ -50,7 +51,7 @@ bool SetDefaultPath(IFileDialog* file_dialog,
default_folder = default_path;
} else {
default_folder = default_path.DirName();
- default_file_name = default_path.BaseName();
+ default_file_name = GetSanitizedFileName(default_path.BaseName());
}
// Do not fail the file dialog operation if the specified folder is invalid.
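Review bot: Only the base name in the `else` branch goes through GetSanitizedFileName; `default_folder` is assigned from `default_path` or `default_path.DirName()` unchanged in both branches. How the folder string is consumed is outside this hunk, so please confirm it never reaches an API that expands `%VAR%`. Either way, a comment on the new line would record why the two values are treated differently, for example `// The dialog expands %VAR% in the suggested file name, so strip such pairs first.` SetDefaultPath starts and ends outside the hunk.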
@@ -371,6 +372,33 @@ std::wstring AppendExtensionIfNeeded(const std::wstring& filename,
return return_value;
}
+base::FilePath GetSanitizedFileName(const base::FilePath& file_name) {
+ base::StringTokenizerT<std::wstring, std::wstring::const_iterator> t(
+ file_name.value(), L"%");
+ t.set_options(base::StringTokenizer::RETURN_EMPTY_TOKENS);
+ std::wstring result;
+ bool token_valid = t.GetNext();
+ while (token_valid) {
+ // Append substring before the first "%".
+ result.append(t.token());
+ // Done if we are reaching the end delimiter,
+ if (!t.GetNext()) {
+ break;
+ }
+ std::wstring string_after_first_percent = t.token();
+ token_valid = t.GetNext();
+ // If there are no other "%", append the string after
+ // the first "%". Otherwise, remove the string between
+ // the "%" and continue handing the remaining string.
+ if (!token_valid) {
+ result.append(L"%");
+ result.append(string_after_first_percent);
+ break;
+ }
+ }
+ return base::FilePath(result);
+}
+
void ExecuteSelectFile(
SelectFileDialog::Type type,
const std::u16string& title,
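Review bot: GetSanitizedFileName can return an empty path. For a name that is nothing but one `%…%` pair, such as the `%DATADIR%` example in the commit message, the loop as written appears to drop every character and leave `result` empty. How SetDefaultPath treats an empty `default_file_name` is not visible here, so confirm that it skips setting the file name rather than passing an empty string to the dialog. The loop also removes the enclosed text rather than replacing '%' with '_' as the description states, and it keeps a single unpaired '%'. A comment above the definition would make that contract explicit, for example `// Drops each %...% pair together with the text between them; one unpaired '%' is kept.` ExecuteSelectFile, which follows, continues past the end of the hunk.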
diff --git a/chromium/ui/shell_dialogs/execute_select_file_win.h b/chromium/ui/shell_dialogs/execute_select_file_win.h
index dc808af3953..8fa96906c02 100644
--- a/chromium/ui/shell_dialogs/execute_select_file_win.h
+++ b/chromium/ui/shell_dialogs/execute_select_file_win.h
@@ -26,6 +26,12 @@ SHELL_DIALOGS_EXPORT std::wstring AppendExtensionIfNeeded(
const std::wstring& filter_selected,
const std::wstring& suggested_ext);
+// Given a file name, return the sanitized version by removing substrings that
+// are embedded in double '%' characters as those are reserved for environment
+// variables. Implementation detail exported for unit tests.
+SHELL_DIALOGS_EXPORT base::FilePath GetSanitizedFileName(
+ const base::FilePath& file_name);
+
// Describes a filter for a file dialog.
struct FileFilterSpec {
// A human readable description of this filter. E.g. "HTML Files."
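Review bot: The declaration comment's phrase "embedded in double '%' characters" reads like a literal `%%`, while the implementation removes the text enclosed by a pair of '%' along with both delimiters. I would reword it to say that every `%...%` pair and the text between them is removed because the file dialog expands such pairs as environment variables, and that a single unpaired '%' is left in place. An example in the comment, such as `// e.g. "a%VAR%b.txt" -> "ab.txt", "50%.txt" -> "50%.txt"`, would also tell callers that the result can be shorter than the input, or empty.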