author | Min Qin <qinmin@chromium.org> | 2022-06-15 20:04:48 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-08-08 15:24:54 +0000 |
commit | 577388738e0025c415606b97e82a88ff3f090357 (patch) | |
tree | a7795f79818864d27496ac1280c8b07ca967581c | |
parent | 2e3686e72481396fa8b75187c87d386cf6151be4 (diff) | |
[Backport] CVE-2022-2618: Insufficient validation of untrusted input in Internals
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3688608:
Sanitize default file name in windows select file dialog
On windows, '%' is a special character and can be used for environment
variables. So if the default file name is '%DATADIR%', it can actually
refer to another directory and thus cause weird behaviors.
And '%' cannot be escaped when used in the file dialog. Both "^%" and
"%%" don't work. This CL mitigates the issue by replacing '%' with '_'.
This only affects the default file name when showing the dialog. Power
users can still change the file name by adding '%' if needed.
BUG=1308422
Change-Id: Ibb275f5c3c2c9458c20d1e97ad527f7c95184eaa
Reviewed-by: Robert Liao <robliao@chromium.org>
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1014602}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/ui/shell_dialogs/execute_select_file_win.cc | 30 | ||||
-rw-r--r-- | chromium/ui/shell_dialogs/execute_select_file_win.h | 6 |
2 files changed, 35 insertions, 1 deletions
diff --git a/chromium/ui/shell_dialogs/execute_select_file_win.cc b/chromium/ui/shell_dialogs/execute_select_file_win.cc
index 063d4c7c96c..162dbc3aeb4 100644
--- a/chromium/ui/shell_dialogs/execute_select_file_win.cc
+++ b/chromium/ui/shell_dialogs/execute_select_file_win.cc
@@ -10,6 +10,7 @@
 #include "base/callback.h"
 #include "base/files/file.h"
 #include "base/files/file_util.h"
+#include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
 #include "base/win/com_init_util.h"
 #include "base/win/registry.h"
@@ -50,7 +51,7 @@ bool SetDefaultPath(IFileDialog* file_dialog,
 default_folder = default_path;
 } else {
 default_folder = default_path.DirName();
- default_file_name = default_path.BaseName();
+ default_file_name = GetSanitizedFileName(default_path.BaseName());
 }
 
 // Do not fail the file dialog operation if the specified folder is invalid.
@@ -371,6 +372,33 @@ std::wstring AppendExtensionIfNeeded(const std::wstring& filename,
 return return_value;
 }
 
+base::FilePath GetSanitizedFileName(const base::FilePath& file_name) {
+ base::StringTokenizerT<std::wstring, std::wstring::const_iterator> t(
+ file_name.value(), L"%");
+ t.set_options(base::StringTokenizer::RETURN_EMPTY_TOKENS);
+ std::wstring result;
+ bool token_valid = t.GetNext();
+ while (token_valid) {
+ // Append substring before the first "%".
+ result.append(t.token());
+ // Done if we are reaching the end delimiter,
+ if (!t.GetNext()) {
+ break;
+ }
+ std::wstring string_after_first_percent = t.token();
+ token_valid = t.GetNext();
+ // If there are no other "%", append the string after
+ // the first "%". Otherwise, remove the string between
+ // the "%" and continue handing the remaining string.
+ if (!token_valid) {
+ result.append(L"%");
+ result.append(string_after_first_percent);
+ break;
+ }
+ }
+ return base::FilePath(result);
+}
+
 void ExecuteSelectFile(
 SelectFileDialog::Type type,
 const std::u16string& title,
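Review bot: After this change `default_file_name` can be empty, for instance when the whole base name is a single `%NAME%` span, and the code that hands it to the dialog lies outside the hunk, so whether an empty name is skipped there cannot be seen from here. Only the else branch is sanitized; `default_folder` and the directory branch pass `default_path` through unchanged, which matches the commit description but is worth stating at the call site. I would add `// Sanitized name may be empty; the folder part is intentionally left as-is.` above the assignment. SetDefaultPath starts and ends outside the hunk.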
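Review bot: GetSanitizedFileName joins the text on either side of each removed `%...%` span and returns the result without re-checking it, so the name shown in the dialog can differ from anything earlier validation saw (a constructed example: `.%x%.` collapses to `..`), and it can be empty. If callers rely on the base name being a plain file name, that check should be repeated on the return value or documented as the caller's job. The behaviour also differs from the commit description, which speaks of replacing '%' with '_' while this code deletes paired spans and keeps a lone unpaired `%`; a comment such as `// Removes each "%...%" span; an unpaired '%' is kept. Result may be empty.` above the function would prevent that confusion. Minor: the comment `// Done if we are reaching the end delimiter,` ends in a comma and `handing` should read `handling`.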
diff --git a/chromium/ui/shell_dialogs/execute_select_file_win.h b/chromium/ui/shell_dialogs/execute_select_file_win.h
index dc808af3953..8fa96906c02 100644
--- a/chromium/ui/shell_dialogs/execute_select_file_win.h
+++ b/chromium/ui/shell_dialogs/execute_select_file_win.h
@@ -26,6 +26,12 @@ SHELL_DIALOGS_EXPORT std::wstring AppendExtensionIfNeeded(
 const std::wstring& filter_selected,
 const std::wstring& suggested_ext);
 
+// Given a file name, return the sanitized version by removing substrings that
+// are embedded in double '%' characters as those are reserved for environment
+// variables. Implementation detail exported for unit tests.
+SHELL_DIALOGS_EXPORT base::FilePath GetSanitizedFileName(
+ const base::FilePath& file_name);
+
 // Describes a filter for a file dialog.
 struct FileFilterSpec {
 // A human readable description of this filter. E.g. "HTML Files." |
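Review bot: The declaration comment says the function is exported for unit tests, but the diffstat of this backport lists only the .cc and .h files, so no test for GetSanitizedFileName arrives with it here. The wording "embedded in double '%' characters" is also easy to misread as `%%`; I would write `// Returns |file_name| with every "%...%" span removed, since Windows treats those as environment variable references; a single unpaired '%' is kept.` instead. A test covering the empty-result, unpaired-percent and adjacent-span cases would pin the behaviour the security fix depends on.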