authorJoshua Bell <jsbell@chromium.org>2020-01-17 22:28:41 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-24 13:51:05 +0000
commitf616cecf23cfcc4a0b861f09edff12c72908e4ad (patch)
tree0e0b0bf3690ef49673677dac0afcad32dfa9cc3e
parent479882836f3e2235aacce1a392119d24a8a183b0 (diff)
downloadqtwebengine-chromium-f616cecf23cfcc4a0b861f09edff12c72908e4ad.tar.gz
[Backport] CVE-2020-6399 - Insufficient policy enforcement in AppCache
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1999300 https://chromium-review.googlesource.com/c/chromium/src/+/2007520: AppCache: Remove nonstandard "isPattern" support Chrome's AppCache implementation supported specifying namespaces as regular expressions that match URLs. This extension was invoked by adding the `isPattern` keyword after the namespace in the manifest. Histograms indicate that there is no usage of this feature. Start the removal process by removing parser support and having tests ensure the parser treats such entries normally. Subsequent CLs will delete the plumbing entirely. (cherry picked from commit 034b02983e7b849eab657fcdb246106a37dbf3f3) Bug: 1039869 Change-Id: I17d3a1a5417a6cb3c261d388760a65127c38de4a Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io> Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/content/browser/appcache/appcache_manifest_parser.cc38
1 files changed, 12 insertions, 26 deletions
diff --git a/chromium/content/browser/appcache/appcache_manifest_parser.cc b/chromium/content/browser/appcache/appcache_manifest_parser.cc
index 88ab907592f..8c1de6f4d75 100644
--- a/chromium/content/browser/appcache/appcache_manifest_parser.cc
+++ b/chromium/content/browser/appcache/appcache_manifest_parser.cc
@@ -45,19 +45,6 @@ namespace content {
namespace {
-// Helper function used to identify 'isPattern' annotations.
-bool HasPatternMatchingAnnotation(const wchar_t* line_p,
- const wchar_t* line_end) {
- // Skip whitespace separating the resource url from the annotation.
- // Note: trailing whitespace has already been trimmed from the line.
- while (line_p < line_end && (*line_p == '\t' || *line_p == ' '))
- ++line_p;
- if (line_p == line_end)
- return false;
- std::wstring annotation(line_p, line_end - line_p);
- return annotation == L"isPattern";
-}
-
bool ScopeMatches(const GURL& manifest_url, const GURL& namespace_url) {
return base::StartsWith(namespace_url.spec(),
manifest_url.GetWithoutFilename().spec(),
@@ -222,10 +209,9 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
if (mode == EXPLICIT) {
manifest.explicit_urls.insert(url.spec());
} else {
- bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
- manifest.online_whitelist_namespaces.push_back(
+ manifest.online_whitelist_namespaces.emplace_back(
AppCacheNamespace(APPCACHE_NETWORK_NAMESPACE, url, GURL(),
- is_pattern));
+ /*is_pattern=*/false));
}
} else if (mode == INTERCEPT) {
if (parse_mode != PARSE_MANIFEST_ALLOWING_DANGEROUS_FEATURES) {
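Review bot: The new `emplace_back` still hands an is_pattern flag to `AppCacheNamespace`, so pattern matching is disabled only at parse time here and in the intercept and fallback hunks below, while the matching side presumably still honours the flag until the plumbing the commit message defers to a later CL is removed. Any namespace record that reaches the matcher without passing through this parser — for instance one persisted by an earlier build, if the cache storage keeps that flag — would therefore still be treated as a pattern; for a backported security fix it is worth confirming that the storage layer drops or ignores the flag, or that the follow-up lands in the same release. A comment at the first `/*is_pattern=*/false` such as `// Pattern namespaces are no longer parsed; the flag stays only until AppCacheNamespace drops it.` would record that dependency for the next reader. Stylistically this hunk wraps the arguments in an explicit `AppCacheNamespace(...)` temporary whereas the other two hunks forward the constructor arguments directly; `manifest.online_whitelist_namespaces.emplace_back(APPCACHE_NETWORK_NAMESPACE, url, GURL(), /*is_pattern=*/false);` would match them. ParseManifest begins and ends outside this hunk.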
@@ -300,9 +286,10 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
if (manifest_url.GetOrigin() != target_url.GetOrigin())
continue;
- bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
- manifest.intercept_namespaces.push_back(AppCacheNamespace(
- APPCACHE_INTERCEPT_NAMESPACE, namespace_url, target_url, is_pattern));
+ manifest.intercept_namespaces.emplace_back(APPCACHE_INTERCEPT_NAMESPACE,
+ namespace_url, target_url,
+ /*is_pattern=*/false);
+ continue;
} else if (mode == FALLBACK) {
const wchar_t* line_p = line.c_str();
const wchar_t* line_end = line_p + line.length();
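Review bot: The added `continue;` sits directly before `} else if (mode == FALLBACK) {`, so it only leaves an if/else chain that this iteration would leave anyway; unless there are statements after the chain, which lie outside the hunk, it is dead code. The fallback hunk adds the same `continue;` while the online-whitelist hunk does not, which leaves the three sibling branches inconsistent for no visible reason. Either drop both `continue;`s or add one to the whitelist branch as well, with a one-line comment stating what the early exit skips, so the intent survives the plumbing removal the commit message announces. The enclosing ParseManifest starts and ends outside this hunk.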
@@ -367,13 +354,12 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
continue;
}
- bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
-
- // Store regardless of duplicate namespace URL. Only first match
- // will ever be used.
- manifest.fallback_namespaces.push_back(
- AppCacheNamespace(APPCACHE_FALLBACK_NAMESPACE, namespace_url,
- fallback_url, is_pattern));
+ // Store regardless of duplicate namespace URL. Only the first match will
+ // ever be used.
+ manifest.fallback_namespaces.emplace_back(APPCACHE_FALLBACK_NAMESPACE,
+ namespace_url, fallback_url,
+ /*is_pattern=*/false);
+ continue;
} else {
NOTREACHED();
}