author | Joshua Bell <jsbell@chromium.org> | 2020-01-17 22:28:41 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 13:51:05 +0000 |
commit | f616cecf23cfcc4a0b861f09edff12c72908e4ad (patch) | |
tree | 0e0b0bf3690ef49673677dac0afcad32dfa9cc3e | |
parent | 479882836f3e2235aacce1a392119d24a8a183b0 (diff) | |
[Backport] CVE-2020-6399 - Insufficient policy enforcement in AppCache
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1999300
https://chromium-review.googlesource.com/c/chromium/src/+/2007520:
AppCache: Remove nonstandard "isPattern" support
Chrome's AppCache implementation supported specifying namespaces as
regular expressions that match URLs. This extension was invoked by
adding the `isPattern` keyword after the namespace in the manifest.
Histograms indicate that there is no usage of this feature. Start the
removal process by removing parser support and having tests ensure
the parser treats such entries normally. Subsequent CLs will delete
the plumbing entirely.
(cherry picked from commit 034b02983e7b849eab657fcdb246106a37dbf3f3)
Bug: 1039869
Change-Id: I17d3a1a5417a6cb3c261d388760a65127c38de4a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/content/browser/appcache/appcache_manifest_parser.cc | 38 |
1 files changed, 12 insertions, 26 deletions
diff --git a/chromium/content/browser/appcache/appcache_manifest_parser.cc b/chromium/content/browser/appcache/appcache_manifest_parser.cc
index 88ab907592f..8c1de6f4d75 100644
--- a/chromium/content/browser/appcache/appcache_manifest_parser.cc
+++ b/chromium/content/browser/appcache/appcache_manifest_parser.cc
@@ -45,19 +45,6 @@ namespace content {
 namespace {
-// Helper function used to identify 'isPattern' annotations.
-bool HasPatternMatchingAnnotation(const wchar_t* line_p,
- const wchar_t* line_end) {
- // Skip whitespace separating the resource url from the annotation.
- // Note: trailing whitespace has already been trimmed from the line.
- while (line_p < line_end && (*line_p == '\t' || *line_p == ' '))
- ++line_p;
- if (line_p == line_end)
- return false;
- std::wstring annotation(line_p, line_end - line_p);
- return annotation == L"isPattern";
-}
-
 bool ScopeMatches(const GURL& manifest_url, const GURL& namespace_url) {
 return base::StartsWith(namespace_url.spec(),
 manifest_url.GetWithoutFilename().spec(),
@@ -222,10 +209,9 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
 if (mode == EXPLICIT) {
 manifest.explicit_urls.insert(url.spec());
 } else {
-bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
-manifest.online_whitelist_namespaces.push_back(
+manifest.online_whitelist_namespaces.emplace_back(
 AppCacheNamespace(APPCACHE_NETWORK_NAMESPACE, url, GURL(),
- is_pattern));
+ /*is_pattern=*/false));
 }
 } else if (mode == INTERCEPT) {
 if (parse_mode != PARSE_MANIFEST_ALLOWING_DANGEROUS_FEATURES) {
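Review bot: The NETWORK branch in the second hunk now always passes `/*is_pattern=*/false`, but AppCacheNamespace still carries the flag and the description says the matching plumbing is only deleted in later CLs; if that flag is also persisted in the AppCache database, a cache stored before this backport would keep its regex namespaces, with whatever matching they allowed, until the manifest is re-fetched. Whether stored caches are covered here or only by the follow-up is not visible in this diff, so it deserves a sentence in the backport description and a comment at the call site, e.g. `// Pattern namespaces are no longer parsed; is_pattern stays in the struct only until the plumbing is removed.` The `/*is_pattern=*/false` literal is now repeated in three branches, so a file-level `constexpr bool kNoPattern = false;` would make the intent greppable, though that is cosmetic. ParseManifest begins and continues outside this hunk.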
@@ -300,9 +286,10 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
 if (manifest_url.GetOrigin() != target_url.GetOrigin())
 continue;
-bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
-manifest.intercept_namespaces.push_back(AppCacheNamespace(
- APPCACHE_INTERCEPT_NAMESPACE, namespace_url, target_url, is_pattern));
+manifest.intercept_namespaces.emplace_back(APPCACHE_INTERCEPT_NAMESPACE,
+ namespace_url, target_url,
+ /*is_pattern=*/false);
+ continue;
 } else if (mode == FALLBACK) {
 const wchar_t* line_p = line.c_str();
 const wchar_t* line_end = line_p + line.length();
@@ -367,13 +354,12 @@ bool ParseManifest(const GURL& manifest_url, const char* data, int length,
 continue;
 }
-bool is_pattern = HasPatternMatchingAnnotation(line_p, line_end);
-
- // Store regardless of duplicate namespace URL. Only first match
- // will ever be used.
- manifest.fallback_namespaces.push_back(
- AppCacheNamespace(APPCACHE_FALLBACK_NAMESPACE, namespace_url,
- fallback_url, is_pattern));
+ // Store regardless of duplicate namespace URL. Only the first match will
+ // ever be used.
+ manifest.fallback_namespaces.emplace_back(APPCACHE_FALLBACK_NAMESPACE,
+ namespace_url, fallback_url,
+ /*is_pattern=*/false);
+ continue;
 } else {
 NOTREACHED();
 }
|
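Review bot: The `continue;` added after the emplace_back in the INTERCEPT branch (and again in the FALLBACK branch in the next hunk) is not mentioned in the commit message and is not part of removing isPattern; if the loop body has statements after this if/else-if chain, they are now skipped for INTERCEPT and FALLBACK lines but still run for EXPLICIT and NETWORK lines, which would be a behaviour difference from the first listed upstream CL unless it was deliberately carried over from the second. If it is intentional, a one-line comment at the first occurrence, `// Namespace recorded; nothing further to do for this line.`, would stop the next backporter from "fixing" it, and if it is a stray line it should be dropped. The enclosing loop and ParseManifest itself begin and end outside these hunks.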