authorXiaocheng Hu <xiaochengh@chromium.org>2020-03-25 20:25:49 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-04-22 18:11:47 +0000
commit2cd39da1f70b87e2b7a225bd8bfde73c2f672dc4 (patch)
tree270c94c9b631080ed08b5bec9d9ac004f615b7cb
parentc44739c246c37eca66045028c9d8607b164ebf42 (diff)
[Backport] CVE-2020-6456
Disallow pasting SVG use elements data URI

SVG use elements with data URI may carry arbitrary content. Hence, we also sanitize them before pasting into the document.

Bug: 1040755
Change-Id: I7e50b51fc71a1953a4329bd0c33b0ad2677f5c58
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc28
1 files changed, 27 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
index f6a318053fd..7cdeef8af6c 100644
--- a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
+++ b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
@@ -66,6 +66,7 @@
#include "third_party/blink/renderer/core/loader/empty_clients.h"
#include "third_party/blink/renderer/core/page/page.h"
#include "third_party/blink/renderer/core/svg/svg_style_element.h"
+#include "third_party/blink/renderer/core/svg/svg_use_element.h"
#include "third_party/blink/renderer/platform/bindings/exception_state.h"
#include "third_party/blink/renderer/platform/bindings/runtime_call_stats.h"
#include "third_party/blink/renderer/platform/bindings/v8_per_isolate_data.h"
@@ -799,6 +800,25 @@ static bool ContainsStyleElements(const DocumentFragment& fragment) {
return false;
}
+// Returns true if any svg <use> element is removed.
+static bool StripSVGUseDataURLs(Node& node) {
+ if (IsA<SVGUseElement>(node)) {
+ SVGUseElement& use = To<SVGUseElement>(node);
+ SVGURLReferenceResolver resolver(use.HrefString(), use.GetDocument());
+ if (resolver.AbsoluteUrl().ProtocolIsData())
+ node.remove();
+ return true;
+ }
+ bool stripped = false;
+ for (Node* child = node.firstChild(); child;) {
+ Node* next = child->nextSibling();
+ if (StripSVGUseDataURLs(*child))
+ stripped = true;
+ child = next;
+ }
+ return stripped;
+}
+
DocumentFragment* CreateSanitizedFragmentFromMarkupWithContext(
Document& document,
const String& raw_markup,
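Review bot: The `return true;` that follows `node.remove();` is outside the `if (resolver.AbsoluteUrl().ProtocolIsData())` block, so StripSVGUseDataURLs reports true for every SVGUseElement it meets, not only for the ones it removes, and the header comment `// Returns true if any svg <use> element is removed.` does not describe that. The observable effect is that a fragment containing any svg <use> element, even one whose href is not a data: URL, takes the sanitizing path at the call site in the next hunk, which is the conservative outcome; if that is intended, the comment should say so, e.g. `// Removes svg <use> elements whose href resolves to a data: URL. Returns true if any svg <use> element was encountered, which forces the fragment through the sanitizing path.` If instead only an actual removal is meant to trigger sanitization, move `return true;` inside the if and `return false;` after it. Either way, naming the local accordingly (`stripped` reads as "a removal happened") keeps the recursive aggregation readable.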
@@ -819,7 +839,13 @@ DocumentFragment* CreateSanitizedFragmentFromMarkupWithContext(
return nullptr;
}
- if (!ContainsStyleElements(*fragment)) {
+ bool needs_sanitization = false;
+ if (ContainsStyleElements(*fragment))
+ needs_sanitization = true;
+ if (StripSVGUseDataURLs(*fragment))
+ needs_sanitization = true;
+
+ if (!needs_sanitization) {
staging_document->GetPage()->WillBeDestroyed();
return CreateFragmentFromMarkupWithContext(
document, raw_markup, fragment_start, fragment_end, base_url,