diff options
author | Austin Sullivan <asully@chromium.org> | 2022-10-11 20:53:22 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-12-16 16:49:01 +0000 |
commit | 1abe1ada518f72d695087e195f16e6a4b9c38faa (patch) | |
tree | c61a65a584e5c2cdaa5f7179a832df36d25ac1b4 | |
parent | 00cc936bbfcadff5f1e5ed1895caa0876106e34a (diff) | |
download | qtwebengine-chromium-1abe1ada518f72d695087e195f16e6a4b9c38faa.tar.gz |
[Backport] CVE-2022-4193: Insufficient policy enforcement in File System API
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3945587:
FSA: Block .url files in getFileHandle and getEntries
Fixed: 1354518
Change-Id: I663d4481ccc2047c49d7466bbfe9751e8c140edf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3945587
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Auto-Submit: Austin Sullivan <asully@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1057675}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/447107
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc b/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc index 4d3b2d1edcf..eea0a957903 100644 --- a/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc +++ b/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc @@ -440,9 +440,12 @@ bool IsShellIntegratedExtension(const base::FilePath::StringType& extension) { // .lnk and .scf files may be used to execute arbitrary code (see // https://nvd.nist.gov/vuln/detail/CVE-2010-2568 and - // https://crbug.com/1227995, respectively). + // https://crbug.com/1227995, respectively). '.url' files can be used to read + // arbitrary files (see https://crbug.com/1307930 and + // https://crbug.com/1354518). if (extension_lower == FILE_PATH_LITERAL("lnk") || - extension_lower == FILE_PATH_LITERAL("scf")) { + extension_lower == FILE_PATH_LITERAL("scf") || + extension_lower == FILE_PATH_LITERAL("url")) { return true; } |