authorAustin Sullivan <asully@chromium.org>2022-10-11 20:53:22 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-12-16 16:49:01 +0000
commit1abe1ada518f72d695087e195f16e6a4b9c38faa (patch)
treec61a65a584e5c2cdaa5f7179a832df36d25ac1b4
parent00cc936bbfcadff5f1e5ed1895caa0876106e34a (diff)
downloadqtwebengine-chromium-1abe1ada518f72d695087e195f16e6a4b9c38faa.tar.gz
[Backport] CVE-2022-4193: Insufficient policy enforcement in File System API
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3945587: FSA: Block .url files in getFileHandle and getEntries Fixed: 1354518 Change-Id: I663d4481ccc2047c49d7466bbfe9751e8c140edf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3945587 Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Commit-Queue: Marijn Kruisselbrink <mek@chromium.org> Auto-Submit: Austin Sullivan <asully@chromium.org> Cr-Commit-Position: refs/heads/main@{#1057675} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/447107 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc b/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc
index 4d3b2d1edcf..eea0a957903 100644
--- a/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc
+++ b/chromium/content/browser/file_system_access/file_system_access_directory_handle_impl.cc
@@ -440,9 +440,12 @@ bool IsShellIntegratedExtension(const base::FilePath::StringType& extension) {
// .lnk and .scf files may be used to execute arbitrary code (see
// https://nvd.nist.gov/vuln/detail/CVE-2010-2568 and
- // https://crbug.com/1227995, respectively).
+ // https://crbug.com/1227995, respectively). '.url' files can be used to read
+ // arbitrary files (see https://crbug.com/1307930 and
+ // https://crbug.com/1354518).
if (extension_lower == FILE_PATH_LITERAL("lnk") ||
- extension_lower == FILE_PATH_LITERAL("scf")) {
+ extension_lower == FILE_PATH_LITERAL("scf") ||
+ extension_lower == FILE_PATH_LITERAL("url")) {
return true;
}
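Review bot: The added `extension_lower == FILE_PATH_LITERAL("url")` test is an exact string match, so it is only as strong as the normalization that produces `extension_lower`, which happens above this hunk and is not visible here. It is worth confirming that the caller lower-cases the extension, strips the leading dot, and rejects names whose effective extension changes once Windows normalizes them (for example trailing dots or spaces). The diffstat lists only this one file, so the backport appears to carry no regression test; a unit test asserting that names ending in `.url` and `.URL` are refused by both getFileHandle and getEntries would pin the fix. On style, the new comment quotes `'.url'` while `.lnk` and `.scf` are unquoted, and it could say in a few words that these are Windows Internet Shortcut files so the entry is understandable without opening the bug links. The body of IsShellIntegratedExtension starts before and continues after the hunk.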