author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 16:26:15 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:31:26 +0000 |
commit | 4c5d12c41150ac34adae6095322f305fa65273eb (patch) | |
tree | d2cabcff8cef73e14fe714a58d44928a8c09c638 | |
parent | c112c079a5d7364bdf0f2686616df7024a8dad82 (diff) | |
download | qtwebengine-chromium-4c5d12c41150ac34adae6095322f305fa65273eb.tar.gz |
[Backport] CVE-2019-5832
Manual backport of:
Use response tainting to calculate CORS-exposed header-name list
XHR uses the same-originness of the request origin and the destination
URL to calculate the CORS-exposed header-name list, which leads to
wrong results with redirects. Use response tainting as specced.
Bug: 959390
Change-Id: I0531847b73ced5155a898e4c4607a5dbb4825f82
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp | 16 | ||||
-rw-r--r-- | chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h | 1 |
2 files changed, 9 insertions, 8 deletions
diff --git a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
index f3994e4e895..2add6bb5280 100644
--- a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
+++ b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
@@ -244,7 +244,6 @@ XMLHttpRequest::XMLHttpRequest(
       m_error(false),
       m_uploadEventsAllowed(true),
       m_uploadComplete(false),
-      m_sameOriginRequest(true),
       m_downloadingToFile(false),
       m_responseTextOverflow(false),
       m_sendFlag(false) {}
@@ -948,7 +947,7 @@ void XMLHttpRequest::createRequest(PassRefPtr<EncodedFormData> httpBody,
     }
   }
 
-  m_sameOriginRequest = getSecurityOrigin()->canRequestNoSuborigin(m_url);
+  const bool sameOriginRequest = getSecurityOrigin()->canRequestNoSuborigin(m_url);
 
   // Per https://w3c.github.io/webappsec-suborigins/#security-model-opt-outs,
   // credentials are forced when credentials mode is "same-origin", the
@@ -962,14 +961,14 @@ void XMLHttpRequest::createRequest(PassRefPtr<EncodedFormData> httpBody,
           SecurityOrigin::create(m_url)->isSameSchemeHostPort(
               getSecurityOrigin()));
 
-  if (!m_sameOriginRequest && includeCredentials)
+  if (!sameOriginRequest && includeCredentials)
     UseCounter::count(&executionContext,
                       UseCounter::XMLHttpRequestCrossOriginWithCredentials);
 
   // We also remember whether upload events should be allowed for this request
   // in case the upload listeners are added after the request is started.
   m_uploadEventsAllowed =
-      m_sameOriginRequest || uploadEvents ||
+      sameOriginRequest || uploadEvents ||
       !FetchUtils::isSimpleRequest(m_method, m_requestHeaders);
 
   ResourceRequest request(m_url);
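Review bot: The added line `const bool sameOriginRequest = getSecurityOrigin()->canRequestNoSuborigin(m_url);` in the @@ -948 hunk runs past the 80-column limit the surrounding code keeps to (the neighbouring `m_uploadEventsAllowed =` statement is wrapped after the `=`). Wrap it the same way: `const bool sameOriginRequest =` followed by `getSecurityOrigin()->canRequestNoSuborigin(m_url);` on the next line. createRequest begins and ends outside these hunks, so this is a formatting remark only; the replacement of the member by a local is otherwise consistent across the three uses shown.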
@@ -1010,7 +1009,7 @@ void XMLHttpRequest::createRequest(PassRefPtr<EncodedFormData> httpBody,
 
   ResourceLoaderOptions resourceLoaderOptions;
   resourceLoaderOptions.allowCredentials =
-      (m_sameOriginRequest || includeCredentials) ? AllowStoredCredentials
+      (sameOriginRequest || includeCredentials) ? AllowStoredCredentials
                                                   : DoNotAllowStoredCredentials;
   resourceLoaderOptions.credentialsRequested =
       includeCredentials ? ClientRequestedCredentials
@@ -1370,7 +1369,8 @@ String XMLHttpRequest::getAllResponseHeaders() const {
         !getSecurityOrigin()->canLoadLocalResources())
       continue;
 
-    if (!m_sameOriginRequest &&
+    if (m_response.serviceWorkerResponseType() ==
+            WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS &&
         !isOnAccessControlResponseHeaderWhitelist(it->key) &&
         !accessControlExposeHeaderSet.contains(it->key))
       continue;
@@ -1402,7 +1402,9 @@ const AtomicString& XMLHttpRequest::getResponseHeader(
   HTTPHeaderSet accessControlExposeHeaderSet;
   extractCorsExposedHeaderNamesList(m_response, accessControlExposeHeaderSet);
 
-  if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name) &&
+  if (m_response.serviceWorkerResponseType() ==
+          WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS &&
+      !isOnAccessControlResponseHeaderWhitelist(name) &&
       !accessControlExposeHeaderSet.contains(name)) {
     logConsoleError(getExecutionContext(),
                     "Refused to get unsafe header \"" + name + "\"");
diff --git a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
index 5fb689cef0e..93dde08206d 100644
--- a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
+++ b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
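Review bot: The header filter in getAllResponseHeaders (@@ -1370 hunk) now keys off `m_response.serviceWorkerResponseType() == WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS`, and the same test is repeated in getResponseHeader (@@ -1402 hunk); the filter is only as strong as that field, so it must be set to CORS for every cross-origin response delivered to XHR, not only for responses that passed through a service worker as the accessor's name suggests. I cannot confirm from these hunks where the loading path in this branch sets it; if a plain cross-origin response arrived with the default type, both the whitelist check and the expose-list check would be skipped, which is the same header-exposure class the backport is meant to close. Please verify against the loader code for this branch and record the dependency with a comment above the first condition such as `// Header exposure is decided by response tainting set by the loader, not by request same-originness, which is wrong after redirects.` Since the condition is now duplicated verbatim, a private `bool isCorsTaintedResponse() const` helper used by both call sites would keep them from drifting apart. Both functions start and end outside the hunks.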
@@ -338,7 +338,6 @@ class XMLHttpRequest final : public XMLHttpRequestEventTarget,
   bool m_error;
   bool m_uploadEventsAllowed;
   bool m_uploadComplete;
-  bool m_sameOriginRequest;
   // True iff the ongoing resource loading is using the downloadToFile
   // option.
   bool m_downloadingToFile;