author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 14:30:18 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-28 13:43:53 +0000 |
commit | da37c1e0c517506ab6c3c49f8e432da95464e13d (patch) | |
tree | e550ddaff12a847511ad2b08e24590e7d4665c7d | |
parent | 843d70ac87de7482c1c1195aa73899bc05efc8f3 (diff) | |
download | qtwebengine-chromium-da37c1e0c517506ab6c3c49f8e432da95464e13d.tar.gz |
[Backport] CVE-2019-13662
Prevent redirection to `javascript:...` during downloads.
Bug: 967780
Change-Id: I2703998615fea0f0a99cb7963f8440842ba3d92a
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#678183}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/content/browser/download/download_manager_impl.cc | 8 | ||||
-rw-r--r-- | chromium/content/browser/download/download_resource_handler.cc | 25 |
2 files changed, 19 insertions, 14 deletions
diff --git a/chromium/content/browser/download/download_manager_impl.cc b/chromium/content/browser/download/download_manager_impl.cc
index 4991e15ee68..5f14c3c27c8 100644
--- a/chromium/content/browser/download/download_manager_impl.cc
+++ b/chromium/content/browser/download/download_manager_impl.cc
@@ -519,9 +519,11 @@ bool DownloadManagerImpl::InterceptDownload(
 if (info.is_new_download &&
 info.result ==
 download::DOWNLOAD_INTERRUPT_REASON_SERVER_CROSS_ORIGIN_REDIRECT) {
- if (web_contents) {
- std::vector<GURL> url_chain(info.url_chain);
- GURL url = url_chain.back();
+ std::vector<GURL> url_chain(info.url_chain);
+ GURL url = url_chain.back();
+ if ((url.SchemeIsHTTPOrHTTPS() ||
+ GetContentClient()->browser()->IsHandledURL(url)) &&
+ web_contents) {
 url_chain.pop_back();
 NavigationController::LoadURLParams params(url);
 params.has_user_gesture = info.has_user_gesture;
diff --git a/chromium/content/browser/download/download_resource_handler.cc b/chromium/content/browser/download/download_resource_handler.cc
index 7863fc30a69..54323eebcda 100644
--- a/chromium/content/browser/download/download_resource_handler.cc
+++ b/chromium/content/browser/download/download_resource_handler.cc
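Review bot: The scheme allowlist `url.SchemeIsHTTPOrHTTPS() || GetContentClient()->browser()->IsHandledURL(url)` in the InterceptDownload hunk is written out a second time in DownloadResourceHandler::OnRequestRedirected (download_resource_handler.cc), so a later edit to one copy can leave the other navigation path unfiltered. A single shared predicate, for example `bool IsNavigableDownloadRedirect(const GURL& url)` (name is only a suggestion), would keep both enforcement points in step. Both copies also depend on the embedder's `IsHandledURL` never reporting `javascript:` as handled; that implementation is not visible here and is worth confirming for this backport. Separately, `url_chain.back()` now runs before `web_contents` is tested, so if an empty `info.url_chain` can reach this branch a `DCHECK(!url_chain.empty());` ahead of it would state the invariant. InterceptDownload's body continues outside the hunk, so what happens to a rejected URL after the `if` cannot be checked from here.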
@@ -205,17 +205,20 @@ void DownloadResourceHandler::OnRequestRedirected(
 url::Origin new_origin(url::Origin::Create(redirect_info.new_url));
 if (!follow_cross_origin_redirects_ &&
 !first_origin_.IsSameOriginWith(new_origin)) {
- base::PostTaskWithTraits(
- FROM_HERE, {BrowserThread::UI},
- base::BindOnce(
- &NavigateOnUIThread, redirect_info.new_url, request()->url_chain(),
- Referrer(GURL(redirect_info.new_referrer),
- Referrer::NetReferrerPolicyToBlinkReferrerPolicy(
- redirect_info.new_referrer_policy)),
- GetRequestInfo()->HasUserGesture(),
- true /* from_download_cross_origin_redirect */,
- GetRequestInfo()->GetWebContentsGetterForRequest(),
- GetRequestInfo()->frame_tree_node_id()));
+ if (redirect_info.new_url.SchemeIsHTTPOrHTTPS() ||
+ GetContentClient()->browser()->IsHandledURL(redirect_info.new_url)) {
+ base::PostTaskWithTraits(
+ FROM_HERE, {BrowserThread::UI},
+ base::BindOnce(
+ &NavigateOnUIThread, redirect_info.new_url, request()->url_chain(),
+ Referrer(GURL(redirect_info.new_referrer),
+ Referrer::NetReferrerPolicyToBlinkReferrerPolicy(
+ redirect_info.new_referrer_policy)),
+ GetRequestInfo()->HasUserGesture(),
+ true /* from_download_cross_origin_redirect */,
+ GetRequestInfo()->GetWebContentsGetterForRequest(),
+ GetRequestInfo()->frame_tree_node_id()));
+ }
 controller->Cancel();
 return;
 } |
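Review bot: Nothing at the new `if` in OnRequestRedirected says why a cross-origin redirect target that is neither HTTP(S) nor handled is dropped without a navigation, and the fall-through to `controller->Cancel()` is easy to misread as an oversight. A comment above the condition would record the intent, for example `// Only forward the redirect to the UI thread for schemes the browser loads itself; anything else (e.g. javascript:) is cancelled without navigating. See bug 967780.` The rejected case is also silent as written, so a blocked redirect leaves no trace for anyone debugging or investigating it; whether a log line or metric is wanted here is a judgement call for the maintainers. OnRequestRedirected starts and ends outside the hunk.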