authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-14 14:30:18 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-28 13:43:53 +0000
commitda37c1e0c517506ab6c3c49f8e432da95464e13d (patch)
treee550ddaff12a847511ad2b08e24590e7d4665c7d
parent843d70ac87de7482c1c1195aa73899bc05efc8f3 (diff)
[Backport] CVE-2019-13662
Prevent redirection to `javascript:...` during downloads. Bug: 967780 Change-Id: I2703998615fea0f0a99cb7963f8440842ba3d92a Reviewed-by: Jochen Eisinger <jochen@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#678183} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/content/browser/download/download_manager_impl.cc8
-rw-r--r--chromium/content/browser/download/download_resource_handler.cc25
2 files changed, 19 insertions, 14 deletions
diff --git a/chromium/content/browser/download/download_manager_impl.cc b/chromium/content/browser/download/download_manager_impl.cc
index 4991e15ee68..5f14c3c27c8 100644
--- a/chromium/content/browser/download/download_manager_impl.cc
+++ b/chromium/content/browser/download/download_manager_impl.cc
@@ -519,9 +519,11 @@ bool DownloadManagerImpl::InterceptDownload(
if (info.is_new_download &&
info.result ==
download::DOWNLOAD_INTERRUPT_REASON_SERVER_CROSS_ORIGIN_REDIRECT) {
- if (web_contents) {
- std::vector<GURL> url_chain(info.url_chain);
- GURL url = url_chain.back();
+ std::vector<GURL> url_chain(info.url_chain);
+ GURL url = url_chain.back();
+ if ((url.SchemeIsHTTPOrHTTPS() ||
+ GetContentClient()->browser()->IsHandledURL(url)) &&
+ web_contents) {
url_chain.pop_back();
NavigationController::LoadURLParams params(url);
params.has_user_gesture = info.has_user_gesture;
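Review bot: `url_chain.back()` now runs before any check, including when `web_contents` is null, and calling `back()` on an empty vector is undefined behaviour; nothing in this hunk shows that `info.url_chain` is guaranteed non-empty for a cross-origin-redirect interrupt. Consider stating the invariant with `DCHECK(!info.url_chain.empty());` or guarding the block with `if (!info.url_chain.empty())`. Testing `web_contents` first, as in `if (web_contents && (url.SchemeIsHTTPOrHTTPS() || GetContentClient()->browser()->IsHandledURL(url)))`, would also skip the embedder call when there is nothing to navigate. The body of InterceptDownload continues outside the hunk, so what happens to a rejected URL after this `if` is not visible here.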
diff --git a/chromium/content/browser/download/download_resource_handler.cc b/chromium/content/browser/download/download_resource_handler.cc
index 7863fc30a69..54323eebcda 100644
--- a/chromium/content/browser/download/download_resource_handler.cc
+++ b/chromium/content/browser/download/download_resource_handler.cc
@@ -205,17 +205,20 @@ void DownloadResourceHandler::OnRequestRedirected(
url::Origin new_origin(url::Origin::Create(redirect_info.new_url));
if (!follow_cross_origin_redirects_ &&
!first_origin_.IsSameOriginWith(new_origin)) {
- base::PostTaskWithTraits(
- FROM_HERE, {BrowserThread::UI},
- base::BindOnce(
- &NavigateOnUIThread, redirect_info.new_url, request()->url_chain(),
- Referrer(GURL(redirect_info.new_referrer),
- Referrer::NetReferrerPolicyToBlinkReferrerPolicy(
- redirect_info.new_referrer_policy)),
- GetRequestInfo()->HasUserGesture(),
- true /* from_download_cross_origin_redirect */,
- GetRequestInfo()->GetWebContentsGetterForRequest(),
- GetRequestInfo()->frame_tree_node_id()));
+ if (redirect_info.new_url.SchemeIsHTTPOrHTTPS() ||
+ GetContentClient()->browser()->IsHandledURL(redirect_info.new_url)) {
+ base::PostTaskWithTraits(
+ FROM_HERE, {BrowserThread::UI},
+ base::BindOnce(
+ &NavigateOnUIThread, redirect_info.new_url, request()->url_chain(),
+ Referrer(GURL(redirect_info.new_referrer),
+ Referrer::NetReferrerPolicyToBlinkReferrerPolicy(
+ redirect_info.new_referrer_policy)),
+ GetRequestInfo()->HasUserGesture(),
+ true /* from_download_cross_origin_redirect */,
+ GetRequestInfo()->GetWebContentsGetterForRequest(),
+ GetRequestInfo()->frame_tree_node_id()));
+ }
controller->Cancel();
return;
}
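Review bot: The allowlist `SchemeIsHTTPOrHTTPS() || IsHandledURL(...)` blocks `javascript:` only if the embedder's `IsHandledURL` returns false for it, and the predicate is now written out twice (here and in DownloadManagerImpl::InterceptDownload), so the two copies can drift apart. I would move it into one small shared helper called from both sites, with a comment such as `// Only follow the redirect as a navigation for schemes the browser handles; anything else (e.g. javascript:) is dropped and the request cancelled.` Since this is a backport into a different embedder, it is worth confirming that its `ContentBrowserClient::IsHandledURL` override does not claim script-like schemes. The check also appears to run on whichever thread delivers OnRequestRedirected rather than on the UI thread the task is posted to, so confirm `IsHandledURL` is safe to call there.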