authorTommy Li <tommycli@chromium.org>2019-11-14 20:04:22 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-10 15:48:10 +0000
commit2643eee04e099c1b649167ec7e646d7832d19000 (patch)
treea965b1f8db129d1f37aa3152bbaa8f1aa072c013
parent7622e2b8071fdf5eb01f9494690e860e3f87bce2 (diff)
downloadqtwebengine-chromium-2643eee04e099c1b649167ec7e646d7832d19000.tar.gz
[Backport] CVE-2020-6410 - Insufficient policy enforcement in navigation
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1907071: [net] Fix spoof attack on file:// URLs on POSIX systems For file:// URLs on POSIX, we currently discard the host portion of the URL, and treat all file:// URLs as local. On Windows, we use the host portion as the SAMBA share, so this bug is inapplicable to Windows. This allows us to have URLs like: file://accounts.google.com/home/tommycli/Downloads/evil.html This is a low severity bug, since it's quite hard to exploit, but we should fix it anyways. RFC 8089 doesn't actually prohibit our previous behavior, but it does frown on it. This CL *could* break file:// links that relied on the old behavior, but those file:// links should probably be rightfully-broken, since they didn't work on Windows anyways. Bug: 881675 Change-Id: Iae7e2d8e67c619fbfed4bba9e722be77ed54d792 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/net/base/filename_util.cc16
-rw-r--r--chromium/net/base/filename_util.h6
2 files changed, 15 insertions, 7 deletions
diff --git a/chromium/net/base/filename_util.cc b/chromium/net/base/filename_util.cc
index a3135f1ed85..eec7c218e4f 100644
--- a/chromium/net/base/filename_util.cc
+++ b/chromium/net/base/filename_util.cc
@@ -17,6 +17,7 @@
#include "net/base/escape.h"
#include "net/base/filename_util_internal.h"
#include "net/base/net_string_util.h"
+#include "net/base/url_util.h"
#include "net/http/http_content_disposition.h"
#include "url/gurl.h"
@@ -69,6 +70,10 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
if (!url.is_valid())
return false;
+ // We may want to change this to a CHECK in the future.
+ if (!url.SchemeIsFile())
+ return false;
+
#if defined(OS_WIN)
std::string path;
std::string host = url.host();
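Review bot: The new `if (!url.SchemeIsFile()) return false;` guard turns a previously documented input into a silent failure, and the comment above it ("We may want to change this to a CHECK in the future") does not say why the scheme is rejected. The header text removed in this same commit stated that on Windows `https://hostname/path/to/file.txt` converted to `\\hostname\path\to\file.txt`, so any caller that relied on that now gets `false` with nothing logged. I would reword the comment to something like `// Non-file schemes are rejected: the mapping below is filesystem-specific. A caller passing one is a bug; tighten to a CHECK once callers are audited.` The diffstat lists only the two source files, so this rejection appears to have no unit test in the backport. The body of FileURLToFilePath starts before this hunk and continues past it.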
@@ -89,10 +94,13 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
}
std::replace(path.begin(), path.end(), '/', '\\');
#else // defined(OS_WIN)
- // Firefox seems to ignore the "host" of a file url if there is one. That is,
- // file://foo/bar.txt maps to /bar.txt.
- // TODO(dhg): This should probably take into account UNCs which could
- // include a hostname other than localhost or blank
+ // On POSIX, there's no obvious interpretation of file:// URLs with a host.
+ // Usually, remote mounts are still mounted onto the local filesystem.
+ // Therefore, we discard all URLs that are not obviously local to prevent
+ // spoofing attacks using file:// URLs. See crbug.com/881675.
+ if (!url.host().empty() && !net::IsLocalhost(url)) {
+ return false;
+ }
std::string path = url.path();
#endif // !defined(OS_WIN)
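Review bot: The host check `if (!url.host().empty() && !net::IsLocalhost(url))` makes the accepted set whatever `net::IsLocalhost` considers local, while the comment only says "obviously local". That helper is declared outside this diff. If it accepts more than the literal `localhost` (loopback address literals or `.localhost` subdomains, for example), a file:// URL carrying such a host still maps to a local path, so how those hosts are displayed to the user is worth confirming. I would extend the comment with `// Accepted: an empty host, or any host net::IsLocalhost() treats as loopback; every other host fails.` and add POSIX unit cases for an empty host, `localhost`, and a non-local host, since the diffstat shows no test file in this backport. As a style point, the braces around the single `return false;` differ from the unbraced `if (!url.is_valid())` earlier in the same function.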
diff --git a/chromium/net/base/filename_util.h b/chromium/net/base/filename_util.h
index 5956827fcd2..d6b33cc9976 100644
--- a/chromium/net/base/filename_util.h
+++ b/chromium/net/base/filename_util.h
@@ -29,9 +29,9 @@ NET_EXPORT GURL FilePathToFileURL(const base::FilePath& path);
// invalid or the file path cannot be extracted from |url|.
// On failure, *file_path will be empty.
//
-// It is not a requirement that |url| have a file scheme as other URLs may
-// still convert to a file path. One example is on the Windows platform where
-// https://hostname/path/to/file.txt will return \\hostname\path\to\file.txt.
+// Do not call this with a |url| that doesn't have a file:// scheme.
+// The implementation is specific to the platform filesystem, and not
+// applicable to other schemes.
NET_EXPORT bool FileURLToFilePath(const GURL& url, base::FilePath* file_path);
// Generates a filename using the first successful method from the following (in