authorXiaocheng Hu <xiaochengh@chromium.org>2019-11-27 22:14:31 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-06 16:05:24 +0000
commit3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 (patch)
treec6b20bb54832fb178760871a34ceb4532b1f3140
parente7980ade9ab1ec70db29623ff658e38497c7385d (diff)
downloadqtwebengine-chromium-3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154.tar.gz
[Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (3/3)
Manual backport of patch originally reviewed on Disable CSS @import rules in clipboard markup sanitization While clipboard markup is allowed to carry style sheets to style the elements to be pasted (e.g., when copying from Excel), @import rules should be disabled for security reasons. This patch disables @import rules when sanitizing the markup in a dummy document to make sure we don't initiate any stylesheet loading during the process. Bug: 1017871: Change-Id: Ibf997611a0879dd9bb789619044a416e139b0e3c Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc4
-rw-r--r--chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h2
-rw-r--r--chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc11
-rw-r--r--chromium/third_party/blink/renderer/core/dom/document.h9
-rw-r--r--chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc2
5 files changed, 24 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
index 7740ac294b9..2659382232b 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
@@ -254,6 +254,10 @@ bool CSSParserContext::CustomElementsV0Enabled() const {
return RuntimeEnabledFeatures::CustomElementsV0Enabled(document_);
}
+bool CSSParserContext::IsForMarkupSanitization() const {
+ return document_ && document_->IsForMarkupSanitization();
+}
+
void CSSParserContext::Trace(blink::Visitor* visitor) {
visitor->Trace(document_);
}
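Review bot: IsForMarkupSanitization() returns false whenever the context has no document_, so a parser context built without a document silently opts out of the @import restriction added in this commit; that fallback deserves a comment above the definition, e.g. `// Contexts without a document are never treated as sanitizing; @import handling then falls back to allow_import_rules alone.` Whether a document-less context can be reached from the clipboard path is not visible in this diff, so it is worth confirming rather than assuming. The declaration added in css_parser_context.h has no comment either; the same sentence would serve there.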
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
index c7435d8330f..1ff90457c38 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
@@ -126,6 +126,8 @@ class CORE_EXPORT CSSParserContext
// TODO(yoichio): Remove when CustomElementsV0 is removed. crrev.com/660759.
bool CustomElementsV0Enabled() const;
+ bool IsForMarkupSanitization() const;
+
void Trace(blink::Visitor*);
private:
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
index dd681c46f74..7eabb762d87 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
@@ -265,12 +265,15 @@ ParseSheetResult CSSParserImpl::ParseStyleSheet(
ParseSheetResult result = ParseSheetResult::kSucceeded;
bool first_rule_valid = parser.ConsumeRuleList(
stream, kTopLevelRuleList,
- [&style_sheet, &result, allow_import_rules](StyleRuleBase* rule) {
+ [&style_sheet, &result, allow_import_rules,
+ context](StyleRuleBase* rule) {
if (rule->IsCharsetRule())
return;
- if (rule->IsImportRule() && !allow_import_rules) {
- result = ParseSheetResult::kHasUnallowedImportRule;
- return;
+ if (rule->IsImportRule()) {
+ if (!allow_import_rules || context->IsForMarkupSanitization()) {
+ result = ParseSheetResult::kHasUnallowedImportRule;
+ return;
+ }
}
style_sheet->ParserAppendRule(rule);
});
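Review bot: The new branch rejects the @import rule with kHasUnallowedImportRule without saying why sanitization is special, so a later reader may relax it as a leftover restriction; a why-comment belongs on the line before the inner `if`, e.g. `// Markup sanitization runs in a staging document; an @import would start a style sheet load there, so it is rejected even when the caller allows imports.` The lambda now dereferences `context` unconditionally, which is fine only if ParseStyleSheet already requires a non-null context — that cannot be confirmed from this hunk because the function begins above it. Note also that both rejection reasons now share one result code, so callers cannot tell a caller-disallowed import from a sanitization-stripped one; if any caller reacts differently to the two cases, a distinct result value would be needed.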
diff --git a/chromium/third_party/blink/renderer/core/dom/document.h b/chromium/third_party/blink/renderer/core/dom/document.h
index 312715d83f2..4f07178eaeb 100644
--- a/chromium/third_party/blink/renderer/core/dom/document.h
+++ b/chromium/third_party/blink/renderer/core/dom/document.h
@@ -1583,6 +1583,13 @@ class CORE_EXPORT Document : public ContainerNode,
// applied to this document.
void BindContentSecurityPolicy();
+ // We setup a dummy document to sanitize clipboard markup before pasting.
+ // Sets and indicates whether this is the dummy document.
+ void SetIsForMarkupSanitization(bool is_for_sanitization) {
+ is_for_markup_sanitization_ = is_for_sanitization;
+ }
+ bool IsForMarkupSanitization() const { return is_for_markup_sanitization_; }
+
bool HasPendingJavaScriptUrlsForTest() {
return !pending_javascript_urls_.IsEmpty();
}
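Review bot: The comment on SetIsForMarkupSanitization describes the staging document but not what the flag changes, which is what a maintainer touching either side needs; I would replace the two comment lines with `// True for the dummy document used to sanitize clipboard markup before pasting. CSSParserContext::IsForMarkupSanitization() reads this to reject @import rules so that no style sheet loads are started from the staging document.` ("setup" as a verb should also be "set up"). The setter accepts false as well, so the flag can be cleared after the staging document is created; if it is meant to be set exactly once, a comment saying so, or a DCHECK in the setter, would pin that down.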
@@ -2101,6 +2108,8 @@ class CORE_EXPORT Document : public ContainerNode,
// TODO(altimin): We should be able to remove it after we complete
// frame:document lifetime refactoring.
std::unique_ptr<FrameOrWorkerScheduler> detached_scheduler_;
+
+ bool is_for_markup_sanitization_ = false;
};
extern template class CORE_EXTERN_TEMPLATE_EXPORT Supplement<Document>;
diff --git a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
index 4d3a1075398..633ad1b4247 100644
--- a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
+++ b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
@@ -786,6 +786,8 @@ static Document* CreateStagingDocumentForMarkupSanitization() {
DCHECK(document->IsHTMLDocument());
DCHECK(document->body());
+ document->SetIsForMarkupSanitization(true);
+
return document;
}
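Review bot: This call is the only place that opts the staging document into the @import restriction, yet nothing here says so; a short comment above the added line, e.g. `// Mark the staging document so the CSS parser rejects @import rules and no style sheet loads are triggered during sanitization.`, ties this function to the check in CSSParserImpl::ParseStyleSheet. As far as this hunk shows, the flag is set once the document and its body exist and before the function returns, which is the right place; CreateStagingDocumentForMarkupSanitization begins above the hunk, so whether any markup is parsed into the document earlier cannot be ruled out from here.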