authorDominic Battre <battre@chromium.org>2020-01-03 20:01:10 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-06 12:03:11 +0000
commit80029e447371aa473ac524177cc0667742e93ee2 (patch)
tree1811410fb4a5e38a689dc1e78e82d27ee99fab7d
parentada63371bafd041317141b7bf15674b5366df3fc (diff)
[Backport] CVE-2020-6393 - Insufficient policy enforcement in Blink
Manual backport of patch originally reviewed https://chromium-review.googlesource.com/c/chromium/src/+/1972849 https://chromium-review.googlesource.com/c/chromium/src/+/1986791: Override scroll{Width,Height} in suggest state We have added input::-internal-input-suggested, textarea::-internal-input-suggested { font: -webkit-small-control !important; } to html.css to prevent the scrollWidth/scrollHeight attributes of an input element from disclosing information about autofill content that is in suggest (preview) state. This CL mocks out the scrollWidth/scrollHeight values in preview state and may allow us to disable the font overriding again. TBR=kojii@chromium.org (cherry picked from commit 39f06061af8da287363cba093071ec348ef642c2) Bug: 1035058 Change-Id: Ib7b56127f780a19672beb61e4b760a13e3f260cd Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/html/resources/html.css5
-rw-r--r--chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc16
-rw-r--r--chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h3
-rw-r--r--chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc10
4 files changed, 34 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/resources/html.css b/chromium/third_party/blink/renderer/core/html/resources/html.css
index 5c5b6501fe4..00d87abffa1 100644
--- a/chromium/third_party/blink/renderer/core/html/resources/html.css
+++ b/chromium/third_party/blink/renderer/core/html/resources/html.css
@@ -533,6 +533,11 @@ input::-internal-input-suggested {
input::-internal-input-suggested,
textarea::-internal-input-suggested {
font: -webkit-small-control !important;
+ /* Prevent that overflow affects the scrollable area. Without this,
+ LayoutBox::*Scroll{Height,Width}() may determine the scroll width/height
+ from the scrollable area instead of from the overrides in
+ LayoutTextControl{Single,Multi}Line::Scroll{Height,Width}(). */
+ overflow: hidden !important;
}
input[type="password" i] {
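Review bot: The comment on the new `overflow: hidden !important` line explains what it blocks inside LayoutBox but not why `!important` is what makes this a security property rather than a default: a `!important` declaration in the UA sheet outranks author `!important`, so page CSS cannot re-enable overflow and route around the Scroll{Width,Height} overrides. A one-line addition such as `/* !important is required: UA-origin !important outranks author !important, so page styles cannot undo this. */` would record that for the next person who is tempted to drop it. The same reasoning presumably holds for the existing `font` line shown as context above, though that line is not part of this change.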
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
index ef3a634471d..33ec87c2d86 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
@@ -108,4 +108,20 @@ LayoutObject* LayoutTextControlMultiLine::LayoutSpecialExcludedChild(
return placeholder_layout_object;
}
+LayoutUnit LayoutTextControlMultiLine::ScrollWidth() const {
+ // If in preview state, fake the scroll width to prevent that any information
+ // about the suggested content can be derived from the size.
+ if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+ return ClientWidth();
+ return LayoutTextControl::ScrollWidth();
+}
+
+LayoutUnit LayoutTextControlMultiLine::ScrollHeight() const {
+ // If in preview state, fake the scroll height to prevent that any information
+ // about the suggested content can be derived from the size.
+ if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+ return ClientHeight();
+ return LayoutTextControl::ScrollHeight();
+}
+
} // namespace blink
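Review bot: The preview-state predicate `!GetTextControlElement()->SuggestedValue().IsEmpty()` is written out four times by this backport — in ScrollWidth() and ScrollHeight() here, and again in both LayoutTextControlSingleLine hunks below — so the check that the whole mitigation hinges on has four places to drift apart. A one-line helper on the shared base class, e.g. `bool HasSuggestedValue() const { return !GetTextControlElement()->SuggestedValue().IsEmpty(); }`, would let each override read `if (HasSuggestedValue()) return ClientWidth();` and keep the suggest-state definition in one spot. Whether GetTextControlElement() can ever be null for a text control layout object is not visible in this diff; if the base class guards that elsewhere, the helper is also the natural place to carry the same guard.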
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
index 67401f83c24..dd9325d1250 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
@@ -62,6 +62,9 @@ class LayoutTextControlMultiLine final : public LayoutTextControl {
LayoutObject* LayoutSpecialExcludedChild(bool relayout_children,
SubtreeLayoutScope&) override;
+
+ LayoutUnit ScrollWidth() const override;
+ LayoutUnit ScrollHeight() const override;
};
DEFINE_LAYOUT_OBJECT_TYPE_CASTS(LayoutTextControlMultiLine, IsTextArea());
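Review bot: The two added override declarations carry no comment, yet the header is where a reader of LayoutTextControlMultiLine first learns that this class reports scroll extents that differ from the real content, and the rationale currently lives only in the .cc. A short comment above them, such as `// While a suggested (preview) value is shown, report the client extents so the size of autofill content cannot be observed through scrollWidth/scrollHeight.`, would state the contract at the declaration.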
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc b/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
index 135c0ce4703..2e5726c3993 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
@@ -276,6 +276,11 @@ void LayoutTextControlSingleLine::Autoscroll(const PhysicalOffset& position) {
}
LayoutUnit LayoutTextControlSingleLine::ScrollWidth() const {
+ // If in preview state, fake the scroll width to prevent that any information
+ // about the suggested content can be derived from the size.
+ if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+ return ClientWidth();
+
if (LayoutBox* inner = InnerEditorElement()
? InnerEditorElement()->GetLayoutBox()
: nullptr) {
@@ -288,6 +293,11 @@ LayoutUnit LayoutTextControlSingleLine::ScrollWidth() const {
}
LayoutUnit LayoutTextControlSingleLine::ScrollHeight() const {
+ // If in preview state, fake the scroll height to prevent that any information
+ // about the suggested content can be derived from the size.
+ if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+ return ClientHeight();
+
if (LayoutBox* inner = InnerEditorElement()
? InnerEditorElement()->GetLayoutBox()
: nullptr) {