authorMason Freed <masonfreed@chromium.org>2019-11-30 07:48:15 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-10 15:48:20 +0000
commit98f5d9e5b14b590b6c948fa8b2728f3e47958a7d (patch)
treec614de66b67616154980bba7a2606d9705deaefd
parentf938fe1765e30dea5789ddb9113d218abe2ec532 (diff)
[Backport] CVE-2020-6413 - Inappropriate implementation in Blink
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1940722: Fix parser mXSS sanitizer bypass for <p> and <br> within foreign context Prior to this CL, the following code: <svg></p></svg> parsed to this innerHTML: <svg><p></p></svg> This is in contrast to this code: <svg><p></svg> which parses to <svg></svg><p></p> The fact that the </p> is left inside the <svg> allowed sanitizer bypasses as detailed in [1]. Please also see [2] for the spec discussion. With this CL, </p> and </br> within a foreign context now cause the closing of the foreign context. [1] https://research.securitum.com/dompurify-bypass-using-mxss/ [2] https://github.com/whatwg/html/issues/5113 Bug: 1005713 Change-Id: Iecaced38ed06c74296731c0bdcc10d2bbb462ff8 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc7
-rw-r--r--chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc8
2 files changed, 14 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
index e27ad677177..2bcc67d216f 100644
--- a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
+++ b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder.cc
@@ -2693,6 +2693,13 @@ void HTMLTreeBuilder::ProcessTokenInForeignContent(AtomicHTMLToken* token) {
tree_.OpenElements()->Pop();
return;
}
+ if (token->GetName() == html_names::kBrTag ||
+ token->GetName() == html_names::kPTag) {
+ ParseError(token);
+ tree_.OpenElements()->PopUntilForeignContentScopeMarker();
+ ProcessEndTag(token);
+ return;
+ }
if (!tree_.CurrentStackItem()->IsInHTMLNamespace()) {
// FIXME: This code just wants an Element* iterator, instead of an
// ElementRecord*
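Review bot: The new `br`/`p` branch carries no comment tying it to the spec rule it implements, so a later reader of ProcessTokenInForeignContent cannot tell why exactly these two end tags are allowed to pop out of a foreign context while every other unmatched end tag is not; add above the `if` a comment such as `// Per whatwg/html#5113 an end tag named "br" or "p" in foreign content is a parse error that pops to the nearest foreign-content scope marker and is reprocessed in HTML; leaving </p> inside <svg> is an mXSS sanitizer bypass (crbug 1005713).` The diffstat lists only the two parser sources, so this backport ships without a regression test; the `<svg></p></svg>` → `<svg></svg><p></p>` and `</br>` cases should be pinned in a tree-builder or web test so the branch survives the next rebase. The enclosing end-tag branch and the function itself begin before the hunk, so that the new check is already guarded by token type, as the preceding `script` end-tag handling suggests, has to be confirmed there.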
diff --git a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
index ed65f066854..65135aee48b 100644
--- a/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
+++ b/chromium/third_party/blink/renderer/core/html/parser/html_tree_builder_simulator.cc
@@ -211,7 +211,13 @@ HTMLTreeBuilderSimulator::SimulatedToken HTMLTreeBuilderSimulator::Simulate(
}
}
}
-
+ if (token.GetType() == HTMLToken::kEndTag && InForeignContent()) {
+ const String& tag_name = token.Data();
+ if (ThreadSafeMatch(tag_name, html_names::kPTag) ||
+ ThreadSafeMatch(tag_name, html_names::kBrTag)) {
+ namespace_stack_.pop_back();
+ }
+ }
if (token.GetType() == HTMLToken::kEndTag ||
(token.GetType() == HTMLToken::kStartTag && token.SelfClosing() &&
InForeignContent())) {
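Review bot: `namespace_stack_.pop_back()` removes exactly one namespace entry, whereas the tree builder's counterpart in html_tree_builder.cc pops every foreign element up to the nearest HTML-namespace node or integration point, so for nested foreign roots such as `<svg><svg></p>` the simulator would still report InForeignContent() after the real parser has returned to HTML — assuming, as the end-tag handling below suggests, that each `<svg>`/`<math>` start tag pushes its own entry. That only skews the preload scanner (resources after the `</p>` are classified in the wrong namespace), not the DOM the tree builder produces, but it is a divergence this backport introduces between the two. If InForeignContent() is defined as `namespace_stack_.back() != HTML` with an HTML entry at the bottom of the stack, `while (InForeignContent()) namespace_stack_.pop_back();` mirrors PopUntilForeignContentScopeMarker, since integration points are already recorded as HTML entries. A one-line comment naming the tree-builder rule this mirrors would also help keep the two in sync; the enclosing Simulate() begins before the hunk and continues past it.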