author | Clark DuVall <cduvall@chromium.org> | 2020-01-15 13:41:02 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-01-16 13:09:36 +0000 |
commit | 9df23a4c06e64a0f35fe5541e5542ccec9dad170 (patch) | |
tree | 74d99475c15d8b8ba6170e5e2f5c7cb64ffa8c5a | |
parent | 11f1bad3655132011ad5d74e5c92f1b03466ea48 (diff) | |
download | qtwebengine-chromium-9df23a4c06e64a0f35fe5541e5542ccec9dad170.tar.gz |
[Backport] CVE-2019-13754: Insufficient policy enforcement in extensions. (3/3)
Manual backport of patch:
Change WebRequest proxy redirect logic to match NavigationURLLoaderImpl
The safe redirect checking logic in NavigationURLLoaderImpl was changed
in http://crrev.com/c/1779310 to remove the check for web accessible
extensions resources. There was similar logic in the WebRequest proxy
that should be removed to match.
This was causing the network_service_web_request_proxy_browser_tests to
fail on the Mojo Linux bot. These tests run with a WebRequest proxy
forced on to test the logic:
https://ci.chromium.org/p/chromium/builders/ci/Mojo%20Linux/40022
Bug: 442579
Change-Id: Ifb90d3e5478faec1956877f7fe683e306f7664d3
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc | 10 | ||||
-rw-r--r-- | chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h | 4 |
2 files changed, 10 insertions, 4 deletions
diff --git a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
index dc342974f9c..efe0bf7cd33 100644
--- a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
+++ b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
@@ -278,7 +278,8 @@ void WebRequestProxyingURLLoaderFactory::InProgressRequest::OnReceiveRedirect(
 const net::RedirectInfo& redirect_info,
 const network::ResourceResponseHead& head) {
 if (redirect_url_ != redirect_info.new_url &&
- !IsRedirectSafe(request_.url, redirect_info.new_url)) {
+ !IsRedirectSafe(request_.url, redirect_info.new_url,
+ info_->is_navigation_request)) {
 OnRequestError(
 network::URLLoaderCompletionStatus(net::ERR_UNSAFE_REDIRECT));
 return;
@@ -829,8 +830,11 @@ void WebRequestProxyingURLLoaderFactory::InProgressRequest::OnRequestError(
 // Determines whether it is safe to redirect from |from_url| to |to_url|.
 bool WebRequestProxyingURLLoaderFactory::InProgressRequest::IsRedirectSafe(
 const GURL& from_url,
- const GURL& to_url) {
- if (to_url.SchemeIs(extensions::kExtensionScheme)) {
+ const GURL& to_url,
+ bool is_navigation_request) {
+ // For navigations, non-web accessible resources will be blocked by
+ // ExtensionNavigationThrottle.
+ if (!is_navigation_request && to_url.SchemeIs(extensions::kExtensionScheme)) {
 const Extension* extension =
 ExtensionRegistry::Get(factory_->browser_context_)
 ->enabled_extensions()
diff --git a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
index ddc6a3e4ea7..dcbeee72d5a 100644
--- a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
+++ b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
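Review bot: In the second hunk, when `is_navigation_request` is true `IsRedirectSafe` skips the `extensions::kExtensionScheme` branch entirely, so for navigations the web-accessible-resource check now depends wholly on the `ExtensionNavigationThrottle` named in the new comment. Because this is a manual backport into another embedder, it is worth confirming that the throttle is registered for every navigation that can pass through this proxy; nothing in the hunk shows that, and without it a redirect to a non-web-accessible extension resource would no longer be rejected here. I would state the dependency as an invariant in the comment, e.g. `// Relies on ExtensionNavigationThrottle being installed for all navigations; otherwise this skips the web-accessible-resource check.`, and extend the existing `// Determines whether it is safe to redirect ...` line to describe the new parameter. The body of `IsRedirectSafe` continues outside the hunk, so what navigation requests fall through to is not visible.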
@@ -116,7 +116,9 @@ class WebRequestProxyingURLLoaderFactory
 void HandleResponseOrRedirectHeaders(
 net::CompletionOnceCallback continuation);
 void OnRequestError(const network::URLLoaderCompletionStatus& status);
- bool IsRedirectSafe(const GURL& from_url, const GURL& to_url);
+ bool IsRedirectSafe(const GURL& from_url,
+ const GURL& to_url,
+ bool is_navigation_request);
 void HandleBeforeRequestRedirect();
 WebRequestProxyingURLLoaderFactory* const factory_; |