[Backport] Security issue 1098860v5.15.1

M85: Correctly retrieve the plugin when printing. The logic in PrintRenderFrameHelper to retrieve a plugin is out of sync with the logic in WebLocalFrameImpl::PrintBegin(). If PrintRenderFrameHelper thinks it is printing a webpage, while WebLocalFrameImpl thinks it is printing a plugin, bad things happen. Fix this by adding WebLocalFrame::GetPluginToPrint(), to expose the plugin finding logic in WebLocalFrameImpl. With GetPluginToPrint() available, PrintRenderFrameHelper can delete its own GetPlugin() helper, and switch the GetPlugin() callers to use GetPluginToPrint() instead. Once synchronized, some use cases for printing Flash now work correctly. (cherry picked from commit f8d7d428b1549ff1f87e3d34c5ca0b53d6ce4e84) Tbr: japhet@chromium.org Bug: 1098860 Change-Id: I9500db9ed2d6da0f87dad84c197f738d3a1e3c84 Reviewed-by: Nate Chapin <japhet@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#791564} Reviewed-by: Lei Zhang <thestig@chromium.org> Cr-Commit-Position: refs/branch-heads/4183@{#1009} Cr-Branched-From: 740e9e8a40505392ba5c8e022a8024b3d018ca65-refs/heads/master@{#782793} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-08-31 14:45:45 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-08-31 13:46:46 +0000
commit: 62bc475876cbae17e2e39175fe321780512e5951 (patch)
tree: 8fbf70395d93c7bb7216c4d305290e881259f0f6
parent: a9c2e7190bbf1da1133d8d80f0208dc320e003cc (diff)
download: qtwebengine-chromium-62bc475876cbae17e2e39175fe321780512e5951.tar.gz
5 files changed, 50 insertions, 45 deletions
diff --git a/chromium/components/printing/renderer/print_render_frame_helper.cc b/chromium/components/printing/renderer/print_render_frame_helper.cc
index 3c0d337bb26..c54783ed299 100644
--- a/chromium/components/printing/renderer/print_render_frame_helper.cc
+++ b/chromium/components/printing/renderer/print_render_frame_helper.cc
@@ -58,8 +58,6 @@
 #include "third_party/blink/public/web/web_local_frame_client.h"
 #include "third_party/blink/public/web/web_navigation_control.h"
 #include "third_party/blink/public/web/web_plugin.h"
-#include "third_party/blink/public/web/web_plugin_container.h"
-#include "third_party/blink/public/web/web_plugin_document.h"
 #include "third_party/blink/public/web/web_print_params.h"
 #include "third_party/blink/public/web/web_print_preset_options.h"
 #include "third_party/blink/public/web/web_script_source.h"
@@ -340,28 +338,14 @@ void ComputeWebKitPrintParamsInDesiredDpi(
   webkit_print_params->pages_per_sheet = print_params.pages_per_sheet;
 }
 
-blink::WebPlugin* GetPlugin(const blink::WebLocalFrame* frame) {
-  return frame->GetDocument().IsPluginDocument()
-             ? frame->GetDocument().To<blink::WebPluginDocument>().Plugin()
-             : nullptr;
-}
-
-bool IsPrintingNodeOrPdfFrame(const blink::WebLocalFrame* frame,
+bool IsPrintingNodeOrPdfFrame(blink::WebLocalFrame* frame,
                               const blink::WebNode& node) {
-  if (!node.IsNull())
-    return true;
-  blink::WebPlugin* plugin = GetPlugin(frame);
+  blink::WebPlugin* plugin = frame->GetPluginToPrint(node);
   return plugin && plugin->SupportsPaginatedPrint();
 }
 
 bool IsPrintingPdf(blink::WebLocalFrame* frame, const blink::WebNode& node) {
-  blink::WebPlugin* plugin;
-  if (node.IsNull()) {
-    plugin = GetPlugin(frame);
-  } else {
-    blink::WebPluginContainer* plugin_container = node.PluginContainer();
-    plugin = plugin_container ? plugin_container->Plugin() : nullptr;
-  }
+  blink::WebPlugin* plugin = frame->GetPluginToPrint(node);
   return plugin && plugin->IsPdfPlugin();
 }
 
@@ -2317,7 +2301,7 @@ void PrintRenderFrameHelper::RequestPrintPreview(PrintPreviewRequestType type) {
       // 2. PrintHostMsg_ShowScriptedPrintPreview shows preview once the
       //    document has been loaded.
       is_scripted_preview_delayed_ = true;
-      if (is_loading_ && GetPlugin(print_preview_context_.source_frame())) {
+      if (is_loading_ && print_preview_context_.IsPlugin()) {
         // Wait for DidStopLoading. Plugins may not know the correct
         // |is_modifiable| value until they are fully loaded, which occurs when
         // DidStopLoading() is called. Defer showing the preview until then.
@@ -2344,7 +2328,7 @@ void PrintRenderFrameHelper::RequestPrintPreview(PrintPreviewRequestType type) {
       // Wait for DidStopLoading. Continuing with this function while
       // |is_loading_| is true will cause print preview to hang when try to
       // print a PDF document.
-      if (is_loading_ && GetPlugin(print_preview_context_.source_frame())) {
+      if (is_loading_ && print_preview_context_.IsPlugin()) {
         on_stop_loading_closure_ =
             base::BindOnce(&PrintRenderFrameHelper::RequestPrintPreview,
                            weak_ptr_factory_.GetWeakPtr(), type);
@@ -2355,12 +2339,12 @@ void PrintRenderFrameHelper::RequestPrintPreview(PrintPreviewRequestType type) {
     }
     case PRINT_PREVIEW_USER_INITIATED_SELECTION: {
       DCHECK(has_selection);
-      DCHECK(!GetPlugin(print_preview_context_.source_frame()));
+      DCHECK(!print_preview_context_.IsPlugin());
       params.selection_only = has_selection;
       break;
     }
     case PRINT_PREVIEW_USER_INITIATED_CONTEXT_NODE: {
-      if (is_loading_ && GetPlugin(print_preview_context_.source_frame())) {
+      if (is_loading_ && print_preview_context_.IsPlugin()) {
         on_stop_loading_closure_ =
             base::BindOnce(&PrintRenderFrameHelper::RequestPrintPreview,
                            weak_ptr_factory_.GetWeakPtr(), type);
@@ -2429,8 +2413,7 @@ void PrintRenderFrameHelper::PrintPreviewContext::InitWithFrame(
   state_ = INITIALIZED;
   source_frame_.Reset(web_frame);
   source_node_.Reset();
-  CalculateIsModifiable();
-  CalculateIsPdf();
+  CalculatePluginAttributes();
 }
 
 void PrintRenderFrameHelper::PrintPreviewContext::InitWithNode(
@@ -2441,8 +2424,7 @@ void PrintRenderFrameHelper::PrintPreviewContext::InitWithNode(
   state_ = INITIALIZED;
   source_frame_.Reset(web_node.GetDocument().GetFrame());
   source_node_ = web_node;
-  CalculateIsModifiable();
-  CalculateIsPdf();
+  CalculatePluginAttributes();
 }
 
 void PrintRenderFrameHelper::PrintPreviewContext::OnPrintPreview() {
@@ -2580,6 +2562,11 @@ bool PrintRenderFrameHelper::PrintPreviewContext::IsForArc() const {
   return is_for_arc_;
 }
 
+bool PrintRenderFrameHelper::PrintPreviewContext::IsPlugin() const {
+  DCHECK(state_ != UNINITIALIZED);
+  return is_plugin_;
+}
+
 bool PrintRenderFrameHelper::PrintPreviewContext::IsModifiable() const {
   DCHECK(state_ != UNINITIALIZED);
   return is_modifiable_;
@@ -2670,11 +2657,9 @@ void PrintRenderFrameHelper::PrintPreviewContext::ClearContext() {
   error_ = PREVIEW_ERROR_NONE;
 }
 
-void PrintRenderFrameHelper::PrintPreviewContext::CalculateIsModifiable() {
+void PrintRenderFrameHelper::PrintPreviewContext::CalculatePluginAttributes() {
+  is_plugin_ = !!source_frame()->GetPluginToPrint(source_node_);
   is_modifiable_ = !IsPrintingNodeOrPdfFrame(source_frame(), source_node_);
-}
-
-void PrintRenderFrameHelper::PrintPreviewContext::CalculateIsPdf() {
   is_pdf_ = IsPrintingPdf(source_frame(), source_node_);
 }
 
diff --git a/chromium/components/printing/renderer/print_render_frame_helper.h b/chromium/components/printing/renderer/print_render_frame_helper.h
index a432a1e0071..f0cac89594e 100644
--- a/chromium/components/printing/renderer/print_render_frame_helper.h
+++ b/chromium/components/printing/renderer/print_render_frame_helper.h
@@ -499,6 +499,7 @@ class PrintRenderFrameHelper
     int GetNextPageNumber();
     bool IsRendering() const;
     bool IsForArc() const;
+    bool IsPlugin() const;
     bool IsModifiable() const;
     bool IsPdf() const;
     bool HasSelection();
@@ -539,9 +540,7 @@ class PrintRenderFrameHelper
     // Reset some of the internal rendering context.
     void ClearContext();
 
-    void CalculateIsModifiable();
-
-    void CalculateIsPdf();
+    void CalculatePluginAttributes();
 
     // Specifies what to render for print preview.
     FrameReference source_frame_;
@@ -559,6 +558,9 @@ class PrintRenderFrameHelper
     // List of page indices that need to be rendered.
     std::vector<int> pages_to_render_;
 
+    // True, if the document source is a plugin.
+    bool is_plugin_ = false;
+
     // True, if the document source is modifiable. e.g. HTML and not PDF.
     bool is_modifiable_ = true;
 
diff --git a/chromium/third_party/blink/public/web/web_local_frame.h b/chromium/third_party/blink/public/web/web_local_frame.h
index 3eed50d6101..1b359a40ccd 100644
--- a/chromium/third_party/blink/public/web/web_local_frame.h
+++ b/chromium/third_party/blink/public/web/web_local_frame.h
@@ -48,6 +48,7 @@ class WebLocalFrameClient;
 class WebFrameWidget;
 class WebInputMethodController;
 class WebPerformance;
+class WebPlugin;
 class WebRange;
 class WebSecurityOrigin;
 class WebScriptExecutionCallback;
@@ -672,13 +673,16 @@ class WebLocalFrame : public WebFrame {
   // This function should be called before pairs of PrintBegin() and PrintEnd().
   virtual void DispatchBeforePrintEvent() = 0;
 
+  // Get the plugin to print, if any. The |constrain_to_node| parameter is the
+  // same as the one for PrintBegin() below.
+  virtual WebPlugin* GetPluginToPrint(const WebNode& constrain_to_node) = 0;
+
   // Reformats the WebFrame for printing. WebPrintParams specifies the printable
   // content size, paper size, printable area size, printer DPI and print
-  // scaling option. If constrainToNode node is specified, then only the given
+  // scaling option. If |constrain_to_node| is specified, then only the given
   // node is printed (for now only plugins are supported), instead of the entire
   // frame.
-  // Returns the number of pages that can be printed at the given
-  // page size.
+  // Returns the number of pages that can be printed at the given page size.
   virtual int PrintBegin(const WebPrintParams&,
                          const WebNode& constrain_to_node = WebNode()) = 0;
 
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
index 82373c9da3c..b75796effac 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
@@ -1544,19 +1544,29 @@ void WebLocalFrameImpl::DispatchPrintEventRecursively(
   }
 }
 
-int WebLocalFrameImpl::PrintBegin(const WebPrintParams& print_params,
-                                  const WebNode& constrain_to_node) {
-  WebPluginContainerImpl* plugin_container = nullptr;
+WebPluginContainerImpl* WebLocalFrameImpl::GetPluginToPrintHelper(
+    const WebNode& constrain_to_node) {
   if (constrain_to_node.IsNull()) {
     // If this is a plugin document, check if the plugin supports its own
     // printing. If it does, we will delegate all printing to that.
-    plugin_container = GetFrame()->GetWebPluginContainer();
-  } else {
-    // We only support printing plugin nodes for now.
-    plugin_container =
-        ToWebPluginContainerImpl(constrain_to_node.PluginContainer());
+    return GetFrame()->GetWebPluginContainer();
   }
 
+  // We only support printing plugin nodes for now.
+  return ToWebPluginContainerImpl(constrain_to_node.PluginContainer());
+}
+
+WebPlugin* WebLocalFrameImpl::GetPluginToPrint(
+    const WebNode& constrain_to_node) {
+  WebPluginContainerImpl* plugin_container =
+      GetPluginToPrintHelper(constrain_to_node);
+  return plugin_container ? plugin_container->Plugin() : nullptr;
+}
+
+int WebLocalFrameImpl::PrintBegin(const WebPrintParams& print_params,
+                                  const WebNode& constrain_to_node) {
+  WebPluginContainerImpl* plugin_container =
+      GetPluginToPrintHelper(constrain_to_node);
   if (plugin_container && plugin_container->SupportsPaginatedPrint()) {
     print_context_ = MakeGarbageCollected<ChromePluginPrintContext>(
         GetFrame(), plugin_container, print_params);
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
index 494da9a58b2..ba64811212c 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
@@ -292,6 +292,7 @@ class CORE_EXPORT WebLocalFrameImpl final
   bool HasVisibleContent() const override;
   WebRect VisibleContentRect() const override;
   void DispatchBeforePrintEvent() override;
+  WebPlugin* GetPluginToPrint(const WebNode& constrain_to_node) override;
   int PrintBegin(const WebPrintParams&,
                  const WebNode& constrain_to_node) override;
   float GetPrintPageShrink(int page) override;
@@ -477,6 +478,9 @@ class CORE_EXPORT WebLocalFrameImpl final
   // A helper for DispatchBeforePrintEvent() and DispatchAfterPrintEvent().
   void DispatchPrintEventRecursively(const AtomicString& event_type);
 
+  WebPluginContainerImpl* GetPluginToPrintHelper(
+      const WebNode& constrain_to_node);
+
   Node* ContextMenuNodeInner() const;
 
   WebLocalFrameClient* client_;
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-08-31 14:45:45 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-08-31 13:46:46 +0000
commit	62bc475876cbae17e2e39175fe321780512e5951 (patch)
tree	8fbf70395d93c7bb7216c4d305290e881259f0f6
parent	a9c2e7190bbf1da1133d8d80f0208dc320e003cc (diff)
download	qtwebengine-chromium-62bc475876cbae17e2e39175fe321780512e5951.tar.gz