path: root/chromium/content/public/browser/navigation_controller.cc
author Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-15 10:48:34 +0200
committer Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-16 12:23:47 +0000
commit 1f64c1f27840316f9f525d9b74a9ac9a22da841d (patch)
tree 45883cb940ff4a92e2e9fa6dc469195dd630eec6 /chromium/content/public/browser/navigation_controller.cc
parent e8ba421d30c92f095346c574c0d2bbf7e6a10369 (diff)
download qtwebengine-chromium-1f64c1f27840316f9f525d9b74a9ac9a22da841d.tar.gz
[Backport] CVE-2019-13665
Fix multiple download protection for <a download> x-origin redirect

The bug: multiple downloads protection is bypassed when there are multiple <a download> download attempts and they end up triggering a x-origin redirect to another download.

The cause: Each x-origin redirect following the <a download> is being treated as a navigation. (See DownloadManagerImpl::InterceptDownload() (NetworkService enabled), DownloadResourceHandler::OnRequestRedirected() (NetworkService disabled)). The navigation will hit DownloadRequestLimiter::TabDownloadState::DidStartNavigation that resets some state of the limiter, and future downloads won't be prevented.

The solution: plumb |from_download_cross_origin_redirect| to NavigationRequest, and skip resetting the limiter state when the flag is true.

Bug: 959640
Change-Id: I7d8aca09670be5258e149e34e3e6f2f3107442ff
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Min Qin <qinmin@chromium.org>
Commit-Queue: Yao Xiao <yaoxia@chromium.org>
Cr-Commit-Position: refs/heads/master@{#665973}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/content/public/browser/navigation_controller.cc')
-rw-r--r-- chromium/content/public/browser/navigation_controller.cc 1
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/content/public/browser/navigation_controller.cc b/chromium/content/public/browser/navigation_controller.cc
index 28abe1171a9..7b11ca8f266 100644
--- a/chromium/content/public/browser/navigation_controller.cc
+++ b/chromium/content/public/browser/navigation_controller.cc
@@ -25,6 +25,7 @@ NavigationController::LoadURLParams::LoadURLParams(const GURL& url)
should_clear_history_list(false),
started_from_context_menu(false),
navigation_ui_data(nullptr),
+ from_download_cross_origin_redirect(false),
was_activated(WasActivatedOption::kUnknown),
reload_type(ReloadType::NONE) {}
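Review bot: The added from_download_cross_origin_redirect(false) initializer sits between navigation_ui_data and was_activated, so the member declaration in the header (not part of this file-limited diff) has to occupy the same position, otherwise the initializer order and declaration order disagree and the build emits a reorder warning. Because the commit message says a true value skips resetting the download limiter state, false is the right default here, and the declaration should carry a comment saying that only the download cross-origin redirect path is expected to set it. Consider a default member initializer at the declaration as well, so the safe value does not depend on this one constructor's initializer list.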