author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-15 10:48:34 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-16 12:23:47 +0000 |
commit | 1f64c1f27840316f9f525d9b74a9ac9a22da841d (patch) | |
tree | 45883cb940ff4a92e2e9fa6dc469195dd630eec6 /chromium/content/public/browser/navigation_controller.cc | |
parent | e8ba421d30c92f095346c574c0d2bbf7e6a10369 (diff) | |
download | qtwebengine-chromium-1f64c1f27840316f9f525d9b74a9ac9a22da841d.tar.gz |
[Backport] CVE-2019-13665
Fix multiple download protection for <a download> x-origin redirect
The bug: multiple downloads protection is bypassed when there are multiple
<a download> download attempts and they end up triggering a x-origin redirect
to another download.
The cause: Each x-origin redirect following the <a download> is being treated as
a navigation. (See DownloadManagerImpl::InterceptDownload() (NetworkService
enabled), DownloadResourceHandler::OnRequestRedirected() (NetworkService
disabled)). The navigation will hit
DownloadRequestLimiter::TabDownloadState::DidStartNavigation that resets some
state of the limiter, and future downloads won't be prevented.
The solution: plumb |from_download_cross_origin_redirect| to NavigationRequest,
and skip resetting the limiter state when the flag is true.
Bug: 959640
Change-Id: I7d8aca09670be5258e149e34e3e6f2f3107442ff
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Min Qin <qinmin@chromium.org>
Commit-Queue: Yao Xiao <yaoxia@chromium.org>
Cr-Commit-Position: refs/heads/master@{#665973}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/content/public/browser/navigation_controller.cc')
-rw-r--r-- | chromium/content/public/browser/navigation_controller.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/content/public/browser/navigation_controller.cc b/chromium/content/public/browser/navigation_controller.cc index 28abe1171a9..7b11ca8f266 100644 --- a/chromium/content/public/browser/navigation_controller.cc +++ b/chromium/content/public/browser/navigation_controller.cc @@ -25,6 +25,7 @@ NavigationController::LoadURLParams::LoadURLParams(const GURL& url) should_clear_history_list(false), started_from_context_menu(false), navigation_ui_data(nullptr), + from_download_cross_origin_redirect(false), was_activated(WasActivatedOption::kUnknown), reload_type(ReloadType::NONE) {} |
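Review bot: The new from_download_cross_origin_redirect(false) initializer in LoadURLParams::LoadURLParams(const GURL& url) sits between navigation_ui_data and was_activated, so the member has to be declared at that same position in the header, which this file-limited view does not show; please confirm the declaration order matches so the initializer list does not run out of order. Because this is a field on a struct under content/public and, per the commit message, a true value makes the download limiter skip its state reset, the declaration should carry a comment saying that only the download cross-origin redirect path is expected to set it. Defaulting to false here keeps the existing reset-on-navigation behaviour for every other caller that constructs LoadURLParams, which is the right default.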