author | Yoav Weiss <yoavweiss@chromium.org> | 2021-01-07 20:07:33 +0000 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-02-08 09:50:35 +0000 |
commit | 6470481805c7b928d809d8e1997ec451fad0c06e (patch) | |
tree | e49f51a57dc57367e0d9f9ae2d3c3d6ac9d9f5e2 /chromium/third_party | |
parent | 19c6bab869563fc97a5047eeea6eed7992458af8 (diff) | |
[Backport] CVE-2021-21135: Inappropriate implementation in Performance API
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2592792:
Fix negative duration case
Bug: 1157818
Change-Id: Ie5e75ccb239735f3500f8763e4d9255eba2056e6
Commit-Queue: Yoav Weiss <yoavweiss@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Nicolás Peña Moreno <npm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#841159}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party')
9 files changed, 45 insertions, 26 deletions
diff --git a/chromium/third_party/blink/public/platform/web_url_loader_client.h b/chromium/third_party/blink/public/platform/web_url_loader_client.h index 55be6c1dae9..ec58e5d183a 100644 --- a/chromium/third_party/blink/public/platform/web_url_loader_client.h +++ b/chromium/third_party/blink/public/platform/web_url_loader_client.h @@ -116,8 +116,10 @@ class BLINK_PLATFORM_EXPORT WebURLLoaderClient { bool should_report_corb_blocking) {} // Called when the load completes with an error. + // |finish_time| indicating the time in which the response failed. // |total_encoded_data_length| may be equal to kUnknownEncodedDataLength. virtual void DidFail(const WebURLError&, + base::TimeTicks finish_time, int64_t total_encoded_data_length, int64_t total_encoded_body_length, int64_t total_decoded_body_length) {} diff --git a/chromium/third_party/blink/renderer/core/testing/sim/sim_network.cc b/chromium/third_party/blink/renderer/core/testing/sim/sim_network.cc index d98907c1e4b..bca903565cc 100644 --- a/chromium/third_party/blink/renderer/core/testing/sim/sim_network.cc +++ b/chromium/third_party/blink/renderer/core/testing/sim/sim_network.cc @@ -71,8 +71,8 @@ void SimNetwork::DidFail(WebURLLoaderClient* client, int64_t total_encoded_body_length, int64_t total_decoded_body_length) { if (!current_request_) { - client->DidFail(error, total_encoded_data_length, total_encoded_body_length, - total_decoded_body_length); + client->DidFail(error, base::TimeTicks::Now(), total_encoded_data_length, + total_encoded_body_length, total_decoded_body_length); return; } current_request_->DidFail(error); diff --git a/chromium/third_party/blink/renderer/core/testing/sim/sim_request.cc b/chromium/third_party/blink/renderer/core/testing/sim/sim_request.cc index dd397737b83..d551d8023e6 100644 --- a/chromium/third_party/blink/renderer/core/testing/sim/sim_request.cc +++ b/chromium/third_party/blink/renderer/core/testing/sim/sim_request.cc 
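Review bot: In the web_url_loader_client.h hunk, `finish_time` is inserted into the parameter list of `DidFail`, a virtual with an empty default body, so an implementer that still declares the old four-argument form without `override` would keep compiling and silently stop receiving failures. Since this is a manual cherry-pick, it is worth confirming that every overrider and caller in the tree was updated; only the nine files of this diff are visible here. The new comment also does not say whether a null `base::TimeTicks` is acceptable; I would word it as `// |finish_time| is the time at which the load failed; pass base::TimeTicks::Now() if no better value is known.` The class body continues outside the hunk.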
@@ -90,17 +90,17 @@ void SimRequestBase::Finish(bool body_loader_finished) { DCHECK(started_); if (error_) { DCHECK(!navigation_body_loader_); - client_->DidFail(*error_, total_encoded_data_length_, - total_encoded_data_length_, total_encoded_data_length_); + client_->DidFail(*error_, base::TimeTicks::Now(), + total_encoded_data_length_, total_encoded_data_length_, + total_encoded_data_length_); } else { if (navigation_body_loader_) { if (!body_loader_finished) navigation_body_loader_->Finish(); } else { - // TODO(esprehn): Is claiming a request time of 0 okay for tests? - client_->DidFinishLoading(base::TimeTicks(), total_encoded_data_length_, - total_encoded_data_length_, - total_encoded_data_length_, false); + client_->DidFinishLoading( + base::TimeTicks::Now(), total_encoded_data_length_, + total_encoded_data_length_, total_encoded_data_length_, false); } } Reset(); diff --git a/chromium/third_party/blink/renderer/platform/exported/web_url_loader_test_delegate.cc b/chromium/third_party/blink/renderer/platform/exported/web_url_loader_test_delegate.cc index 417aab048d2..015bb3cc5e8 100644 --- a/chromium/third_party/blink/renderer/platform/exported/web_url_loader_test_delegate.cc +++ b/chromium/third_party/blink/renderer/platform/exported/web_url_loader_test_delegate.cc @@ -33,8 +33,8 @@ void WebURLLoaderTestDelegate::DidFail(WebURLLoaderClient* original_client, int64_t total_encoded_data_length, int64_t total_encoded_body_length, int64_t total_decoded_body_length) { - original_client->DidFail(error, total_encoded_data_length, - total_encoded_body_length, + original_client->DidFail(error, base::TimeTicks::Now(), + total_encoded_data_length, total_encoded_body_length, total_decoded_body_length); } diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc index a868834b808..94e1366b698 100644 
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc +++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc @@ -1915,6 +1915,7 @@ void ResourceFetcher::HandleLoaderFinish(Resource* resource, } void ResourceFetcher::HandleLoaderError(Resource* resource, + base::TimeTicks finish_time, const ResourceError& error, uint32_t inflight_keepalive_bytes) { DCHECK(resource); @@ -1927,7 +1928,7 @@ void ResourceFetcher::HandleLoaderError(Resource* resource, if (scoped_refptr<ResourceTimingInfo> info = resource_timing_info_map_.Take(resource)) { PopulateAndAddResourceTimingInfo( - resource, info, info->InitialTime(), + resource, info, finish_time, resource->GetResponse().EncodedDataLength()); if (resource->Options().request_initiator_context == kDocumentContext) Context().AddResourceTiming(*info); diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h index 39d66364c87..edebf8237e9 100644 --- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h +++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h @@ -227,6 +227,7 @@ class PLATFORM_EXPORT ResourceFetcher uint32_t inflight_keepalive_bytes, bool should_report_corb_blocking); void HandleLoaderError(Resource*, + base::TimeTicks finish_time, const ResourceError&, uint32_t inflight_keepalive_bytes); blink::mojom::ControllerServiceWorkerMode IsControlledByServiceWorker() const; diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc index 8b1845860be..611b08945d7 100644 --- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc +++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc 
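Review bot: In the second resource_fetcher.cc hunk, `HandleLoaderError` hands `finish_time` to `PopulateAndAddResourceTimingInfo` without checking it, so the non-negative duration this fix is after depends on every caller supplying a usable timestamp. The only guard visible in this commit is the `is_null()` fallback in `ResourceLoader::HandleError`; a default-constructed value from any other caller would reach the timing entry unchanged. I would add `DCHECK(!finish_time.is_null());` next to the existing `DCHECK(resource);`, plus a one-line comment stating that `finish_time` must not precede the request's start. Whether the helper clamps the value is not visible here, and the function body continues outside both hunks.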
@@ -544,7 +544,7 @@ void ResourceLoader::DidFinishLoadingBody() { const ResourceResponse& response = resource_->GetResponse(); if (deferred_finish_loading_info_) { DidFinishLoading( - deferred_finish_loading_info_->response_end, + deferred_finish_loading_info_->response_end_time, response.EncodedDataLength(), response.EncodedBodyLength(), response.DecodedBodyLength(), deferred_finish_loading_info_->should_report_corb_blocking); @@ -552,7 +552,8 @@ void ResourceLoader::DidFinishLoadingBody() { } void ResourceLoader::DidFailLoadingBody() { - DidFail(WebURLError(ResourceError::Failure(resource_->Url())), 0, 0, 0); + DidFail(WebURLError(ResourceError::Failure(resource_->Url())), + base::TimeTicks::Now(), 0, 0, 0); } void ResourceLoader::DidCancelLoadingBody() { @@ -1090,7 +1091,7 @@ void ResourceLoader::DidFinishLoadingFirstPartInMultipart() { 0, false); } -void ResourceLoader::DidFinishLoading(base::TimeTicks response_end, +void ResourceLoader::DidFinishLoading(base::TimeTicks response_end_time, int64_t encoded_data_length, int64_t encoded_body_length, int64_t decoded_body_length, @@ -1099,13 +1100,15 @@ void ResourceLoader::DidFinishLoading(base::TimeTicks response_end, resource_->SetEncodedBodyLength(encoded_body_length); resource_->SetDecodedBodyLength(decoded_body_length); + response_end_time_for_error_cases_ = response_end_time; + if ((response_body_loader_ && !has_seen_end_of_body_ && !response_body_loader_->IsAborted()) || (is_downloading_to_blob_ && !blob_finished_ && blob_response_started_)) { // If the body is still being loaded, we defer the completion until all the // body is received. - deferred_finish_loading_info_ = - DeferredFinishLoadingInfo{response_end, should_report_corb_blocking}; + deferred_finish_loading_info_ = DeferredFinishLoadingInfo{ + response_end_time, should_report_corb_blocking}; if (data_pipe_completion_notifier_) data_pipe_completion_notifier_->SignalComplete(); 
@@ -1128,15 +1131,17 @@ void ResourceLoader::DidFinishLoading(base::TimeTicks response_end, "endData", EndResourceLoadData(RequestOutcome::kSuccess)); fetcher_->HandleLoaderFinish( - resource_.Get(), response_end, ResourceFetcher::kDidFinishLoading, + resource_.Get(), response_end_time, ResourceFetcher::kDidFinishLoading, inflight_keepalive_bytes_, should_report_corb_blocking); } void ResourceLoader::DidFail(const WebURLError& error, + base::TimeTicks response_end_time, int64_t encoded_data_length, int64_t encoded_body_length, int64_t decoded_body_length) { const ResourceRequestHead& request = resource_->GetResourceRequest(); + response_end_time_for_error_cases_ = response_end_time; if (request.IsAutomaticUpgrade()) { mojo::PendingRemote<ukm::mojom::UkmRecorderInterface> pending_recorder; @@ -1192,7 +1197,14 @@ void ResourceLoader::HandleError(const ResourceError& error) { TRACE_ID_LOCAL(resource_->InspectorId())), "endData", EndResourceLoadData(RequestOutcome::kFail)); - fetcher_->HandleLoaderError(resource_.Get(), error, + // Set Now() as the response time, in case a more accurate one wasn't set in + // DidFinishLoading or DidFail. This is important for error cases that don't + // go through those methods. + if (response_end_time_for_error_cases_.is_null()) { + response_end_time_for_error_cases_ = base::TimeTicks::Now(); + } + fetcher_->HandleLoaderError(resource_.Get(), + response_end_time_for_error_cases_, error, inflight_keepalive_bytes_); } @@ -1246,8 +1258,8 @@ void ResourceLoader::RequestSynchronously(const ResourceRequestHead& request) { return; int64_t decoded_body_length = data_out.size(); if (error_out) { - DidFail(*error_out, encoded_data_length, encoded_body_length, - decoded_body_length); + DidFail(*error_out, base::TimeTicks::Now(), encoded_data_length, + encoded_body_length, decoded_body_length); return; } DidReceiveResponse(response_out); 
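Review bot: In the `ResourceLoader::DidFail` hunk the new parameter is named `response_end_time`, while the interface method it overrides in web_url_loader_client.h and `ResourceFetcher::HandleLoaderError` both call the same value `finish_time`. Using one name in all three places would make it easier to follow the timestamp from the loader client to the timing entry. Separately, the `HandleError` fallback writes `base::TimeTicks::Now()` back into `response_end_time_for_error_cases_`; a local such as `const base::TimeTicks finish_time = response_end_time_for_error_cases_.is_null() ? base::TimeTicks::Now() : response_end_time_for_error_cases_;` would leave the member holding only values that were actually reported by `DidFinishLoading` or `DidFail`. Both function bodies extend beyond the hunks shown.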
@@ -1399,7 +1411,7 @@ void ResourceLoader::FinishedCreatingBlob( if (deferred_finish_loading_info_) { const ResourceResponse& response = resource_->GetResponse(); DidFinishLoading( - deferred_finish_loading_info_->response_end, + deferred_finish_loading_info_->response_end_time, response.EncodedDataLength(), response.EncodedBodyLength(), response.DecodedBodyLength(), deferred_finish_loading_info_->should_report_corb_blocking); diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.h b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.h index e862faad874..b67413c3831 100644 --- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.h +++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.h @@ -129,12 +129,13 @@ class PLATFORM_EXPORT ResourceLoader final void DidReceiveTransferSizeUpdate(int transfer_size_diff) override; void DidStartLoadingResponseBody( mojo::ScopedDataPipeConsumerHandle body) override; - void DidFinishLoading(base::TimeTicks response_end, + void DidFinishLoading(base::TimeTicks response_end_time, int64_t encoded_data_length, int64_t encoded_body_length, int64_t decoded_body_length, bool should_report_corb_blocking) override; void DidFail(const WebURLError&, + base::TimeTicks response_end_time, int64_t encoded_data_length, int64_t encoded_body_length, int64_t decoded_body_length) override; @@ -233,7 +234,7 @@ class PLATFORM_EXPORT ResourceLoader final // struct is used to store the information needed to refire DidFinishLoading // when the blob is finished too. struct DeferredFinishLoadingInfo { - base::TimeTicks response_end; + base::TimeTicks response_end_time; bool should_report_corb_blocking; }; base::Optional<DeferredFinishLoadingInfo> deferred_finish_loading_info_; 
@@ -249,6 +250,8 @@ class PLATFORM_EXPORT ResourceLoader final FrameScheduler::SchedulingAffectingFeatureHandle feature_handle_for_scheduler_; + + base::TimeTicks response_end_time_for_error_cases_; }; } // namespace blink diff --git a/chromium/third_party/blink/renderer/platform/loader/internet_disconnected_web_url_loader.cc b/chromium/third_party/blink/renderer/platform/loader/internet_disconnected_web_url_loader.cc index 5cd7acf5a61..17555ff90c7 100644 --- a/chromium/third_party/blink/renderer/platform/loader/internet_disconnected_web_url_loader.cc +++ b/chromium/third_party/blink/renderer/platform/loader/internet_disconnected_web_url_loader.cc @@ -77,9 +77,9 @@ void InternetDisconnectedWebURLLoader::DidChangePriority( void InternetDisconnectedWebURLLoader::DidFail(WebURLLoaderClient* client, const WebURLError& error) { DCHECK(client); - client->DidFail(error, 0 /* total_encoded_data_length */, - 0 /* total_encoded_body_length */, - 0 /* total_decoded_body_length */); + client->DidFail( + error, base::TimeTicks::Now(), /*total_encoded_data_length=*/0, + /*total_encoded_body_length=*/0, /*total_decoded_body_length=*/0); } scoped_refptr<base::SingleThreadTaskRunner> |
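Review bot: The new member `response_end_time_for_error_cases_` in resource_loader.h is declared without a comment, although its meaning depends on three methods in the .cc file. I would add `// End time recorded by DidFinishLoading() or DidFail(); HandleError() substitutes base::TimeTicks::Now() while it is still null.` directly above it. The class declaration starts outside the hunk.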