author Carlos IL <carlosil@chromium.org> 2022-03-16 07:38:59 +0000
committer Michael Brüning <michael.bruning@qt.io> 2022-05-09 12:14:59 +0000
commit d659296c46c0fddcd99a70dc2f56156e0b9d67e2 (patch)
tree 823a3688f9256410f70899c107b10ec9fd809cd0 /chromium/url
parent 5ce03cfdadcdfd150ea51197d216ce139e701ad4 (diff)
download qtwebengine-chromium-d659296c46c0fddcd99a70dc2f56156e0b9d67e2.tar.gz
[Backport] CVE-2022-1498: Inappropriate implementation in HTML Parser

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3527120:

Carry over potentially dangling markup flag for scheme only replacements

Prior to this change, the potentially dangling markup flag was being carried over only in DoCanonicalizeStandardURL, but this failed for scheme-only replacements (since the old parsed URL is not passed to DoCanonicalize for those). This adds a check for the flag directly in DoReplaceComponent that covers scheme only replacements.

Bug: 1297138
Change-Id: I120682b6ee094e7aebb614754855c3e1db2b5544
Auto-Submit: Carlos IL <carlosil@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#981520}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
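The commit message describes a flag that cannot be rederived once a URL has been canonicalized: the characters that triggered it were stripped during the first canonicalization, so re-canonicalizing the scheme-swapped spec yields a clean-looking URL. The following is an added illustration, not Chromium's url_util.cc and not part of this commit. It is a deliberately simplified model: `model::Canonicalize` approximates the potentially-dangling-markup heuristic as "removable whitespace (\n, \r, \t) was stripped and the input also contained '<'", which is an assumption about the real rule, and `model::ReplaceScheme` stands in for the scheme-only branch of `DoReplaceComponents`, with a `carry_over` switch that models the pre-patch and post-patch behaviour.

```cpp
// Added example: a hypothetical model of the bug fixed by this backport.
// Not Chromium code. The heuristic in Canonicalize() is an assumption that
// approximates Chromium's potentially_dangling_markup rule.
#include <cassert>
#include <string>

namespace model {

// Mirrors the one field of url::Parsed that matters for this fix.
struct Parsed {
  std::string spec;                          // canonical spec, whitespace removed
  bool potentially_dangling_markup = false;
};

// Canonicalize a raw URL: strip removable whitespace and flag the result as
// potentially dangling markup when whitespace was removed AND '<' is present.
// (Assumed approximation of the real heuristic.)
Parsed Canonicalize(const std::string& raw) {
  Parsed out;
  bool removed_whitespace = false;
  bool saw_lt = false;
  for (char c : raw) {
    if (c == '\n' || c == '\r' || c == '\t') {
      removed_whitespace = true;  // the evidence disappears from the spec here
      continue;
    }
    if (c == '<') saw_lt = true;
    out.spec.push_back(c);
  }
  out.potentially_dangling_markup = removed_whitespace && saw_lt;
  return out;
}

// Scheme-only replacement on an already-canonical URL. The new spec is
// re-canonicalized, but since the newlines are long gone the flag comes back
// false. carry_over=false models the path before this patch; carry_over=true
// models the added "if (parsed.potentially_dangling_markup)" check.
Parsed ReplaceScheme(const Parsed& parsed, const std::string& new_scheme,
                     bool carry_over) {
  std::string::size_type colon = parsed.spec.find(':');
  std::string rest =
      colon == std::string::npos ? parsed.spec : parsed.spec.substr(colon);
  Parsed out = Canonicalize(new_scheme + rest);
  if (carry_over && parsed.potentially_dangling_markup)
    out.potentially_dangling_markup = true;  // fail closed, as the patch does
  return out;
}

}  // namespace model

// Constructed input: a URL carrying a newline followed by markup. Returns true
// when the original is flagged, the unpatched replacement drops the flag, and
// the patched replacement keeps it.
bool FlagSurvivesSchemeReplacement() {
  const std::string raw = "https://example.com/path?q=\n<img src=x>";
  model::Parsed original = model::Canonicalize(raw);
  model::Parsed before =
      model::ReplaceScheme(original, "http", /*carry_over=*/false);
  model::Parsed after =
      model::ReplaceScheme(original, "http", /*carry_over=*/true);
  return original.potentially_dangling_markup &&
         !before.potentially_dangling_markup &&
         after.potentially_dangling_markup;
}

int main() { return FlagSurvivesSchemeReplacement() ? 0 : 1; }
```

The point the model makes is that the flag is state, not a property of the canonical spec: any replacement path that re-canonicalizes without consulting the input `Parsed` will clear it, which is why the patch copies it forward rather than trying to recompute it.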
Diffstat (limited to 'chromium/url')
-rw-r--r-- chromium/url/url_util.cc 7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/url/url_util.cc b/chromium/url/url_util.cc
index 007baebe7c4..41e74d7092f 100644
--- a/chromium/url/url_util.cc
+++ b/chromium/url/url_util.cc
@@ -441,6 +441,13 @@ bool DoReplaceComponents(const char* spec,
// ref).
Replacements<CHAR> replacements_no_scheme = replacements;
replacements_no_scheme.SetScheme(NULL, Component());
+ // If the input URL has potentially dangling markup, set the flag on the
+ // output too. Note that in some cases the replacement gets rid of the
+ // potentially dangling markup, but this ok since the check will fail
+ // closed.
+ if (parsed.potentially_dangling_markup) {
+ out_parsed->potentially_dangling_markup = true;
+ }
return DoReplaceComponents(recanonicalized.data(), recanonicalized.length(),
recanonicalized_parsed, replacements_no_scheme,
charset_converter, output, out_parsed);
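Review bot: the new check writes the flag into out_parsed before the recursive DoReplaceComponents call on the line below it, which only holds if the inner call never reinitialises *out_parsed; nothing in this hunk shows how that inner path fills out_parsed, and the commit message says the existing carry-over in DoCanonicalizeStandardURL depends on the old Parsed being passed in. It would be more robust to also set recanonicalized_parsed.potentially_dangling_markup = true, so the flag travels with the Parsed the inner call actually receives and cannot be clobbered by whatever that call does to out_parsed. Two smaller points: the diffstat lists only url_util.cc, so no unit test for the scheme-only replacement case is included in this backport, and the new comment should read "but this is ok", not "but this ok".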