author | Xiaocheng Hu <xiaochengh@chromium.org> | 2019-11-27 22:14:31 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 16:05:24 +0000 |
commit | 3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 (patch) | |
tree | c6b20bb54832fb178760871a34ceb4532b1f3140 /chromium | |
parent | e7980ade9ab1ec70db29623ff658e38497c7385d (diff) | |
download | qtwebengine-chromium-3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154.tar.gz |
[Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (3/3)
Manual backport of patch originally reviewed on
Disable CSS @import rules in clipboard markup sanitization
While clipboard markup is allowed to carry style sheets to style the
elements to be pasted (e.g., when copying from Excel), @import rules
should be disabled for security reasons.
This patch disables @import rules when sanitizing the markup in a dummy
document to make sure we don't initiate any stylesheet loading during
the process.
Bug: 1017871:
Change-Id: Ibf997611a0879dd9bb789619044a416e139b0e3c
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'chromium')
5 files changed, 24 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
index 7740ac294b9..2659382232b 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
@@ -254,6 +254,10 @@ bool CSSParserContext::CustomElementsV0Enabled() const {
   return RuntimeEnabledFeatures::CustomElementsV0Enabled(document_);
 }
+bool CSSParserContext::IsForMarkupSanitization() const {
+  return document_ && document_->IsForMarkupSanitization();
+}
+
 void CSSParserContext::Trace(blink::Visitor* visitor) {
   visitor->Trace(document_);
 }
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
index c7435d8330f..1ff90457c38 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
@@ -126,6 +126,8 @@ class CORE_EXPORT CSSParserContext
   // TODO(yoichio): Remove when CustomElementsV0 is removed. crrev.com/660759.
   bool CustomElementsV0Enabled() const;
+  bool IsForMarkupSanitization() const;
+
   void Trace(blink::Visitor*);
  private:
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
index dd681c46f74..7eabb762d87 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
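Review bot: The new `IsForMarkupSanitization()` declaration in css_parser_context.h carries no comment although the neighbouring declaration is documented, and its meaning (the context belongs to the staging document used to sanitize clipboard markup, where @import rules must be rejected) is only discoverable from css_parser_impl.cc. I would add above the declaration: `// True when this context parses for the dummy document used to sanitize clipboard markup; @import rules are rejected there so sanitization never starts a stylesheet load.` The .cc definition returns false when `document_` is null, so a context constructed without a document takes the permissive path; a one-line comment on that return, `// A document-less context is never the sanitization document.`, would make the null case an explicit decision rather than an incidental one.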
@@ -265,12 +265,15 @@ ParseSheetResult CSSParserImpl::ParseStyleSheet(
   ParseSheetResult result = ParseSheetResult::kSucceeded;
   bool first_rule_valid = parser.ConsumeRuleList(
       stream, kTopLevelRuleList,
-      [&style_sheet, &result, allow_import_rules](StyleRuleBase* rule) {
+      [&style_sheet, &result, allow_import_rules,
+       context](StyleRuleBase* rule) {
         if (rule->IsCharsetRule())
           return;
-        if (rule->IsImportRule() && !allow_import_rules) {
-          result = ParseSheetResult::kHasUnallowedImportRule;
-          return;
+        if (rule->IsImportRule()) {
+          if (!allow_import_rules || context->IsForMarkupSanitization()) {
+            result = ParseSheetResult::kHasUnallowedImportRule;
+            return;
+          }
         }
         style_sheet->ParserAppendRule(rule);
       });
diff --git a/chromium/third_party/blink/renderer/core/dom/document.h b/chromium/third_party/blink/renderer/core/dom/document.h
index 312715d83f2..4f07178eaeb 100644
--- a/chromium/third_party/blink/renderer/core/dom/document.h
+++ b/chromium/third_party/blink/renderer/core/dom/document.h
@@ -1583,6 +1583,13 @@ class CORE_EXPORT Document : public ContainerNode,
   // applied to this document.
   void BindContentSecurityPolicy();
+  // We setup a dummy document to sanitize clipboard markup before pasting.
+  // Sets and indicates whether this is the dummy document.
+  void SetIsForMarkupSanitization(bool is_for_sanitization) {
+    is_for_markup_sanitization_ = is_for_sanitization;
+  }
+  bool IsForMarkupSanitization() const { return is_for_markup_sanitization_; }
+
   bool HasPendingJavaScriptUrlsForTest() {
     return !pending_javascript_urls_.IsEmpty();
   }
@@ -2101,6 +2108,8 @@ class CORE_EXPORT Document : public ContainerNode,
   // TODO(altimin): We should be able to remove it after we complete
   // frame:document lifetime refactoring.
   std::unique_ptr<FrameOrWorkerScheduler> detached_scheduler_;
+
+  bool is_for_markup_sanitization_ = false;
 };
 extern template class CORE_EXTERN_TEMPLATE_EXPORT Supplement<Document>;
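Review bot: The new check `context->IsForMarkupSanitization()` dereferences `context` without a null test, and the lambda now captures that raw pointer; `ParseStyleSheet`'s signature and the origin of `context` are outside the hunk, so confirm the non-null contract or guard the dereference before it becomes a new crash path. The restriction also only holds when every parse reached from the staging document goes through a context built from that document — a context created elsewhere with no document reports false and @import is allowed again, which is worth stating where the check lives. Since these nested ifs carry the whole reason for the commit, I would collapse them and record the why: `if (rule->IsImportRule() && (!allow_import_rules || context->IsForMarkupSanitization())) {` preceded by `// Never let @import load a sheet while sanitizing clipboard markup.`.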
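Review bot: The comment added above `SetIsForMarkupSanitization` in document.h ("We setup a dummy document ... Sets and indicates whether this is the dummy document.") describes the setter and getter together in one awkward sentence and never says what the flag changes. I would replace the two lines with `// True for the dummy document built to sanitize clipboard markup before pasting; CSS parsers bound to it reject @import rules so sanitization never starts a stylesheet load.` The member `is_for_markup_sanitization_` in the second hunk is default-initialised to false, so only a document that is explicitly opted in is treated as the sanitization document, which is the right default for this flag.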
diff --git a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
index 4d3a1075398..633ad1b4247 100644
--- a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
+++ b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
@@ -786,6 +786,8 @@ static Document* CreateStagingDocumentForMarkupSanitization() {
   DCHECK(document->IsHTMLDocument());
   DCHECK(document->body());
+  document->SetIsForMarkupSanitization(true);
+
   return document;
 } |
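Review bot: `document->SetIsForMarkupSanitization(true)` is placed at the end of `CreateStagingDocumentForMarkupSanitization()`, after the DCHECKs on the HTML document and its body; the start of the function is outside the hunk, so if any markup or style is parsed into the document before this line, that parsing runs with the flag still false and @import is not yet refused. Moving the call to immediately after the document is created, or documenting that nothing is parsed before the return, would make the guarantee hold for the whole lifetime of the staging document. A one-line comment on the call would also help the next reader: `// Must be set before any clipboard markup is parsed into this document.`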