From 3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 Mon Sep 17 00:00:00 2001
From: Xiaocheng Hu
Date: Wed, 27 Nov 2019 22:14:31 +0000
Subject: [Backport] CVE-2020-6391 - Insufficient validation of untrusted input in Blink (3/3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on

Disable CSS @import rules in clipboard markup sanitization

While clipboard markup is allowed to carry style sheets to style the elements to be pasted (e.g., when copying from Excel), @import rules should be disabled for security reasons.

This patch disables @import rules when sanitizing the markup in a dummy document to make sure we don't initiate any stylesheet loading during the process.

Bug: 1017871:
Change-Id: Ibf997611a0879dd9bb789619044a416e139b0e3c
Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/core/css/parser/css_parser_context.cc | 4 ++++
 .../blink/renderer/core/css/parser/css_parser_context.h | 2 ++
 .../blink/renderer/core/css/parser/css_parser_impl.cc | 11 +++++++----
 chromium/third_party/blink/renderer/core/dom/document.h | 9 +++++++++
 .../blink/renderer/core/editing/serializers/serialization.cc | 2 ++
 5 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
index 7740ac294b9..2659382232b 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.cc
@@ -254,6 +254,10 @@ bool CSSParserContext::CustomElementsV0Enabled() const {
   return RuntimeEnabledFeatures::CustomElementsV0Enabled(document_);
 }
 
+bool CSSParserContext::IsForMarkupSanitization() const {
+  return document_ && document_->IsForMarkupSanitization();
+}
+
 void CSSParserContext::Trace(blink::Visitor* visitor) {
   visitor->Trace(document_);
 }
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
index c7435d8330f..1ff90457c38 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_context.h
@@ -126,6 +126,8 @@ class CORE_EXPORT CSSParserContext
   // TODO(yoichio): Remove when CustomElementsV0 is removed. crrev.com/660759.
   bool CustomElementsV0Enabled() const;
 
+  bool IsForMarkupSanitization() const;
+
   void Trace(blink::Visitor*);
 
  private:
diff --git a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
index dd681c46f74..7eabb762d87 100644
--- a/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
+++ b/chromium/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
@@ -265,12 +265,15 @@ ParseSheetResult CSSParserImpl::ParseStyleSheet(
   ParseSheetResult result = ParseSheetResult::kSucceeded;
   bool first_rule_valid = parser.ConsumeRuleList(
       stream, kTopLevelRuleList,
-      [&style_sheet, &result, allow_import_rules](StyleRuleBase* rule) {
+      [&style_sheet, &result, allow_import_rules,
+       context](StyleRuleBase* rule) {
         if (rule->IsCharsetRule())
           return;
-        if (rule->IsImportRule() && !allow_import_rules) {
-          result = ParseSheetResult::kHasUnallowedImportRule;
-          return;
+        if (rule->IsImportRule()) {
+          if (!allow_import_rules || context->IsForMarkupSanitization()) {
+            result = ParseSheetResult::kHasUnallowedImportRule;
+            return;
+          }
         }
         style_sheet->ParserAppendRule(rule);
       });
diff --git a/chromium/third_party/blink/renderer/core/dom/document.h b/chromium/third_party/blink/renderer/core/dom/document.h
index 312715d83f2..4f07178eaeb 100644
--- a/chromium/third_party/blink/renderer/core/dom/document.h
+++ b/chromium/third_party/blink/renderer/core/dom/document.h
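Review bot: The new public accessor `IsForMarkupSanitization()` is declared without a comment, while its neighbour `CustomElementsV0Enabled()` carries one explaining its purpose. Parser code elsewhere keys security-relevant behaviour off this value, so a reader of the header should not have to find the .cc to learn that. Suggest `// True when this context's document is the staging document used to sanitize clipboard markup; @import rules are rejected while parsing for it.` above the declaration.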
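Review bot: The guard only holds when `context` carries a document: `CSSParserContext::IsForMarkupSanitization()` returns false for a null `document_`, so a sheet in the staging document that is parsed with a document-less context would still accept @import. The hunk does not show which context the sanitization path uses, and the diffstat lists no test file; a unit test that parses markup containing an `@import` rule through the sanitization path and asserts `kHasUnallowedImportRule` would pin the behaviour this backport relies on. On style, the nested ifs can be one condition: `if (rule->IsImportRule() && (!allow_import_rules || context->IsForMarkupSanitization())) {`. Capturing `context` by pointer appears safe because the lambda is consumed inside the `ConsumeRuleList` call on the lines above; `ParseStyleSheet`'s signature and the rest of its body are outside the hunk.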
@@ -1583,6 +1583,13 @@ class CORE_EXPORT Document : public ContainerNode,
   // applied to this document.
   void BindContentSecurityPolicy();
 
+  // We setup a dummy document to sanitize clipboard markup before pasting.
+  // Sets and indicates whether this is the dummy document.
+  void SetIsForMarkupSanitization(bool is_for_sanitization) {
+    is_for_markup_sanitization_ = is_for_sanitization;
+  }
+  bool IsForMarkupSanitization() const { return is_for_markup_sanitization_; }
+
   bool HasPendingJavaScriptUrlsForTest() {
     return !pending_javascript_urls_.IsEmpty();
   }
@@ -2101,6 +2108,8 @@ class CORE_EXPORT Document : public ContainerNode,
   // TODO(altimin): We should be able to remove it after we complete
   // frame:document lifetime refactoring.
   std::unique_ptr detached_scheduler_;
+
+  bool is_for_markup_sanitization_ = false;
 };
 
 extern template class CORE_EXTERN_TEMPLATE_EXPORT Supplement;
diff --git a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
index 4d3a1075398..633ad1b4247 100644
--- a/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
+++ b/chromium/third_party/blink/renderer/core/editing/serializers/serialization.cc
@@ -786,6 +786,8 @@ static Document* CreateStagingDocumentForMarkupSanitization() {
   DCHECK(document->IsHTMLDocument());
   DCHECK(document->body());
 
+  document->SetIsForMarkupSanitization(true);
+
   return document;
 }
 
-- 
cgit v1.2.1
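Review bot: The comment on the new accessors reads `// We setup a dummy document ...` — `setup` is the noun, and the second sentence describes the setter and getter jointly without saying who consumes the flag. Suggest replacing both lines with `// Set on the throw-away document that stages clipboard markup for sanitization; CSS parsing consults this flag to reject @import rules in that document.` above the setter, so the getter needs no separate comment. The flag is only ever set to true in this patch and nothing visible resets it, which is fine for a single-use staging document but worth stating if such a document could be reused. The inline initializer `= false` in the second hunk is the right default, since an otherwise-constructed Document must never report itself as a sanitization document.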
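Review bot: `document->SetIsForMarkupSanitization(true);` is placed at the very end of the factory, after the DCHECKs, so any work earlier in `CreateStagingDocumentForMarkupSanitization()` (outside the hunk) that parses style runs before the flag exists. If nothing between obtaining the document and this point feeds it CSS, that ordering requirement should be written down, e.g. `// Must be set before any markup is parsed into this document.` above the call; otherwise the call should move to immediately after the document is acquired. The function's beginning is outside the hunk, so this cannot be confirmed from the diff alone.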