From 4c5d12c41150ac34adae6095322f305fa65273eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Mon, 2 Dec 2019 16:26:15 +0100
Subject: [Backport] CVE-2019-5832
Manual backport of: Use response tainting to calculate CORS-exposed header-name list XHR uses the same-originness of the request origin and the destination URL to calculate the CORS-exposed header-name list, which leads to wrong results with redirects. Use response tainting as specced.
Bug: 959390
Change-Id: I0531847b73ced5155a898e4c4607a5dbb4825f82
Reviewed-by: Michal Klocek
---
 .../WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp | 16 +++++++++-------
 .../WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h | 1 -
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
index f3994e4e895..2add6bb5280 100644
--- a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
+++ b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
@@ -244,7 +244,6 @@ XMLHttpRequest::XMLHttpRequest(
 m_error(false),
 m_uploadEventsAllowed(true),
 m_uploadComplete(false),
- m_sameOriginRequest(true),
 m_downloadingToFile(false),
 m_responseTextOverflow(false),
 m_sendFlag(false) {}
@@ -948,7 +947,7 @@ void XMLHttpRequest::createRequest(PassRefPtr httpBody,
 }
 }
- m_sameOriginRequest = getSecurityOrigin()->canRequestNoSuborigin(m_url);
+ const bool sameOriginRequest = getSecurityOrigin()->canRequestNoSuborigin(m_url);
 // Per https://w3c.github.io/webappsec-suborigins/#security-model-opt-outs,
 // credentials are forced when credentials mode is "same-origin", the
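Review bot: The new local `sameOriginRequest` is computed from the pre-redirect `m_url` and, after this change, only drives request-time decisions (the credentials use counter, upload events, allowCredentials), while header exposure is decided elsewhere from the response; nothing at this line records that split, and a future reader may be tempted to reuse the flag for a response-side check and reintroduce the redirect bug. Add a comment above the new line, e.g. `// Same-origin-ness of the initial request URL only. Whether response headers may be exposed is decided from the response's tainting (serviceWorkerResponseType()), not from this flag, so a redirect to another origin cannot widen exposure.` createRequest begins and ends outside this hunk.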
@@ -962,14 +961,14 @@ void XMLHttpRequest::createRequest(PassRefPtr httpBody,
 SecurityOrigin::create(m_url)->isSameSchemeHostPort(
 getSecurityOrigin()));
- if (!m_sameOriginRequest && includeCredentials)
+ if (!sameOriginRequest && includeCredentials)
 UseCounter::count(&executionContext,
 UseCounter::XMLHttpRequestCrossOriginWithCredentials);
 // We also remember whether upload events should be allowed for this request
 // in case the upload listeners are added after the request is started.
 m_uploadEventsAllowed =
- m_sameOriginRequest || uploadEvents ||
+ sameOriginRequest || uploadEvents ||
 !FetchUtils::isSimpleRequest(m_method, m_requestHeaders);
 ResourceRequest request(m_url);
@@ -1010,7 +1009,7 @@ void XMLHttpRequest::createRequest(PassRefPtr httpBody,
 ResourceLoaderOptions resourceLoaderOptions;
 resourceLoaderOptions.allowCredentials =
- (m_sameOriginRequest || includeCredentials) ? AllowStoredCredentials
+ (sameOriginRequest || includeCredentials) ? AllowStoredCredentials
 : DoNotAllowStoredCredentials;
 resourceLoaderOptions.credentialsRequested =
 includeCredentials ? ClientRequestedCredentials
@@ -1370,7 +1369,8 @@ String XMLHttpRequest::getAllResponseHeaders() const {
 !getSecurityOrigin()->canLoadLocalResources())
 continue;
- if (!m_sameOriginRequest &&
+ if (m_response.serviceWorkerResponseType() ==
+ WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS &&
 !isOnAccessControlResponseHeaderWhitelist(it->key) &&
 !accessControlExposeHeaderSet.contains(it->key))
 continue;
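Review bot: In getAllResponseHeaders the exposure filter now runs only when `m_response.serviceWorkerResponseType()` equals `WebServiceWorkerResponseTypeCORS`, so every cross-origin response — including ones never intercepted by a service worker and ones that became cross-origin through a redirect — must carry that tainting or the `continue` is skipped and non-safelisted headers are returned, the inverse of the failure this commit fixes; the hunk does not show where the loader assigns the type, so this is an invariant to confirm on the non-service-worker path and to pin with a redirect test. The same predicate is duplicated verbatim in getResponseHeader (the next hunk); a `private` helper such as `bool isCorsTaintedResponse() const { return m_response.serviceWorkerResponseType() == WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS; }` with a one-line comment stating that this is the response-tainting check used instead of request-time same-origin-ness would keep the two call sites from drifting apart. getAllResponseHeaders starts outside this hunk.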
@@ -1402,7 +1402,9 @@ const AtomicString& XMLHttpRequest::getResponseHeader(
 HTTPHeaderSet accessControlExposeHeaderSet;
 extractCorsExposedHeaderNamesList(m_response, accessControlExposeHeaderSet);
- if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name) &&
+ if (m_response.serviceWorkerResponseType() ==
+ WebServiceWorkerResponseType::WebServiceWorkerResponseTypeCORS &&
+ !isOnAccessControlResponseHeaderWhitelist(name) &&
 !accessControlExposeHeaderSet.contains(name)) {
 logConsoleError(getExecutionContext(),
 "Refused to get unsafe header \"" + name + "\"");
diff --git a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
index 5fb689cef0e..93dde08206d 100644
--- a/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
+++ b/chromium/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
@@ -338,7 +338,6 @@ class XMLHttpRequest final : public XMLHttpRequestEventTarget,
 bool m_error;
 bool m_uploadEventsAllowed;
 bool m_uploadComplete;
- bool m_sameOriginRequest;
 // True iff the ongoing resource loading is using the downloadToFile
 // option.
 bool m_downloadingToFile;
--
cgit v1.2.1