From 80029e447371aa473ac524177cc0667742e93ee2 Mon Sep 17 00:00:00 2001
From: Dominic Battre
Date: Fri, 3 Jan 2020 20:01:10 +0000
Subject: [Backport] CVE-2020-6393 - Insufficient policy enforcement in Blink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed https://chromium-review.googlesource.com/c/chromium/src/+/1972849 https://chromium-review.googlesource.com/c/chromium/src/+/1986791: Override scroll{Width,Height} in suggest state We have added input::-internal-input-suggested, textarea::-internal-input-suggested { font: -webkit-small-control !important; } to html.css to prevent that the scrollWidth/scrollHeight attributes of an input element disclose information about autofill content that is in suggest (preview) state. This CL mocks out the scrollWidth/scrollHeight values in preview state and may allow us to disable the font overriding again.

TBR=kojii@chromium.org

(cherry picked from commit 39f06061af8da287363cba093071ec348ef642c2)

Bug: 1035058
Change-Id: Ib7b56127f780a19672beb61e4b760a13e3f260cd
Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/core/html/resources/html.css | 5 +++++
 .../core/layout/layout_text_control_multi_line.cc | 16 ++++++++++++++++
 .../core/layout/layout_text_control_multi_line.h | 3 +++
 .../core/layout/layout_text_control_single_line.cc | 10 ++++++++++
 4 files changed, 34 insertions(+)

diff --git a/chromium/third_party/blink/renderer/core/html/resources/html.css b/chromium/third_party/blink/renderer/core/html/resources/html.css
index 5c5b6501fe4..00d87abffa1 100644
--- a/chromium/third_party/blink/renderer/core/html/resources/html.css
+++ b/chromium/third_party/blink/renderer/core/html/resources/html.css
@@ -533,6 +533,11 @@ input::-internal-input-suggested {
 input::-internal-input-suggested,
 textarea::-internal-input-suggested {
   font: -webkit-small-control !important;
+  /* Prevent that overflow affects the scrollable area. Without this,
+     LayoutBox::*Scroll{Height,Width}() may determine the scroll width/height
+     from the scrollable area instead of from the overrides in
+     LayoutTextControl{Single,Multi}Line::Scroll{Height,Width}(). */
+  overflow: hidden !important;
 }
 
 input[type="password" i] {
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
index ef3a634471d..33ec87c2d86 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.cc
@@ -108,4 +108,20 @@ LayoutObject* LayoutTextControlMultiLine::LayoutSpecialExcludedChild(
   return placeholder_layout_object;
 }
 
+LayoutUnit LayoutTextControlMultiLine::ScrollWidth() const {
+  // If in preview state, fake the scroll width to prevent that any information
+  // about the suggested content can be derived from the size.
+  if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+    return ClientWidth();
+  return LayoutTextControl::ScrollWidth();
+}
+
+LayoutUnit LayoutTextControlMultiLine::ScrollHeight() const {
+  // If in preview state, fake the scroll height to prevent that any information
+  // about the suggested content can be derived from the size.
+  if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+    return ClientHeight();
+  return LayoutTextControl::ScrollHeight();
+}
+
 } // namespace blink
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
index 67401f83c24..dd9325d1250 100644
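Review bot: The new comment explains the layout mechanism but not what the rule protects, and the diffstat shows no test accompanying the change, so a later cleanup of the `font:` override that the commit message contemplates could drop `overflow: hidden !important;` with nothing failing. Suggest naming the tracking id in the comment, e.g. `/* Part of the autofill-preview size-disclosure fix (Bug 1035058). Prevent that overflow affects the scrollable area. ... */`, and adding a web test that asserts scrollWidth/scrollHeight equal clientWidth/clientHeight for both an input and a textarea while a suggested value is set. Whether an overflow:hidden box in this engine still owns a scrollable area is not visible here; the comment's "may determine" wording suggests the authors were unsure as well, which is another reason to pin the behaviour with a test.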
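Review bot: The preview-state test `!GetTextControlElement()->SuggestedValue().IsEmpty()` is written out four times — here in ScrollWidth() and ScrollHeight(), and again in both overrides in layout_text_control_single_line.cc — so the next size-derived getter that needs the same guard can easily miss it or drift. A single helper on the shared base, e.g. `bool LayoutTextControl::IsInSuggestedState() const { return !GetTextControlElement()->SuggestedValue().IsEmpty(); }` (name is a suggestion), called from all four sites would keep the policy in one place. The comment on each override could also say why ClientWidth()/ClientHeight() is the stand-in: it is what a non-overflowing field reports, so a previewed field becomes indistinguishable from one whose content fits. Whether GetTextControlElement() can be null for a live layout object is not visible in this hunk; the existing base-class callers presumably establish that it cannot.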
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_multi_line.h
@@ -62,6 +62,9 @@ class LayoutTextControlMultiLine final : public LayoutTextControl {
 
   LayoutObject* LayoutSpecialExcludedChild(bool relayout_children,
                                            SubtreeLayoutScope&) override;
+
+  LayoutUnit ScrollWidth() const override;
+  LayoutUnit ScrollHeight() const override;
 };
 
 DEFINE_LAYOUT_OBJECT_TYPE_CASTS(LayoutTextControlMultiLine, IsTextArea());
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc b/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
index 135c0ce4703..2e5726c3993 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
+++ b/chromium/third_party/blink/renderer/core/layout/layout_text_control_single_line.cc
@@ -276,6 +276,11 @@ void LayoutTextControlSingleLine::Autoscroll(const PhysicalOffset& position) {
 }
 
 LayoutUnit LayoutTextControlSingleLine::ScrollWidth() const {
+  // If in preview state, fake the scroll width to prevent that any information
+  // about the suggested content can be derived from the size.
+  if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+    return ClientWidth();
+
   if (LayoutBox* inner = InnerEditorElement() ? InnerEditorElement()->GetLayoutBox() : nullptr) {
@@ -288,6 +293,11 @@ LayoutUnit LayoutTextControlSingleLine::ScrollWidth() const {
 }
 
 LayoutUnit LayoutTextControlSingleLine::ScrollHeight() const {
+  // If in preview state, fake the scroll height to prevent that any information
+  // about the suggested content can be derived from the size.
+  if (!GetTextControlElement()->SuggestedValue().IsEmpty())
+    return ClientHeight();
+
   if (LayoutBox* inner = InnerEditorElement() ? InnerEditorElement()->GetLayoutBox() : nullptr) {
-- 
cgit v1.2.1
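Review bot: The two new declarations carry no comment, and nothing in the header tells a reader that they exist for an information-disclosure reason rather than for layout correctness, so a future refactor of the scroll geometry could remove them as redundant. A one-line note above `LayoutUnit ScrollWidth() const override;` such as `// Report the client size while an autofill suggestion is previewed so that scrollWidth/scrollHeight do not reveal the suggested content's extent (Bug 1035058).` keeps the intent visible where the override is declared. The class body continues outside the hunk.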
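Review bot: The early return covers only what these two virtuals report, while the inner editor's layout box that the lines below read from is presumably also the box whose scroll offset a script can set and read back, and nothing in this hunk shows that the maximum programmatic offset is clamped against the overridden values rather than against the scrollable area's own contents size. That is inference rather than something visible here, so the defensive step is a web test that assigns a large scrollLeft/scrollTop to a previewed field and asserts the read-back offset equals that of an empty field; if the two differ, the same preview guard is needed on the offset path as well. ScrollWidth() continues past the hunk, and the same observation applies to the ScrollHeight() hunk that follows.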