From 9df23a4c06e64a0f35fe5541e5542ccec9dad170 Mon Sep 17 00:00:00 2001
From: Clark DuVall
Date: Wed, 15 Jan 2020 13:41:02 +0100
Subject: [Backport] CVE-2019-13754: Insufficient policy enforcement in extensions. (3/3) Manual backport of patch: Change WebRequest proxy redirect logic to match NavigationURLLoaderImpl The safe redirect checking logic in NavigationURLLoaderImpl was changed in http://crrev.com/c/1779310 to remove the check for web accessible extensions resources. There was similar logic in the WebRequest proxy that should be removed to match. This was causing the network_service_web_request_proxy_browser_tests to fail on the Mojo Linux bot. These tests run with a WebRequest proxy forced on to test the logic: https://ci.chromium.org/p/chromium/builders/ci/Mojo%20Linux/40022
Bug: 442579
Change-Id: Ifb90d3e5478faec1956877f7fe683e306f7664d3
Reviewed-by: Michal Klocek
---
 .../api/web_request/web_request_proxying_url_loader_factory.cc | 10 +++++++---
 .../api/web_request/web_request_proxying_url_loader_factory.h | 4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
index dc342974f9c..efe0bf7cd33 100644
--- a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
+++ b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
@@ -278,7 +278,8 @@ void WebRequestProxyingURLLoaderFactory::InProgressRequest::OnReceiveRedirect(
 const net::RedirectInfo& redirect_info,
 const network::ResourceResponseHead& head) {
 if (redirect_url_ != redirect_info.new_url &&
- !IsRedirectSafe(request_.url, redirect_info.new_url)) {
+ !IsRedirectSafe(request_.url, redirect_info.new_url,
+ info_->is_navigation_request)) {
 OnRequestError(
 network::URLLoaderCompletionStatus(net::ERR_UNSAFE_REDIRECT));
 return;
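Review bot: The new third argument `info_->is_navigation_request` now decides whether the extension-resource check in IsRedirectSafe() runs at all, so the call site should make clear where that flag comes from. Nothing in the hunk shows how `info_` is populated; if the value could be influenced by the process that issued the request rather than fixed by the browser when the request is created, a subresource load could be treated as a navigation and skip the check. Once that is confirmed, I would record it next to the call, e.g. `// is_navigation_request is set browser-side at request creation; see IsRedirectSafe().` OnReceiveRedirect starts and ends outside the hunk.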
@@ -829,8 +830,11 @@ void WebRequestProxyingURLLoaderFactory::InProgressRequest::OnRequestError(
 // Determines whether it is safe to redirect from |from_url| to |to_url|.
 bool WebRequestProxyingURLLoaderFactory::InProgressRequest::IsRedirectSafe(
 const GURL& from_url,
- const GURL& to_url) {
- if (to_url.SchemeIs(extensions::kExtensionScheme)) {
+ const GURL& to_url,
+ bool is_navigation_request) {
+ // For navigations, non-web accessible resources will be blocked by
+ // ExtensionNavigationThrottle.
+ if (!is_navigation_request && to_url.SchemeIs(extensions::kExtensionScheme)) {
 const Extension* extension =
 ExtensionRegistry::Get(factory_->browser_context_)
 ->enabled_extensions()
diff --git a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
index ddc6a3e4ea7..dcbeee72d5a 100644
--- a/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
+++ b/chromium/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
@@ -116,7 +116,9 @@ class WebRequestProxyingURLLoaderFactory
 void HandleResponseOrRedirectHeaders(
 net::CompletionOnceCallback continuation);
 void OnRequestError(const network::URLLoaderCompletionStatus& status);
- bool IsRedirectSafe(const GURL& from_url, const GURL& to_url);
+ bool IsRedirectSafe(const GURL& from_url,
+ const GURL& to_url,
+ bool is_navigation_request);
 void HandleBeforeRequestRedirect();
 WebRequestProxyingURLLoaderFactory* const factory_;
--
cgit v1.2.1
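Review bot: With `!is_navigation_request &&` added to the condition, the extension-scheme branch of IsRedirectSafe() is skipped for every navigation redirect, so the web-accessible-resource policy for those redirects holds only if ExtensionNavigationThrottle actually runs for the navigation in this tree. Because this is a manual backport marked (3/3), it is worth confirming that the throttle and the NavigationURLLoaderImpl change this mirrors are both present here; otherwise the hunk removes the check rather than relocating it. The function comment still describes only |from_url| and |to_url|; I would add a line such as `// If |is_navigation_request|, extension URLs are not checked here; ExtensionNavigationThrottle must enforce that.` The body of IsRedirectSafe continues past the end of the hunk, so what it returns on the skipped path is not visible.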
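Review bot: Taking the flag as a bare `bool` parameter lets any future caller switch off the extension-resource check by passing `true`, although the only call visible in this patch passes the request's own `info_->is_navigation_request`. Since IsRedirectSafe() is a member of InProgressRequest, it could keep the declaration `bool IsRedirectSafe(const GURL& from_url, const GURL& to_url);` and test `!info_->is_navigation_request` inside the definition. If the three-argument form is kept to stay close to the upstream change, a comment on the declaration such as `// |is_navigation_request|: skip the extension-resource check (left to ExtensionNavigationThrottle).` would make the security effect of the flag visible in the header. The class body continues outside the hunk.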