author | Nasko Oskov <nasko@chromium.org> | 2016-10-28 16:50:38 -0700 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-03-16 14:47:54 +0000 |
commit | 2f62aa6037733692870167ed2623735356be5811 (patch) | |
tree | df21debb99fa0e683628d7fb11c6748920fdb48d | |
parent | 00c30cdbc6f847ea361e56e028853109f1dc19d4 (diff) |
[Backport] Drop navigations to NavigationEntry with invalid virtual URLs.
BUG=657720
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2452443002
Cr-Commit-Position: refs/heads/master@{#428056}
(cherry picked from commit e4ebe078840e65d673722e94f8251b334030b5e8)
Review URL: https://codereview.chromium.org/2459913003 .
Cr-Commit-Position: refs/branch-heads/2883@{#373}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}
(CVE-2016-5222)
Change-Id: I4d8c5f5dc6fc30b849166b1fe0ba499f4d8c18a3
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
-rw-r--r-- | chromium/content/browser/frame_host/navigator_impl.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/chromium/content/browser/frame_host/navigator_impl.cc b/chromium/content/browser/frame_host/navigator_impl.cc
index 2acedd76a19..1ba044c8b21 100644
--- a/chromium/content/browser/frame_host/navigator_impl.cc
+++ b/chromium/content/browser/frame_host/navigator_impl.cc
@@ -263,6 +263,16 @@ bool NavigatorImpl::NavigateToEntry(
 dest_referrer = Referrer();
 }
 
+ // Don't attempt to navigate if the virtual URL is non-empty and invalid.
+ if (frame_tree_node->IsMainFrame()) {
+ const GURL& virtual_url = entry.GetVirtualURL();
+ if (!virtual_url.is_valid() && !virtual_url.is_empty()) {
+ LOG(WARNING) << "Refusing to load for invalid virtual URL: "
+ << virtual_url.possibly_invalid_spec();
+ return false;
+ }
+ }
+
 // Don't attempt to navigate to non-empty invalid URLs.
 if (!dest_url.is_valid() && !dest_url.is_empty()) {
 LOG(WARNING) << "Refusing to load invalid URL: " |
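Review bot: The added comment in `NavigateToEntry` restates the condition but not why the check exists or why it is limited to `IsMainFrame()`, which is what a later reader needs before touching a fix tagged CVE-2016-5222 / BUG=657720. I would extend it to something like `// The virtual URL overrides the URL displayed for the main frame, so refuse the navigation rather than proceed with a non-empty one that fails to parse (crbug.com/657720).` and state explicitly whether skipping subframes is intentional. The warning also writes `possibly_invalid_spec()` of a value already known to be malformed straight into the log, as the existing `dest_url` branch below does; since that string may be influenced by page content and has no visible length bound here, consider truncating it before logging. The diffstat lists only navigator_impl.cc, so this backport carries no regression test for the rejected case; the function body starts and ends outside the hunk, so whether the early `return false` leaves any earlier state to undo cannot be checked from here.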