authorAndrey Kosyakov <caseq@chromium.org>2020-09-19 01:38:53 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-12-09 12:53:19 +0000
commit0fdd19c558ef40a277440155d18ffd0f3fdbe360 (patch)
treee4cd2acfe5fa66f406310114ae7d4da209666856
parent10cb7cc9b1103f1db3810146679477e33f0c5afa (diff)
[Backport] CVE-2020-16027: Insufficient policy enforcement in developer tools.
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2419712: Do not execute global commands on non-root targets Bug: 1116444 Change-Id: Ic50dfc144f8024870131e7586b9dce2dff591e42 Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#808635} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/devtools/protocol/page_handler.cc21
1 files changed, 20 insertions, 1 deletions
diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index a55920d878a..47f8c012923 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -72,6 +72,8 @@ constexpr int kDefaultScreenshotQuality = 80;
constexpr int kFrameRetryDelayMs = 100;
constexpr int kCaptureRetryLimit = 2;
constexpr int kMaxScreencastFramesInFlight = 2;
+constexpr char kCommandIsOnlyAvailableAtTopTarget[] =
+ "Command can only be executed on top-level targets";
std::string EncodeImage(const gfx::Image& image,
const std::string& format,
@@ -181,6 +183,17 @@ void GetMetadataFromFrame(const media::VideoFrame& frame,
root_scroll_offset->set_y(root_scroll_offset_y);
}
+template <typename ProtocolCallback>
+bool CanExecuteGlobalCommands(
+ RenderFrameHost* host,
+ const std::unique_ptr<ProtocolCallback>& callback) {
+ if (!host || !host->GetParent())
+ return true;
+ callback->sendFailure(
+ Response::Error(kCommandIsOnlyAvailableAtTopTarget));
+ return false;
+}
+
} // namespace
PageHandler::PageHandler(EmulationHandler* emulation_handler)
@@ -610,7 +623,8 @@ void PageHandler::CaptureScreenshot(
callback->sendFailure(Response::InternalError());
return;
}
-
+ if (!CanExecuteGlobalCommands(host_, callback))
+ return;
RenderWidgetHostImpl* widget_host = host_->GetRenderWidgetHost();
std::string screenshot_format = format.fromMaybe(kPng);
int screenshot_quality = quality.fromMaybe(kDefaultScreenshotQuality);
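Review bot: The guard is opt-in per command, so any PageHandler command that acts on the whole WebContents and is not touched by this backport stays callable from a child-frame target. kMaxScreencastFramesInFlight at the top of this file suggests screencast lives in this handler, and a manual backport of a larger upstream CL may have covered fewer call sites than the original. Worth cross-checking the upstream change against this file's command list and adding `if (!CanExecuteGlobalCommands(host_, callback))` / `return;` to any remaining global command. CaptureScreenshot's body starts and continues outside the hunk.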
@@ -861,6 +875,9 @@ Response PageHandler::SetDownloadBehavior(const std::string& behavior,
WebContentsImpl* web_contents = GetWebContents();
if (!web_contents)
return Response::InternalError();
+ if (host_ && host_->GetParent())
+ return Response::Error(kCommandIsOnlyAvailableAtTopTarget);
+
if (behavior == Page::SetDownloadBehavior::BehaviorEnum::Allow &&
!download_path.isJust())
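Review bot: SetDownloadBehavior re-implements the child-frame test inline as `host_ && host_->GetParent()` because the helper is shaped for callback-style commands, leaving two copies of the same policy check to drift. A synchronous companion, e.g. `Response CheckGlobalCommand(RenderFrameHost* host) { return host && host->GetParent() ? Response::Error(kCommandIsOnlyAvailableAtTopTarget) : Response::OK(); }` (assuming the older Response::OK()/isSuccess() API that this file's Response::Error usage suggests), would let both paths share one definition of "top-level". The function begins outside the hunk.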
@@ -904,6 +921,8 @@ void PageHandler::GetAppManifest(
callback->sendFailure(Response::Error("Cannot retrieve manifest"));
return;
}
+ if (!CanExecuteGlobalCommands(host_, callback))
+ return;
web_contents->GetManifestManagerHost()->RequestManifestDebugInfo(
base::BindOnce(&PageHandler::GotManifest, weak_factory_.GetWeakPtr(),
std::move(callback)));