author | Michal Klocek <michal.klocek@qt.io> | 2018-06-07 12:16:50 +0200 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2018-06-07 10:26:48 +0000 |
commit | 5a69840e18ea97c9787cf0976506ed1dfe94ad86 (patch) | |
tree | 871c6f91d9881ccafd4eb7035e59626f6950df99 | |
parent | 7f6fe4d90fb2fd831071209beebde0044d7d8858 (diff) |
[Backport] CVE-2018-6148
[M67 Merge] Fixed CSP directive value parsing accepted character range
Bug: 845961
Reviewed-on: https://chromium-review.googlesource.com/1071510
Change-Id: I5439f10c123b96057b9995dd7e8ad6672ba141f4
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 7af69e01190..1717cc51cb6 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -1839,6 +1839,10 @@ bool ContentSecurityPolicy::ShouldBypassContentSecurityPolicy(
 
 // static
 bool ContentSecurityPolicy::IsValidCSPAttr(const String& attr) {
+ // we don't allow any newline characters in the CSP attributes
+ if (attr.Contains('\n') || attr.Contains('\r'))
+ return false;
+
 ContentSecurityPolicy* policy = ContentSecurityPolicy::Create();
 policy->AddPolicyFromHeaderValue(attr,
 kContentSecurityPolicyHeaderTypeEnforce, |
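Review bot: The new guard at the top of `IsValidCSPAttr` rejects only `\n` and `\r`, and its comment does not say why line breaks are dangerous here, so a later maintainer cannot tell whether other control characters (NUL, for instance) were considered and deliberately left to the parser. I would expand the comment to something like `// Reject CR/LF before parsing: the attribute value must stay a single line wherever it is later serialized (see bug 845961).`, with the wording confirmed against the bug, since the consumer of the value is not visible in this hunk. The function body continues past the end of the hunk, so whether the parser below already flags other out-of-range characters cannot be judged from here. The commit touches only this one file; a regression test that feeds `IsValidCSPAttr` values with an embedded `\r` and an embedded `\n` and expects `false` would keep the backport from regressing silently.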