authorMichal Klocek <michal.klocek@qt.io>2018-06-07 12:16:50 +0200
committerMichal Klocek <michal.klocek@qt.io>2018-06-07 10:26:48 +0000
commit5a69840e18ea97c9787cf0976506ed1dfe94ad86 (patch)
tree871c6f91d9881ccafd4eb7035e59626f6950df99
parent7f6fe4d90fb2fd831071209beebde0044d7d8858 (diff)
[Backport] CVE-2018-6148
[M67 Merge] Fixed CSP directive value parsing accepted character range Bug: 845961 Reviewed-on: https://chromium-review.googlesource.com/1071510 Change-Id: I5439f10c123b96057b9995dd7e8ad6672ba141f4 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 7af69e01190..1717cc51cb6 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -1839,6 +1839,10 @@ bool ContentSecurityPolicy::ShouldBypassContentSecurityPolicy(
// static
bool ContentSecurityPolicy::IsValidCSPAttr(const String& attr) {
+ // we don't allow any newline characters in the CSP attributes
+ if (attr.Contains('\n') || attr.Contains('\r'))
+ return false;
+
ContentSecurityPolicy* policy = ContentSecurityPolicy::Create();
policy->AddPolicyFromHeaderValue(attr,
kContentSecurityPolicyHeaderTypeEnforce,