authorMichal Klocek <michal.klocek@qt.io>2018-12-13 17:02:48 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-03-28 08:51:25 +0000
commit8cf373773b2c5345c3e24809d0bc4df00c21ee13 (patch)
tree33e83f9c73083bba10ed1ba0f9c4f7441119bd2f
parent958b480a3c1a786d881f90d880ea40f14a193540 (diff)
[Backport] CVE-2018-18347
Don't preserve NavigationEntry for failed navigations with invalid URLs. The formatting logic may rewrite such URLs into an unsafe state. This is a first step before preventing navigations to invalid URLs entirely. Bug: 850824 Reviewed-on: https://chromium-review.googlesource.com/c/1252942 Change-Id: Ibe4d9dedaa0232d18f8dbaa93c41f008518d0fb3 Reviewed-by: Michael Brüning <michael.bruning@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/frame_host/navigator_impl.cc9
1 files changed, 7 insertions, 2 deletions
diff --git a/chromium/content/browser/frame_host/navigator_impl.cc b/chromium/content/browser/frame_host/navigator_impl.cc
index 71063d8c46b..f8313849855 100644
--- a/chromium/content/browser/frame_host/navigator_impl.cc
+++ b/chromium/content/browser/frame_host/navigator_impl.cc
@@ -1102,9 +1102,14 @@ void NavigatorImpl::DiscardPendingEntryIfNeeded(NavigationHandleImpl* handle) {
// allow the view to clear the pending entry and typed URL if the user
// requests (e.g., hitting Escape with focus in the address bar).
//
+ // Do not leave the pending entry visible if it has an invalid URL, since this
+ // might be formatted in an unexpected or unsafe way.
+ // TODO(creis): Block navigations to invalid URLs in https://crbug.com/850824.
+ //
// Note: don't touch the transient entry, since an interstitial may exist.
- bool should_preserve_entry = controller_->IsUnmodifiedBlankTab() ||
- delegate_->ShouldPreserveAbortedURLs();
+ bool should_preserve_entry = pending_entry->GetURL().is_valid() &&
+ (controller_->IsUnmodifiedBlankTab() ||
+ delegate_->ShouldPreserveAbortedURLs());
if (pending_entry != controller_->GetVisibleEntry() ||
!should_preserve_entry) {
controller_->DiscardPendingEntry(true);
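Review bot: The new condition `pending_entry->GetURL().is_valid()` dereferences `pending_entry` unconditionally, so its safety depends on a null check earlier in `DiscardPendingEntryIfNeeded`; that function begins outside this hunk, so I cannot confirm the guard is there — if `controller_->GetPendingEntry()` can be null on this path, the validity test must sit after that guard rather than in the `should_preserve_entry` initializer. The check also inspects only `GetURL()`; if the entry carries a distinct virtual URL that is what the address bar renders, it is worth confirming whether that one needs the same `is_valid()` treatment, since the stated goal is to keep an unsafely-formatted string out of the visible entry. The added comment would read more precisely if it named the consequence the CVE is about: `// An invalid URL may be formatted into a misleading address-bar string, so never keep it as the visible entry.`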