author | Michal Klocek <michal.klocek@qt.io> | 2018-12-13 17:02:48 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-03-28 08:51:25 +0000 |
commit | 8cf373773b2c5345c3e24809d0bc4df00c21ee13 (patch) | |
tree | 33e83f9c73083bba10ed1ba0f9c4f7441119bd2f | |
parent | 958b480a3c1a786d881f90d880ea40f14a193540 (diff) |
[Backport] CVE-2018-18347
Don't preserve NavigationEntry for failed navigations with invalid URLs.
The formatting logic may rewrite such URLs into an unsafe state. This
is a first step before preventing navigations to invalid URLs entirely.
Bug: 850824
Reviewed-on: https://chromium-review.googlesource.com/c/1252942
Change-Id: Ibe4d9dedaa0232d18f8dbaa93c41f008518d0fb3
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/frame_host/navigator_impl.cc | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/chromium/content/browser/frame_host/navigator_impl.cc b/chromium/content/browser/frame_host/navigator_impl.cc index 71063d8c46b..f8313849855 100644 --- a/chromium/content/browser/frame_host/navigator_impl.cc +++ b/chromium/content/browser/frame_host/navigator_impl.cc @@ -1102,9 +1102,14 @@ void NavigatorImpl::DiscardPendingEntryIfNeeded(NavigationHandleImpl* handle) { // allow the view to clear the pending entry and typed URL if the user // requests (e.g., hitting Escape with focus in the address bar). // + // Do not leave the pending entry visible if it has an invalid URL, since this + // might be formatted in an unexpected or unsafe way. + // TODO(creis): Block navigations to invalid URLs in https://crbug.com/850824. + // // Note: don't touch the transient entry, since an interstitial may exist. - bool should_preserve_entry = controller_->IsUnmodifiedBlankTab() || - delegate_->ShouldPreserveAbortedURLs(); + bool should_preserve_entry = pending_entry->GetURL().is_valid() && + (controller_->IsUnmodifiedBlankTab() || + delegate_->ShouldPreserveAbortedURLs()); if (pending_entry != controller_->GetVisibleEntry() || !should_preserve_entry) { controller_->DiscardPendingEntry(true); |
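Review bot: The new first term of `should_preserve_entry`, `pending_entry->GetURL().is_valid()`, dereferences `pending_entry` with no null check visible in this hunk. If the earlier part of `DiscardPendingEntryIfNeeded` does not already guarantee a non-null pending entry, guard it, for example `pending_entry && pending_entry->GetURL().is_valid()`. Separately, the diffstat lists only navigator_impl.cc, so the backport carries no regression test. A test that fails a navigation to an invalid URL and asserts the pending entry is discarded even when `IsUnmodifiedBlankTab()` or `ShouldPreserveAbortedURLs()` returns true would pin the behaviour the added comment describes.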