From 2f62aa6037733692870167ed2623735356be5811 Mon Sep 17 00:00:00 2001
From: Nasko Oskov
Date: Fri, 28 Oct 2016 16:50:38 -0700
Subject: [Backport] Drop navigations to NavigationEntry with invalid virtual URLs.

BUG=657720
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2452443002
Cr-Commit-Position: refs/heads/master@{#428056}
(cherry picked from commit e4ebe078840e65d673722e94f8251b334030b5e8)
Review URL: https://codereview.chromium.org/2459913003 .
Cr-Commit-Position: refs/branch-heads/2883@{#373}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}
(CVE-2016-5222)
Change-Id: I4d8c5f5dc6fc30b849166b1fe0ba499f4d8c18a3
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Alexandru Croitor
---
 chromium/content/browser/frame_host/navigator_impl.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/chromium/content/browser/frame_host/navigator_impl.cc b/chromium/content/browser/frame_host/navigator_impl.cc
index 2acedd76a19..1ba044c8b21 100644
--- a/chromium/content/browser/frame_host/navigator_impl.cc
+++ b/chromium/content/browser/frame_host/navigator_impl.cc
@@ -263,6 +263,16 @@ bool NavigatorImpl::NavigateToEntry(
 dest_referrer = Referrer();
 }
 
+ // Don't attempt to navigate if the virtual URL is non-empty and invalid.
+ if (frame_tree_node->IsMainFrame()) {
+ const GURL& virtual_url = entry.GetVirtualURL();
+ if (!virtual_url.is_valid() && !virtual_url.is_empty()) {
+ LOG(WARNING) << "Refusing to load for invalid virtual URL: "
+ << virtual_url.possibly_invalid_spec();
+ return false;
+ }
+ }
+
 // Don't attempt to navigate to non-empty invalid URLs.
 if (!dest_url.is_valid() && !dest_url.is_empty()) {
 LOG(WARNING) << "Refusing to load invalid URL: "
-- 
cgit v1.2.3
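Review bot: The comment above the new `IsMainFrame()` block restates the condition but gives no reason for the guard or for limiting it to the main frame, which is the part a later cleanup is most likely to widen or remove. The commit message ties the change to CVE-2016-5222, so the comment should record what is being protected; assuming the virtual URL is what is displayed to the user for a main-frame entry, something like `// The virtual URL is what the user is shown for a main-frame entry; an invalid one cannot be displayed faithfully, so drop the navigation (CVE-2016-5222). Subframe entries are intentionally not checked.` would do. The diffstat lists only navigator_impl.cc, so no regression test pinning the `return false` path comes with this backport, and one for a main-frame entry with a non-empty invalid virtual URL would be worth adding. NavigateToEntry begins and ends outside the hunk, so what the caller does with the dropped entry is not visible here.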