From 5a69840e18ea97c9787cf0976506ed1dfe94ad86 Mon Sep 17 00:00:00 2001
From: Michal Klocek
Date: Thu, 7 Jun 2018 12:16:50 +0200
Subject: [Backport] CVE-2018-6148 [M67 Merge] Fixed CSP directive value parsing accepted character range

Bug: 845961
Reviewed-on: https://chromium-review.googlesource.com/1071510
Change-Id: I5439f10c123b96057b9995dd7e8ad6672ba141f4
Reviewed-by: Allan Sandfeld Jensen
---
 .../WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 7af69e01190..1717cc51cb6 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -1839,6 +1839,10 @@ bool ContentSecurityPolicy::ShouldBypassContentSecurityPolicy(
 // static
 bool ContentSecurityPolicy::IsValidCSPAttr(const String& attr) {
+ // we don't allow any newline characters in the CSP attributes
+ if (attr.Contains('\n') || attr.Contains('\r'))
+ return false;
+
 ContentSecurityPolicy* policy = ContentSecurityPolicy::Create();
 policy->AddPolicyFromHeaderValue(attr, kContentSecurityPolicyHeaderTypeEnforce,
-- 
cgit v1.2.3