From 8a39f81276fe83e66bd0955cefadd620c591c3fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Br=C3=BCning?= Date: Fri, 26 Oct 2018 16:06:06 +0200 Subject: [Backport] Fix for CVE-2018-17476 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a dialog is shown, drop fullscreen. BUG=875066, 817809, 792876, 812769, 813815 TEST=included This cherry-picks the part that is applicable to Qt WebEngine Reviewed-on: https://chromium-review.googlesource.com/1185208 Reviewed-by: Sidney San Martín Commit-Queue: Avi Drissman Change-Id: I525506d427f8d8db7be6d27562757dbe9653884d Reviewed-by: Allan Sandfeld Jensen --- .../content/browser/web_contents/web_contents_impl.cc | 4 ++++ .../content/browser/web_contents/web_contents_impl.h | 2 ++ .../web_contents/web_contents_impl_browsertest.cc | 17 +++++++++++++++++ 3 files changed, 23 insertions(+) diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc index 05a6efa2535..741c7af2563 100644 --- a/chromium/content/browser/web_contents/web_contents_impl.cc +++ b/chromium/content/browser/web_contents/web_contents_impl.cc @@ -4751,6 +4751,10 @@ void WebContentsImpl::RunBeforeUnloadConfirm( void WebContentsImpl::RunFileChooser(RenderFrameHost* render_frame_host, const FileChooserParams& params) { + // Any explicit focusing of another window while this WebContents is in + // fullscreen can be used to confuse the user, so drop fullscreen. + ForSecurityDropFullscreen(); + if (delegate_) delegate_->RunFileChooser(render_frame_host, params); } diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h index a22ae338156..8a1bf2db1d5 100644 --- a/chromium/content/browser/web_contents/web_contents_impl.h +++ b/chromium/content/browser/web_contents/web_contents_impl.h 
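Review bot: The new `ForSecurityDropFullscreen()` call in RunFileChooser only ends the fullscreen state that exists at the moment the chooser is requested; the delegate's chooser is shown out of this function's control (and in Qt WebEngine is presumably asynchronous), so whether a page can re-enter fullscreen while the native file dialog is still open depends on ForSecurityDropFullscreen() also blocking re-entry, which this hunk does not show — worth confirming before relying on this as the complete fix. The call is placed before the `if (delegate_)` check, so fullscreen is dropped even when no delegate will show a chooser; that is the safe direction, but the comment should say it is deliberate rather than incidental. I would also make the comment name the actual threat instead of "another window", e.g. `// Drop fullscreen before the delegate shows the native file dialog: a dialog overlaid on attacker-controlled fullscreen content can be used to spoof browser UI (CVE-2018-17476). Done unconditionally, even with no delegate, so the state is never left stale.`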
@@ -966,6 +966,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents, DialogsFromJavaScriptEndFullscreen); FRIEND_TEST_ALL_PREFIXES(WebContentsImplBrowserTest, DialogsFromJavaScriptEndFullscreenEvenInInnerWC); + FRIEND_TEST_ALL_PREFIXES(WebContentsImplBrowserTest, + FileChooserEndsFullscreen); FRIEND_TEST_ALL_PREFIXES(WebContentsImplBrowserTest, PopupsFromJavaScriptEndFullscreen); FRIEND_TEST_ALL_PREFIXES(WebContentsImplBrowserTest, diff --git a/chromium/content/browser/web_contents/web_contents_impl_browsertest.cc b/chromium/content/browser/web_contents/web_contents_impl_browsertest.cc index be1c7378a03..98f1185a0ff 100644 --- a/chromium/content/browser/web_contents/web_contents_impl_browsertest.cc +++ b/chromium/content/browser/web_contents/web_contents_impl_browsertest.cc @@ -1644,6 +1644,23 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, top_contents->SetJavaScriptDialogManagerForTesting(nullptr); } +IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, FileChooserEndsFullscreen) { + WebContentsImpl* wc = static_cast(shell()->web_contents()); + TestWCDelegateForDialogsAndFullscreen test_delegate; + wc->SetDelegate(&test_delegate); + + GURL url("about:blank"); + EXPECT_TRUE(NavigateToURL(shell(), url)); + + wc->EnterFullscreenMode(url, blink::WebFullscreenOptions()); + EXPECT_TRUE(wc->IsFullscreenForCurrentTab()); + wc->RunFileChooser(wc->GetMainFrame(), FileChooserParams()); + EXPECT_FALSE(wc->IsFullscreenForCurrentTab()); + + wc->SetDelegate(nullptr); + wc->SetJavaScriptDialogManagerForTesting(nullptr); +} + IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, PopupsFromJavaScriptEndFullscreen) { WebContentsImpl* wc = static_cast(shell()->web_contents()); -- cgit v1.2.3
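Review bot: FileChooserEndsFullscreen checks that fullscreen is gone after `wc->RunFileChooser(wc->GetMainFrame(), FileChooserParams())` but never checks that the request still reached the delegate, so a regression that dropped fullscreen by early-returning before `delegate_->RunFileChooser` would pass; if TestWCDelegateForDialogsAndFullscreen records received chooser requests (not visible from this hunk), add an assertion on that. The neighbouring dialog test has an "EvenInInnerWC" variant, while this test only covers the outer WebContents; a guest/inner-WebContents variant would cover the case where the fullscreen state lives in the outer contents. The trailing `wc->SetJavaScriptDialogManagerForTesting(nullptr);` is copied from the dialog tests and is a no-op here, since this test installs no dialog manager — harmless, but misleading cleanup. The `static_cast(shell()->web_contents())` with no template argument looks like rendering stripped `<WebContentsImpl*>` rather than a code defect.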