author | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-02 18:49:11 +0000 |
---|---|---|
committer | inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-02 18:49:11 +0000 |
commit | de07023e1d45ca422e316460c6a0183c3648f206 (patch) | |
tree | e535cd2066eee395352e1a204ade4c6777787010 | |
parent | 6287c6f0d1da801ae02c26a4379caf5a2ead3cd7 (diff) | |
Block plugin URLRequest calls whose URL contains invalid characters (@, ;, \) between the scheme and the first / (the start of the path).
Reviewed: http://codereview.chromium.org/1540011
BUG=40016
TEST=None
Review URL: http://codereview.chromium.org/1611003
git-svn-id: svn://svn.chromium.org/chrome/branches/249/src@43504 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | webkit/glue/webplugin_impl.cc | 32 | ||||
-rw-r--r-- | webkit/glue/webplugin_impl.h | 3 |
2 files changed, 35 insertions, 0 deletions
diff --git a/webkit/glue/webplugin_impl.cc b/webkit/glue/webplugin_impl.cc
index 183d3df..d36a31d 100644
--- a/webkit/glue/webplugin_impl.cc
+++ b/webkit/glue/webplugin_impl.cc
@@ -478,6 +478,27 @@ bool WebPluginImpl::SetPostData(WebURLRequest* request,
 return rv;
 }
 
+bool WebPluginImpl::IsValidUrl(const GURL& url, Referrer referrer_flag) {
+ if (referrer_flag == PLUGIN_SRC &&
+ mime_type_ == "application/x-shockwave-flash" &&
+ url.GetOrigin() != plugin_url_.GetOrigin()) {
+ // Do url check to make sure that there are no @, ;, \ chars in between url
+ // scheme and url path.
+ const char* url_to_check(url.spec().data());
+ url_parse::Parsed parsed;
+ url_parse::ParseStandardURL(url_to_check, strlen(url_to_check), &parsed);
+ std::string string_to_search;
+ string_to_search.assign(url_to_check + parsed.scheme.end(),
+ parsed.path.begin - parsed.scheme.end());
+ if (string_to_search.find("@") != std::string::npos ||
+ string_to_search.find(";") != std::string::npos ||
+ string_to_search.find("\\") != std::string::npos)
+ return false;
+ }
+
+ return true;
+ }
+
 WebPluginImpl::RoutingStatus WebPluginImpl::RouteToFrame(
 const char* url,
 bool is_javascript_url,
@@ -521,6 +542,9 @@ WebPluginImpl::RoutingStatus WebPluginImpl::RouteToFrame(
 // Go fetch the URL.
 GURL complete_url = CompleteURL(url);
 
+ // Remove when flash bug is fixed. http://crbug.com/40016.
+ if (!WebPluginImpl::IsValidUrl(complete_url, referrer_flag))
+ return INVALID_URL;
 
 if (strcmp(method, "GET") != 0) {
 // We're only going to route HTTP/HTTPS requests
@@ -858,6 +882,10 @@ void WebPluginImpl::HandleURLRequestInternal(const char* url,
 return;
 
 GURL complete_url = CompleteURL(url);
+ // Remove when flash bug is fixed. http://crbug.com/40016.
+ if (!WebPluginImpl::IsValidUrl(complete_url, referrer_flag))
+ return;
+
 WebPluginResourceClient* resource_client = delegate_->CreateResourceClient(
 resource_id, complete_url, notify_id);
 if (!resource_client)
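Review bot: `IsValidUrl` computes `url_to_check + parsed.scheme.end()` and a length of `parsed.path.begin - parsed.scheme.end()` without checking that either component was actually found; if `url` is invalid (a `GURL` built by `CompleteURL` from a malformed plugin string, whose `spec()` is then empty as far as I recall), both components come back with `len == -1`, the length goes negative and `assign` reads outside the buffer. The preceding `GetOrigin()` comparison does not exclude that case, since an invalid URL's origin still differs from `plugin_url_`. Guard it up front with `if (!url.is_valid()) return false;` and only build `string_to_search` when `parsed.scheme.is_valid() && parsed.path.is_valid()` (or reuse `url.parsed_for_possibly_invalid_spec()` rather than re-parsing the canonical spec). Separately, the search runs on the canonicalized spec, not the string the plugin handed over, so anything GURL's canonicalizer already rewrote (a `\` in the authority, which I believe the standard-URL parser treats as a path separator) cannot be caught here; if the goal is to reject URLs that Flash parses differently from Chrome, the raw `url` at the call sites is the string to inspect, and `find('@')`/`find(';')`/`find('\\')` should use the char overloads.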
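Review bot: The added comment `// Remove when flash bug is fixed. http://crbug.com/40016.` does not say what the check protects against, so a later reader cannot tell when deleting it is safe; suggest `// Flash reportedly parses @, ; and \ in the URL authority differently from GURL (http://crbug.com/40016); block such cross-origin plugin requests until that is fixed.` Calling a non-static member as `WebPluginImpl::IsValidUrl(...)` from inside the class is unnecessary; plain `if (!IsValidUrl(complete_url, referrer_flag))` reads as the member call it is. RouteToFrame's body starts and ends outside the hunk.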
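Review bot: In HandleURLRequestInternal the new `return;` drops the request silently, whereas the call it skips passes `notify_id` to `CreateResourceClient`, which suggests the plugin expects a completion notification for this request; if the existing `if (!resource_client)` branch (the function continues outside the hunk) reports failure back to the plugin, the blocked-URL path should do the same so the plugin is not left waiting on `notify_id`. At minimum the early return deserves a comment stating that the plugin is intentionally not notified, e.g. `// Blocked URL: the plugin receives no URLNotify for this request.`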
@@ -948,6 +976,10 @@ void WebPluginImpl::InitiateHTTPRangeRequest(
 return;
 
 GURL complete_url = CompleteURL(url);
 
+ // Remove when flash bug is fixed. http://crbug.com/40016.
+ if (!WebPluginImpl::IsValidUrl(complete_url,
+ load_manually_ ? NO_REFERRER : PLUGIN_SRC))
+ return;
 WebPluginResourceClient* resource_client =
 delegate_->CreateSeekableResourceClient(resource_id, range_request_id);
diff --git a/webkit/glue/webplugin_impl.h b/webkit/glue/webplugin_impl.h
index be0b55a..7e2cea6 100644
--- a/webkit/glue/webplugin_impl.h
+++ b/webkit/glue/webplugin_impl.h
@@ -251,6 +251,9 @@ class WebPluginImpl : public WebPlugin,
 // Helper function to set the referrer on the request passed in.
 void SetReferrer(WebKit::WebURLRequest* request, Referrer referrer_flag);
 
+ // Check for invalid chars like @, ;, \ before the first / (in path).
+ bool IsValidUrl(const GURL& url, Referrer referrer_flag);
+
 std::vector<ClientInfo> clients_;
 
 bool windowless_; |
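Review bot: In InitiateHTTPRangeRequest the referrer flag is synthesized as `load_manually_ ? NO_REFERRER : PLUGIN_SRC`, which means the check is skipped entirely whenever `load_manually_` is set, and nothing in the hunk says why a range request is classified that way while the other two call sites pass the caller's actual `referrer_flag`. If the reasoning is that a browser-loaded stream is not plugin-initiated, say so next to the call: `// Range requests re-fetch the plugin's own stream; treat them as PLUGIN_SRC unless the browser loaded it (load_manually_), in which case the URL was never plugin-supplied.` If that is not the reasoning, the check should probably run with PLUGIN_SRC unconditionally. InitiateHTTPRangeRequest's body starts and ends outside the hunk.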
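Review bot: The header comment `// Check for invalid chars like @, ;, \ before the first / (in path).` understates the contract: the definition in the .cc diff only performs the search for cross-origin requests when `referrer_flag == PLUGIN_SRC` and the plugin is Flash, and returns true for everything else. Suggest `// Returns false for cross-origin Flash requests with referrer_flag == PLUGIN_SRC whose URL has @, ; or \ between the scheme and the path (http://crbug.com/40016); true otherwise.` As far as the .cc hunk shows, the method only reads `mime_type_` and `plugin_url_`, so declaring it `bool IsValidUrl(const GURL& url, Referrer referrer_flag) const;` would document that it has no side effects.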