author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-01-08 00:08:22 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-01-08 00:08:22 +0000 |
commit | 7bd904b2052fe21762ae7cd2ee70e829eb5524e0 (patch) | |
tree | 5d305c7bf13d460695b31fce7f600110d5ec0721 /chrome | |
parent | ba3ccd34fe2a47f1fe58126dc482c1b43ed00361 (diff) | |
Avoid accepting suspiciously long URLs from the renderer. These can take down
the browser with OOM.
BUG=20233
TEST=NONE
Review URL: http://codereview.chromium.org/523088
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35757 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/common/chrome_constants.cc | 1 | ||||
-rw-r--r-- | chrome/common/chrome_constants.h | 6 | ||||
-rw-r--r-- | chrome/common/common_param_traits.cc | 3 |
3 files changed, 8 insertions, 2 deletions
diff --git a/chrome/common/chrome_constants.cc b/chrome/common/chrome_constants.cc
index 1b85a19..c75ab65 100644
--- a/chrome/common/chrome_constants.cc
+++ b/chrome/common/chrome_constants.cc
@@ -116,6 +116,7 @@ const int kStatsMaxThreads = 32;
 const int kStatsMaxCounters = 300;
 const size_t kMaxTitleChars = 4 * 1024;
+const size_t kMaxURLChars = 10 * 1024 * 1024;
 // We don't enable record mode in the released product because users could
 // potentially be tricked into running a product in record mode without
diff --git a/chrome/common/chrome_constants.h b/chrome/common/chrome_constants.h
index ea79fd8..c8121d0 100644
--- a/chrome/common/chrome_constants.h
+++ b/chrome/common/chrome_constants.h
@@ -67,8 +67,12 @@ extern const int kStatsMaxThreads;
 extern const int kStatsMaxCounters;
 // The maximum number of characters of the document's title that we're willing
-// to send to the browser process.
+// to accept in the browser process.
 extern const size_t kMaxTitleChars;
+// The maximum number of characters in the URL that we're willing to accept
+// in the browser process. It is set low enough to avoid damage to the browser
+// but high enough that a web site can abuse location.hash for a little storage.
+extern const size_t kMaxURLChars;
 extern const bool kRecordModeEnabled;
diff --git a/chrome/common/common_param_traits.cc b/chrome/common/common_param_traits.cc
index 684337d..5e6880e3 100644
--- a/chrome/common/common_param_traits.cc
+++ b/chrome/common/common_param_traits.cc
@@ -5,6 +5,7 @@ #include "chrome/common/common_param_traits.h"
 #include "base/gfx/rect.h"
+#include "chrome/common/chrome_constants.h"
 #include "googleurl/src/gurl.h"
 #ifndef EXCLUDE_SKIA_DEPENDENCIES
 #include "third_party/skia/include/core/SkBitmap.h"
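Review bot: The new comment on `kMaxURLChars` in chrome_constants.h says "characters", but the check this commit adds in common_param_traits.cc compares the constant with `s.length()` on a `std::string`, which counts bytes of the serialized spec rather than characters. I would word it as `// The maximum length, in bytes, of a serialized URL that we're willing to accept` so the bound is not later applied to a wide-string URL with a different meaning. The definition in chrome_constants.cc (`10 * 1024 * 1024`) carries no comment of its own; a trailing `// 10 MB; see chrome_constants.h` would keep the magnitude visible at the definition. The comment also says "in the browser process", while the check lives under chrome/common and so presumably runs in every process that deserializes a GURL; that is worth confirming and stating.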
@@ -99,7 +100,7 @@ void ParamTraits<GURL>::Write(Message* m, const GURL& p) {
 bool ParamTraits<GURL>::Read(const Message* m, void** iter, GURL* p) {
 std::string s;
- if (!m->ReadString(iter, &s)) {
+ if (!m->ReadString(iter, &s) || s.length() > chrome::kMaxURLChars) {
 *p = GURL();
 return false;
 } |
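Review bot: The length test in `ParamTraits<GURL>::Read` runs only after `m->ReadString(iter, &s)` has already copied the whole string into `s`, so it keeps an oversized spec from becoming a `GURL` but does not bound the transient allocation; that presumably relies on a message-size limit in the IPC layer, which is not visible here. `Write` appears only in the hunk header, and if it does not apply the same bound a sender can serialize a URL that its receiver will always reject. I would add a comment above the condition, `// Untrusted sender: refuse over-long specs before constructing a GURL (see kMaxURLChars).`, so the reason for returning false is recorded at the check. Since the commit lists TEST=NONE, a unit test that a spec of exactly `chrome::kMaxURLChars` bytes is read and one byte more makes `Read` return false would pin the boundary. The rest of `Read` lies outside the hunk.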