author | jsbell@chromium.org <jsbell@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-20 22:51:11 +0000 |
---|---|---|
committer | jsbell@chromium.org <jsbell@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-20 22:51:11 +0000 |
commit | 37fde6a752162681ce6b62f1a96683483f2df596 (patch) | |
tree | 49a34250c972496045fa5bfb3971ebfcaab84db5 /content/child | |
parent | ca6b5d0f13f12c9accc65a683f5868fc5d3c15b0 (diff) | |
ServiceWorker: Reject overly long scope/script URLs
IPC enforces a limit on receipt, but we should check on the sending side
and reject the (un)registration promise too.
BUG=386724
R=falken@chromium.org, michaeln@chromium.org
Review URL: https://codereview.chromium.org/342163005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278850 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/child')
-rw-r--r-- | content/child/service_worker/service_worker_dispatcher.cc | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/content/child/service_worker/service_worker_dispatcher.cc b/content/child/service_worker/service_worker_dispatcher.cc
index 131b714..936f5c8 100644
--- a/content/child/service_worker/service_worker_dispatcher.cc
+++ b/content/child/service_worker/service_worker_dispatcher.cc
@@ -14,6 +14,7 @@
 #include "content/child/thread_safe_sender.h"
 #include "content/child/webmessageportchannel_impl.h"
 #include "content/common/service_worker/service_worker_messages.h"
+#include "content/public/common/url_utils.h"
 #include "third_party/WebKit/public/platform/WebServiceWorkerProviderClient.h"
 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
 
@@ -78,6 +79,17 @@ void ServiceWorkerDispatcher::RegisterServiceWorker(
 const GURL& script_url,
 WebServiceWorkerProvider::WebServiceWorkerCallbacks* callbacks) {
 DCHECK(callbacks);
+
+ if (pattern.possibly_invalid_spec().size() > GetMaxURLChars() ||
+ script_url.possibly_invalid_spec().size() > GetMaxURLChars()) {
+ scoped_ptr<WebServiceWorkerProvider::WebServiceWorkerCallbacks>
+ owned_callbacks(callbacks);
+ scoped_ptr<WebServiceWorkerError> error(new WebServiceWorkerError(
+ WebServiceWorkerError::ErrorTypeSecurity, "URL too long"));
+ callbacks->onError(error.release());
+ return;
+ }
+
 int request_id = pending_callbacks_.Add(callbacks);
 thread_safe_sender_->Send(new ServiceWorkerHostMsg_RegisterServiceWorker(
 CurrentWorkerId(), request_id, provider_id, pattern, script_url));
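Review bot: The early-return branch added to RegisterServiceWorker says nothing about why `owned_callbacks` exists, nor that this length check is not the enforcement point. On the normal path the callbacks object is passed to `pending_callbacks_.Add()`, which presumably takes ownership, whereas here the `scoped_ptr` exists only to delete it after the error is reported; I would add `// Never added to pending_callbacks_ on this path, so delete it here once onError has run.` above it and call `owned_callbacks->onError(error.release());` rather than going through the raw pointer. Because this file runs in the child process, a second comment such as `// Sender-side check so the promise is rejected; the IPC limit on receipt remains the authoritative one.` would keep a later reader from treating it as a security boundary. The same block is repeated in the UnregisterServiceWorker hunk (`@@ -88,6 +100,16 @@`), so both could share one small helper that reports the "URL too long" error. The function signature starts above the hunk, so the ownership contract of `callbacks` is not visible here.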
@@ -88,6 +100,16 @@ void ServiceWorkerDispatcher::UnregisterServiceWorker(
 const GURL& pattern,
 WebServiceWorkerProvider::WebServiceWorkerCallbacks* callbacks) {
 DCHECK(callbacks);
+
+ if (pattern.possibly_invalid_spec().size() > GetMaxURLChars()) {
+ scoped_ptr<WebServiceWorkerProvider::WebServiceWorkerCallbacks>
+ owned_callbacks(callbacks);
+ scoped_ptr<WebServiceWorkerError> error(new WebServiceWorkerError(
+ WebServiceWorkerError::ErrorTypeSecurity, "URL too long"));
+ callbacks->onError(error.release());
+ return;
+ }
+
 int request_id = pending_callbacks_.Add(callbacks);
 thread_safe_sender_->Send(new ServiceWorkerHostMsg_UnregisterServiceWorker(
 CurrentWorkerId(), request_id, provider_id, pattern));
@@ -215,7 +237,7 @@ void ServiceWorkerDispatcher::OnRegistrationError(
 if (!callbacks)
 return;
 
- scoped_ptr<WebServiceWorkerError> error(
+ scoped_ptr<WebServiceWorkerError> error(
 new WebServiceWorkerError(error_type, message));
 callbacks->onError(error.release());
 pending_callbacks_.Remove(request_id); |