diff options
| author | rob@robwu.nl <rob@robwu.nl@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-19 23:48:22 +0000 |
|---|---|---|
| committer | rob@robwu.nl <rob@robwu.nl@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-19 23:50:05 +0000 |
| commit | 30f0f606ce6b03f865ae2792ca0ca2498e49092a (patch) | |
| tree | 0ea8ba3c4b32a18e3d375407db91f687ffe983e0 /extensions/common/csp_validator.cc | |
| parent | 04caf73c3a5edfd8d10d07e29c7e77a932fdd882 (diff) | |
| download | chromium_src-30f0f606ce6b03f865ae2792ca0ca2498e49092a.zip chromium_src-30f0f606ce6b03f865ae2792ca0ca2498e49092a.tar.gz chromium_src-30f0f606ce6b03f865ae2792ca0ca2498e49092a.tar.bz2 | |
Disallow non-subdomain wildcards such as https:// and https://*.com wildcard
patterns in the extension's Content Security policy and update the documentation
to clarify the constraints of the CSP.
BUG=404295
Review URL: https://codereview.chromium.org/481643002
Cr-Commit-Position: refs/heads/master@{#290699}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@290699 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'extensions/common/csp_validator.cc')
| -rw-r--r-- | extensions/common/csp_validator.cc | 91 |
1 files changed, 65 insertions, 26 deletions
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc index d19c7f2..fc3f541 100644 --- a/extensions/common/csp_validator.cc +++ b/extensions/common/csp_validator.cc @@ -11,6 +11,7 @@ #include "base/strings/string_util.h" #include "content/public/common/url_constants.h" #include "extensions/common/constants.h" +#include "net/base/registry_controlled_domains/registry_controlled_domain.h" namespace extensions { @@ -38,30 +39,68 @@ struct DirectiveStatus { bool is_secure; }; +// Returns whether |url| starts with |scheme_and_separator| and does not have a +// too permissive wildcard host name. If |should_check_rcd| is true, then the +// Public suffix list is used to exclude wildcard TLDs such as "https://*.org". +bool isNonWildcardTLD(const std::string& url, + const std::string& scheme_and_separator, + bool should_check_rcd) { + if (!StartsWithASCII(url, scheme_and_separator, true)) + return false; + + size_t start_of_host = scheme_and_separator.length(); + + size_t end_of_host = url.find("/", start_of_host); + if (end_of_host == std::string::npos) + end_of_host = url.size(); + + // Note: It is sufficient to only compare the first character against '*' + // because the CSP only allows wildcards at the start of a directive, see + // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax + bool is_wildcard_subdomain = end_of_host > start_of_host + 2 && + url[start_of_host] == '*' && url[start_of_host + 1] == '.'; + if (is_wildcard_subdomain) + start_of_host += 2; + + size_t start_of_port = url.rfind(":", end_of_host); + // The ":" check at the end of the following condition is used to avoid + // treating the last part of an IPv6 address as a port. + if (start_of_port > start_of_host && url[start_of_port - 1] != ':') { + bool is_valid_port = false; + // Do a quick sanity check. The following check could mistakenly flag + // ":123456" or ":****" as valid, but that does not matter because the + // relaxing CSP directive will just be ignored by Blink. + for (size_t i = start_of_port + 1; i < end_of_host; ++i) { + is_valid_port = IsAsciiDigit(url[i]) || url[i] == '*'; + if (!is_valid_port) + break; + } + if (is_valid_port) + end_of_host = start_of_port; + } + + std::string host(url, start_of_host, end_of_host - start_of_host); + // Global wildcards are not allowed. + if (host.empty() || host.find("*") != std::string::npos) + return false; + + if (!is_wildcard_subdomain || !should_check_rcd) + return true; + + // Wildcards on subdomains of a TLD are not allowed. + size_t registry_length = net::registry_controlled_domains::GetRegistryLength( + host, + net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, + net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); + return registry_length != 0; +} + bool HasOnlySecureTokens(base::StringTokenizer& tokenizer, Manifest::Type type) { while (tokenizer.GetNext()) { std::string source = tokenizer.token(); base::StringToLowerASCII(&source); - // Don't alow whitelisting of all hosts. This boils down to: - // 1. Maximum of 2 '*' characters. - // 2. Each '*' is either followed by a '.' or preceded by a ':' - int wildcards = 0; - size_t length = source.length(); - for (size_t i = 0; i < length; ++i) { - if (source[i] == L'*') { - wildcards++; - if (wildcards > 2) - return false; - - bool isWildcardPort = i > 0 && source[i - 1] == L':'; - bool isWildcardSubdomain = i + 1 < length && source[i + 1] == L'.'; - if (!isWildcardPort && !isWildcardSubdomain) - return false; - } - } - // We might need to relax this whitelist over time. if (source == "'self'" || source == "'none'" || @@ -69,14 +108,14 @@ bool HasOnlySecureTokens(base::StringTokenizer& tokenizer, LowerCaseEqualsASCII(source, "blob:") || LowerCaseEqualsASCII(source, "filesystem:") || LowerCaseEqualsASCII(source, "http://localhost") || - StartsWithASCII(source, "http://127.0.0.1:", false) || - StartsWithASCII(source, "http://localhost:", false) || - StartsWithASCII(source, "https://", true) || - StartsWithASCII(source, "chrome://", true) || - StartsWithASCII(source, - std::string(extensions::kExtensionScheme) + - url::kStandardSchemeSeparator, - true) || + StartsWithASCII(source, "http://127.0.0.1:", true) || + StartsWithASCII(source, "http://localhost:", true) || + isNonWildcardTLD(source, "https://", true) || + isNonWildcardTLD(source, "chrome://", false) || + isNonWildcardTLD(source, + std::string(extensions::kExtensionScheme) + + url::kStandardSchemeSeparator, + false) || StartsWithASCII(source, "chrome-extension-resource:", true)) { continue; } |