summaryrefslogtreecommitdiffstats
path: root/chrome/browser
diff options
context:
space:
mode:
Diffstat (limited to 'chrome/browser')
-rw-r--r--chrome/browser/child_process_security_policy.cc10
-rw-r--r--chrome/browser/child_process_security_policy_unittest.cc8
2 files changed, 16 insertions, 2 deletions
diff --git a/chrome/browser/child_process_security_policy.cc b/chrome/browser/child_process_security_policy.cc
index 635e0cf..7f28d31 100644
--- a/chrome/browser/child_process_security_policy.cc
+++ b/chrome/browser/child_process_security_policy.cc
@@ -302,8 +302,14 @@ bool ChildProcessSecurityPolicy::CanRequestURL(
if (url.SchemeIs(chrome::kViewSourceScheme) ||
url.SchemeIs(chrome::kPrintScheme)) {
// View-source and print URL's are allowed if the renderer is permitted
- // to request the embedded URL.
- return CanRequestURL(renderer_id, GURL(url.path()));
+ // to request the embedded URL. Careful to avoid pointless recursion.
+ GURL child_url(url.path());
+ if (child_url.SchemeIs(chrome::kPrintScheme) ||
+ (child_url.SchemeIs(chrome::kViewSourceScheme) &&
+ url.SchemeIs(chrome::kViewSourceScheme)))
+ return false;
+
+ return CanRequestURL(renderer_id, child_url);
}
if (LowerCaseEqualsASCII(url.spec(), chrome::kAboutBlankURL))
diff --git a/chrome/browser/child_process_security_policy_unittest.cc b/chrome/browser/child_process_security_policy_unittest.cc
index 6dbb5d1..ae8645b 100644
--- a/chrome/browser/child_process_security_policy_unittest.cc
+++ b/chrome/browser/child_process_security_policy_unittest.cc
@@ -173,6 +173,14 @@ TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
EXPECT_FALSE(p->CanRequestURL(kRendererID,
GURL("view-source:file:///etc/passwd")));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(p->CanRequestURL(
+ kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+ EXPECT_FALSE(p->CanRequestURL(
+ kRendererID, GURL("view-source:print:http://www.google.com/")));
+ EXPECT_TRUE(p->CanRequestURL(
+ kRendererID, GURL("print:view-source:http://www.google.com/")));
+ EXPECT_FALSE(p->CanRequestURL(kRendererID,
+ GURL("print:print:http://www.google.com/")));
p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
// View source needs to be able to request the embedded scheme.
generated by cgit v1.1 at 2025-02-02 23:58:56 +0000