From 4ebac9d38cb476ece9345363527c059bf591357b Mon Sep 17 00:00:00 2001
From: Pedro Pontes
Date: Thu, 23 Jun 2022 11:07:51 +0200
Subject: [PATCH 1/2] chore: cherry-pick 22c61cfae5d1 from chromium
---
 patches/chromium/.patches | 1 +
 .../chromium/cherry-pick-22c61cfae5d1.patch | 98 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 patches/chromium/cherry-pick-22c61cfae5d1.patch
diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index d99943b872111..33a3d49f12899 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -119,3 +119,4 @@ build_disable_print_content_analysis.patch
 feat_move_firstpartysets_to_content_browser_client.patch
 custom_protocols_plzserviceworker.patch
 posix_replace_doubleforkandexec_with_forkandspawn.patch
+cherry-pick-22c61cfae5d1.patch
diff --git a/patches/chromium/cherry-pick-22c61cfae5d1.patch b/patches/chromium/cherry-pick-22c61cfae5d1.patch
new file mode 100644
index 0000000000000..3e6bb24beb6e0
--- /dev/null
+++ b/patches/chromium/cherry-pick-22c61cfae5d1.patch
@@ -0,0 +1,98 @@
+From 22c61cfae5d1b37c773e638d342488ae11118b51 Mon Sep 17 00:00:00 2001
+From: Austin Sullivan
+Date: Thu, 12 May 2022 04:52:20 +0000
+Subject: [PATCH] FSA: Sanitize .url files
+
+Bug: 1307930
+Change-Id: I7ed3cca5942a5334ba761d269bdd8961fa9d13fe
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3638698
+Reviewed-by: Marijn Kruisselbrink
+Commit-Queue: Marijn Kruisselbrink
+Auto-Submit: Austin Sullivan
+Cr-Commit-Position: refs/heads/main@{#1002495}
+---
+
+diff --git a/content/browser/file_system_access/file_system_chooser.cc b/content/browser/file_system_access/file_system_chooser.cc
+index 4adbbe5..1608613 100644
+--- a/content/browser/file_system_access/file_system_chooser.cc
++++ b/content/browser/file_system_access/file_system_chooser.cc
+@@ -275,13 +275,15 @@
+ base::FilePath::StringType extension_lower =
+ base::ToLowerASCII(GetLastExtension(extension));
+
+- // .lnk and .scf files may be used to execute arbitrary code (see
++ // '.lnk' and '.scf' files may be used to execute arbitrary code (see
+ // https://nvd.nist.gov/vuln/detail/CVE-2010-2568 and
+- // https://crbug.com/1227995, respectively). .local files are used by Windows
+- // to determine which DLLs to load for an application.
++ // https://crbug.com/1227995, respectively). '.local' files are used by
++ // Windows to determine which DLLs to load for an application. '.url' files
++ // can be used to read arbirtary files (see https://crbug.com/1307930).
+ if ((extension_lower == FILE_PATH_LITERAL("lnk")) || + (extension_lower == FILE_PATH_LITERAL("local")) || +- (extension_lower == FILE_PATH_LITERAL("scf"))) { ++ (extension_lower == FILE_PATH_LITERAL("scf")) || ++ (extension_lower == FILE_PATH_LITERAL("url"))) { + return true; + } + +diff --git a/content/browser/file_system_access/file_system_chooser_browsertest.cc b/content/browser/file_system_access/file_system_chooser_browsertest.cc +index 9ea4db7..79dda31 100644 +--- a/content/browser/file_system_access/file_system_chooser_browsertest.cc ++++ b/content/browser/file_system_access/file_system_chooser_browsertest.cc +@@ -1556,13 +1556,21 @@ + name_infos.push_back({"not_matching.jpg", ListValueOf(".txt"), false, + "not_matching.jpg", false}); + +- // ".lnk", ".local", and ".scf" extensions should be sanitized. +- name_infos.push_back({"dangerous_extension.local", ListValueOf(".local"), +- true, "dangerous_extension.download", false}); ++ // ".lnk", ".local", ".scf", and ".url" extensions should be sanitized. + name_infos.push_back({"dangerous_extension.lnk", ListValueOf(".lnk"), true, + "dangerous_extension.download", false}); ++ name_infos.push_back({"dangerous_extension.lnk", ListValueOf(".LNK"), true, ++ "dangerous_extension.download", false}); ++ name_infos.push_back({"dangerous_extension.LNK", ListValueOf(".lnk"), true, ++ "dangerous_extension.download", false}); ++ name_infos.push_back({"dangerous_extension.LNK", ListValueOf(".LNK"), true, ++ "dangerous_extension.download", false}); ++ name_infos.push_back({"dangerous_extension.local", ListValueOf(".local"), ++ true, "dangerous_extension.download", false}); + name_infos.push_back({"dangerous_extension.scf", ListValueOf(".scf"), true, + "dangerous_extension.download", false}); ++ name_infos.push_back({"dangerous_extension.url", ListValueOf(".url"), true, ++ "dangerous_extension.download", false}); + // Compound extensions ending in a dangerous extension should be sanitized. 
+ name_infos.push_back({"dangerous_extension.png.local", ListValueOf(".local"), + true, "dangerous_extension.png.download", false}); +@@ -1570,6 +1578,8 @@ + true, "dangerous_extension.png.download", false}); + name_infos.push_back({"dangerous_extension.png.scf", ListValueOf(".scf"), + true, "dangerous_extension.png.download", false}); ++ name_infos.push_back({"dangerous_extension.png.url", ListValueOf(".url"), ++ true, "dangerous_extension.png.download", false}); + // Compound extensions not ending in a dangerous extension should not be + // sanitized. + name_infos.push_back({"dangerous_extension.local.png", ListValueOf(".png"), +@@ -1578,6 +1588,8 @@ + true, "dangerous_extension.lnk.png", true}); + name_infos.push_back({"dangerous_extension.scf.png", ListValueOf(".png"), + true, "dangerous_extension.scf.png", true}); ++ name_infos.push_back({"dangerous_extension.url.png", ListValueOf(".png"), ++ true, "dangerous_extension.url.png", true}); + // Invalid characters should be sanitized. + name_infos.push_back({R"(inv*l:d\\ch%rבאמת!a({}), + std::vector( +- {"lnk", "foo.lnk", "foo.bar.local", "text", "local", "scf"}))); ++ {"lnk", "foo.lnk", "foo.bar.local", "text", "local", "scf", "url"}))); + SyncShowDialog(std::move(accepts), /*include_accepts_all=*/false); + + ASSERT_TRUE(dialog_params.file_types); From 13af535b726a1b563d9308197c6afc94dacee7ef Mon Sep 17 00:00:00 2001 From: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Date: Thu, 23 Jun 2022 09:20:30 +0000 Subject: [PATCH 2/2] chore: update patches --- .../chromium/cherry-pick-22c61cfae5d1.patch | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/patches/chromium/cherry-pick-22c61cfae5d1.patch b/patches/chromium/cherry-pick-22c61cfae5d1.patch index 3e6bb24beb6e0..2da2d28a5d794 100644 --- a/patches/chromium/cherry-pick-22c61cfae5d1.patch +++ b/patches/chromium/cherry-pick-22c61cfae5d1.patch 
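Review bot: The `.url` rows added to the SuggestedName test use only the lower-case spelling, whereas the mixed-case rows introduced in the same hunk (`dangerous_extension.LNK`, `ListValueOf(".LNK")`) cover `lnk` alone. Because the check in file_system_chooser.cc compares `base::ToLowerASCII(GetLastExtension(extension))`, one more row such as `name_infos.push_back({"dangerous_extension.URL", ListValueOf(".url"), true, "dangerous_extension.download", false});` would pin case-insensitive handling for the newly blocked type as well. The added comment also misspells "arbitrary" as `arbirtary`. Both the patched function and the test body start and end outside the inner hunks, and since this file mirrors an upstream Chromium change, these are probably best raised upstream so the cherry-pick stays identical to its source.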
@@ -1,7 +1,7 @@ -From 22c61cfae5d1b37c773e638d342488ae11118b51 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Austin Sullivan Date: Thu, 12 May 2022 04:52:20 +0000 -Subject: [PATCH] FSA: Sanitize .url files +Subject: FSA: Sanitize .url files Bug: 1307930 Change-Id: I7ed3cca5942a5334ba761d269bdd8961fa9d13fe @@ -10,13 +10,12 @@ Reviewed-by: Marijn Kruisselbrink Commit-Queue: Marijn Kruisselbrink Auto-Submit: Austin Sullivan Cr-Commit-Position: refs/heads/main@{#1002495} ---- diff --git a/content/browser/file_system_access/file_system_chooser.cc b/content/browser/file_system_access/file_system_chooser.cc -index 4adbbe5..1608613 100644 +index f8cd9d51222c70166a82cdd6dd4b7d0c24970606..8c38f004109aa967e1e5439a17dc35d3013e8ecf 100644 --- a/content/browser/file_system_access/file_system_chooser.cc +++ b/content/browser/file_system_access/file_system_chooser.cc -@@ -275,13 +275,15 @@ +@@ -275,13 +275,15 @@ bool FileSystemChooser::IsShellIntegratedExtension( base::FilePath::StringType extension_lower = base::ToLowerASCII(GetLastExtension(extension)); @@ -37,10 +36,10 @@ index 4adbbe5..1608613 100644 } diff --git a/content/browser/file_system_access/file_system_chooser_browsertest.cc b/content/browser/file_system_access/file_system_chooser_browsertest.cc -index 9ea4db7..79dda31 100644 +index 9ea4db7807f6bbac799452fd138848b2a650d6fd..79dda31bd228e785d54e5486bb4417a75ee62b3a 100644 --- a/content/browser/file_system_access/file_system_chooser_browsertest.cc +++ b/content/browser/file_system_access/file_system_chooser_browsertest.cc -@@ -1556,13 +1556,21 @@ +@@ -1556,13 +1556,21 @@ IN_PROC_BROWSER_TEST_F(FileSystemChooserBrowserTest, SuggestedName) { name_infos.push_back({"not_matching.jpg", ListValueOf(".txt"), false, "not_matching.jpg", false}); 
@@ -65,7 +64,7 @@ index 9ea4db7..79dda31 100644 // Compound extensions ending in a dangerous extension should be sanitized. name_infos.push_back({"dangerous_extension.png.local", ListValueOf(".local"), true, "dangerous_extension.png.download", false}); -@@ -1570,6 +1578,8 @@ +@@ -1570,6 +1578,8 @@ IN_PROC_BROWSER_TEST_F(FileSystemChooserBrowserTest, SuggestedName) { true, "dangerous_extension.png.download", false}); name_infos.push_back({"dangerous_extension.png.scf", ListValueOf(".scf"), true, "dangerous_extension.png.download", false}); @@ -74,7 +73,7 @@ index 9ea4db7..79dda31 100644 // Compound extensions not ending in a dangerous extension should not be // sanitized. name_infos.push_back({"dangerous_extension.local.png", ListValueOf(".png"), -@@ -1578,6 +1588,8 @@ +@@ -1578,6 +1588,8 @@ IN_PROC_BROWSER_TEST_F(FileSystemChooserBrowserTest, SuggestedName) { true, "dangerous_extension.lnk.png", true}); name_infos.push_back({"dangerous_extension.scf.png", ListValueOf(".png"), true, "dangerous_extension.scf.png", true}); @@ -84,10 +83,10 @@ index 9ea4db7..79dda31 100644 name_infos.push_back({R"(inv*l:d\\ch%rבאמת!a({}), std::vector(