Restrict chrome.runtime.setUninstallURL to http(s)

extensions/browser/api/runtime/runtime_api.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/runtime/runtime_api.h"
 
 #include <utility>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
@@ skipping 36 matching lines @@
 const char kNoBackgroundPageError[] = "You do not have a background page.";
 const char kPageLoadError[] = "Background page failed to load.";
 const char kFailedToCreateOptionsPage[] = "Could not create an options page.";
 const char kInstallId[] = "id";
 const char kInstallReason[] = "reason";
 const char kInstallReasonChromeUpdate[] = "chrome_update";
 const char kInstallReasonUpdate[] = "update";
 const char kInstallReasonInstall[] = "install";
 const char kInstallReasonSharedModuleUpdate[] = "shared_module_update";
 const char kInstallPreviousVersion[] = "previousVersion";
-const char kInvalidUrlError[] = "Invalid URL.";
+const char kInvalidUrlError[] = "Invalid URL: \"*\".";
 const char kPlatformInfoUnavailable[] = "Platform information unavailable.";
 
 const char kUpdatesDisabledError[] = "Autoupdate is not enabled.";
 
 // A preference key storing the url loaded when an extension is uninstalled.
 const char kUninstallUrl[] = "uninstall_url";
 
 // The name of the directory to be returned by getPackageDirectoryEntry. This
 // particular value does not matter to user code, but is chosen for consistency
 // with the equivalent Pepper API.
@@ skipping 330 matching lines @@
     const std::string& extension_id,
     UninstallReason reason) {
   if (!(reason == UNINSTALL_REASON_USER_INITIATED ||
         reason == UNINSTALL_REASON_MANAGEMENT_API)) {
     return;
   }
 
   GURL uninstall_url(
       GetUninstallURL(ExtensionPrefs::Get(context), extension_id));
 
-  if (uninstall_url.is_empty())
+  if (!uninstall_url.SchemeIsHTTPOrHTTPS()) {
+    // Previous versions of Chrome allowed non-http(s) URLs to be stored in the
+    // prefs. Now they're disallowed, but the old data may still exist.
     return;
+  }
 
   RuntimeAPI::GetFactoryInstance()->Get(context)->OpenURL(uninstall_url);
 }
 
 ExtensionFunction::ResponseAction RuntimeGetBackgroundPageFunction::Run() {
   ExtensionHost* host = ProcessManager::Get(browser_context())
                             ->GetBackgroundHostForExtension(extension_id());
   if (LazyBackgroundTaskQueue::Get(browser_context())
           ->ShouldEnqueueTask(browser_context(), extension())) {
     LazyBackgroundTaskQueue::Get(browser_context())
@@ skipping 21 matching lines @@
   RuntimeAPI* api = RuntimeAPI::GetFactoryInstance()->Get(browser_context());
   return RespondNow(api->OpenOptionsPage(extension())
                         ? NoArguments()
                         : Error(kFailedToCreateOptionsPage));
 }
 
 ExtensionFunction::ResponseAction RuntimeSetUninstallURLFunction::Run() {
   std::string url_string;
   EXTENSION_FUNCTION_VALIDATE(args_->GetString(0, &url_string));
 
-  GURL url(url_string);
-  if (!url.is_valid()) {
-    return RespondNow(
-        Error(ErrorUtils::FormatErrorMessage(kInvalidUrlError, url_string)));
+  if (!url_string.empty() && !GURL(url_string).SchemeIsHTTPOrHTTPS()) {
+    return RespondNow(Error(kInvalidUrlError, url_string));
   }
   SetUninstallURL(
       ExtensionPrefs::Get(browser_context()), extension_id(), url_string);
   return RespondNow(NoArguments());
 }
 
 ExtensionFunction::ResponseAction RuntimeReloadFunction::Run() {
   RuntimeAPI::GetFactoryInstance()->Get(browser_context())->ReloadExtension(
       extension_id());
   return RespondNow(NoArguments());
@@ skipping 60 matching lines @@
   content::ChildProcessSecurityPolicy* policy =
       content::ChildProcessSecurityPolicy::GetInstance();
   policy->GrantReadFileSystem(renderer_id, filesystem_id);
   base::DictionaryValue* dict = new base::DictionaryValue();
   dict->SetString("fileSystemId", filesystem_id);
   dict->SetString("baseName", relative_path);
   return RespondNow(OneArgument(dict));
 }
 
 }  // namespace extensions