Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(7)

Issue 2527413002: Fix XSS in app launcher and remove use of unvalidated URL (Closed)

Created:
2 years, 3 months ago by robwu
Modified:
2 years, 3 months ago
Reviewers:
Dan Beam
CC:
chromium-reviews, dbeam+watch-ntp_chromium.org, arv+watch_chromium.org, ntp-dev+reviews_chromium.org, pedrosimonetti+watch_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix XSS in app launcher and remove use of unvalidated URL The third parameter of "launchApp" is only used for the webstore app, and used to append utm_source=chrome-ntp-icon to the app URL. But the launchApp handler did not validate that the URL is safe. To fix that issue, I specialize the parameter for launchApp: It now takes the source string ("chrome-ntp-icon") instead of a URL without validation. BUG=668665 TEST=Manually using test case from bug report. Also opened the app launcher and verified that clicking on the Webstore icon still leads to the same place. CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation Committed: https://crrev.com/15120efa4b9394086d687086e443f47290b5170a Cr-Commit-Position: refs/heads/master@{#434939}

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+18 lines, -14 lines) Patch
M chrome/browser/resources/ntp4/apps_page.js View 2 chunks +4 lines, -9 lines 0 comments Download
M chrome/browser/ui/webui/ntp/app_launcher_handler.cc View 5 chunks +14 lines, -5 lines 0 comments Download

Messages

Total messages: 14 (9 generated)
robwu
2 years, 3 months ago (2016-11-25 17:31:08 UTC) #5
Dan Beam
lgtm
2 years, 3 months ago (2016-11-29 06:27:21 UTC) #8
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2527413002/1
2 years, 3 months ago (2016-11-29 08:28:35 UTC) #10
commit-bot: I haz the power
Committed patchset #1 (id:1)
2 years, 3 months ago (2016-11-29 09:39:18 UTC) #12
commit-bot: I haz the power
2 years, 3 months ago (2016-11-29 09:40:53 UTC) #14
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/15120efa4b9394086d687086e443f47290b5170a
Cr-Commit-Position: refs/heads/master@{#434939}

Powered by Google App Engine
This is Rietveld 408576698