
Unified Diff: chrome/browser/ui/webui/ntp/app_launcher_handler.cc

Issue 2527413002: Fix XSS in app launcher and remove use of unvalidated URL (Closed)
Patch Set: Created 4 years, 1 month ago
Index: chrome/browser/ui/webui/ntp/app_launcher_handler.cc
diff --git a/chrome/browser/ui/webui/ntp/app_launcher_handler.cc b/chrome/browser/ui/webui/ntp/app_launcher_handler.cc
index a8c2df64327b99da934c88f7f951944c1b28fd5f..0e2b5bede13f0a449e4b3e963808aac13416d65c 100644
--- a/chrome/browser/ui/webui/ntp/app_launcher_handler.cc
+++ b/chrome/browser/ui/webui/ntp/app_launcher_handler.cc
@@ -67,6 +67,7 @@
#include "extensions/common/extension.h"
#include "extensions/common/extension_icon_set.h"
#include "extensions/common/extension_set.h"
+#include "net/base/url_util.h"
#include "ui/base/l10n/l10n_util.h"
#include "ui/base/webui/web_ui_util.h"
#include "url/gurl.h"
@@ -482,9 +483,7 @@ void AppLauncherHandler::HandleLaunchApp(const base::ListValue* args) {
CHECK(args->GetString(0, &extension_id));
double source = -1.0;
CHECK(args->GetDouble(1, &source));
- std::string url;
- if (args->GetSize() > 2)
- CHECK(args->GetString(2, &url));
+ GURL override_url;
extension_misc::AppLaunchBucket launch_bucket =
static_cast<extension_misc::AppLaunchBucket>(
@@ -511,6 +510,16 @@ void AppLauncherHandler::HandleLaunchApp(const base::ListValue* args) {
extensions::RecordAppLaunchType(launch_bucket, extension->GetType());
} else {
extensions::RecordWebStoreLaunch();
+
+ if (args->GetSize() > 2) {
+ std::string source_value;
+ CHECK(args->GetString(2, &source_value));
+ if (!source_value.empty()) {
+ override_url = net::AppendQueryParameter(
+ extensions::AppLaunchInfo::GetFullLaunchURL(extension),
+ extension_urls::kWebstoreSourceField, source_value);
+ }
+ }
}
if (disposition == WindowOpenDisposition::NEW_FOREGROUND_TAB ||
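Review bot: The added block in the web-store branch reads `source_value` from the WebUI message, but nothing records that it may only be used as a query-parameter value, so a later edit could go back to trusting a page-supplied URL. A comment above the `if (args->GetSize() > 2)` line would pin that down, e.g. `// |source_value| comes from the NTP page: append it as an escaped query value to the app's own launch URL, never parse it as a URL.` Separately, `CHECK(args->GetString(2, &source_value))` terminates the browser process when the third argument is not a string; this matches the existing CHECKs at the top of the function, but since the page was the injection target, an early return on a failed read may be the safer choice. If the set of source values the page sends is fixed (not visible here), comparing against it before calling `net::AppendQueryParameter` would tighten this further. HandleLaunchApp starts and ends outside this hunk.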
@@ -522,7 +531,7 @@ void AppLauncherHandler::HandleLaunchApp(const base::ListValue* args) {
? extensions::LAUNCH_CONTAINER_WINDOW
: extensions::LAUNCH_CONTAINER_TAB,
disposition, extensions::SOURCE_NEW_TAB_PAGE);
- params.override_url = GURL(url);
+ params.override_url = override_url;
OpenApplication(params);
} else {
// To give a more "launchy" experience when using the NTP launcher, we close
@@ -538,7 +547,7 @@ void AppLauncherHandler::HandleLaunchApp(const base::ListValue* args) {
old_contents ? WindowOpenDisposition::CURRENT_TAB
: WindowOpenDisposition::NEW_FOREGROUND_TAB,
extensions::SOURCE_NEW_TAB_PAGE);
- params.override_url = GURL(url);
+ params.override_url = override_url;
WebContents* new_contents = OpenApplication(params);
// This will also destroy the handler, so do not perform any actions after.
