Issue 639658 Security: Navigating to "chrome://" URLs via 'about:' protocol
Starred by 2 users Reported by martinzh...@gmail.com, Aug 21 2016 Back to list
Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug-Security
Steps to reproduce the problem:
1. Open the PoC.html
<a href="about:history-frame" target="x" onclick="setTimeout('d()', 2000);">Click Me</a>

Or you could visit the online PoC page:
http://115.159.58.203/chrome/poc.html

2. You will find that the Chrome iOS version opened a new window and navigated to "chrome://". On the Chrome desktop version I could not find the same behavior.

What is the expected behavior?

What went wrong?
There have been similar issues in Chrome 44.0.2403.157 stable and Chrome 49.0.2623.87.
https://bugs.chromium.org/p/chromium/issues/detail?id=528505
https://bugs.chromium.org/p/chromium/issues/detail?id=595514

But the PoC I offered above bypassed the patch imposed on the Chrome iOS version.

Did this work before? N/A 

Chrome version: 52.0.2743.84  Channel: stable
OS Version: iOS 9.3.3
Flash Version: Shockwave Flash 22.0 r0
Attachment: PoC.html (88 bytes)
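As an added example (not code from the report or from Chromium), a small policy check in Python that models the class of defect the report describes: an `about:` alias such as `about:history-frame` reaching a `chrome://` WebUI page through a DOM-opened window. The alias rewriting rule and the WebUI scheme set are simplifying assumptions, not Chromium's actual tables.

```python
from urllib.parse import urlsplit

# Schemes that address browser-internal (WebUI) pages. Assumption for this
# example; a real browser has a longer list of privileged schemes.
WEBUI_SCHEMES = {"chrome"}

# about: hosts that are ordinary documents rather than aliases for WebUI pages.
# Assumption: every other about:<host> is rewritten to chrome://<host>, which is
# how the report's about:history-frame ends up on a chrome:// page.
ABOUT_PASSTHROUGH = {"blank", "srcdoc"}


def canonicalize(url: str) -> str:
    """Rewrite about: aliases to the chrome:// page they resolve to.

    Whitespace and case are normalized first so that ' About:History-Frame '
    is not treated differently from 'about:history-frame'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "about":  # urlsplit already lower-cases the scheme
        return url.strip()
    # about: URLs are usually opaque ("about:history-frame" has no netloc), so
    # the host lives in the path; tolerate "about://history" as well.
    host = (parts.netloc or parts.path).strip("/").lower()
    if host == "" or host in ABOUT_PASSTHROUGH:
        return f"about:{host or 'blank'}"
    return f"chrome://{host}"


def is_webui(url: str) -> bool:
    """True if the URL, after alias rewriting, names a WebUI page."""
    return urlsplit(canonicalize(url)).scheme in WEBUI_SCHEMES


def allow_dom_opened_navigation(url: str) -> bool:
    """Policy for a window created by web content (window.open, target=...).

    The check runs on the canonical URL, so no alias spelling lets a
    DOM-opened window land on a WebUI page.
    """
    return not is_webui(url)
```

The key point is that the policy is evaluated after canonicalization; checking the raw string for a `chrome://` prefix is exactly what an `about:` alias slips past.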
Components: UI>Browser>Navigation
Labels: Security_Impact-Stable Security_Severity-Low
Owner: eugene...@chromium.org
Status: Assigned
+eugenebut@, since you are the owner of https://bugs.chromium.org/p/chromium/issues/detail?id=595514.
Could you help triage this issue? Please feel free to suggest another owner.
Comment 2 by creis@chromium.org, Aug 22 2016
This should probably be higher severity, as it's similar to issue 604086. That one was rated Security_Severity-Medium.
Cc: creis@chromium.org
creis@, just FYI: 604086 allowed loading a WebUI URL in the same window (and same web process). This bug allows a WebUI child window, which runs in a separate process.
Cc: jyqu...@chromium.org
Project Member Comment 5 by bugdroid1@chromium.org, Aug 23 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5bdbf8b4a257e3264644900234c1d31126394c5f

commit 5bdbf8b4a257e3264644900234c1d31126394c5f
Author: eugenebut <eugenebut@chromium.org>
Date: Tue Aug 23 21:11:29 2016

[ios] Do not allow WebUI URLs for windows open by DOM.

BUG= 639658 

Review-Url: https://codereview.chromium.org/2268053002
Cr-Commit-Position: refs/heads/master@{#413834}

[modify] https://crrev.com/5bdbf8b4a257e3264644900234c1d31126394c5f/ios/web/web_state/ui/crw_web_controller.mm

Labels: M-54
Status: Fixed
Project Member Comment 7 by sheriffbot@chromium.org, Aug 24 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Reward-topanel?
Labels: reward-topanel
Sure, we can take this to the reward panel to review. Ultimately it's up to them to determine if this qualifies for a reward. Low severity issues are usually case-by-case, and don't necessarily qualify.
Labels: Release-0-M54
Labels: CVE-2016-5193
Labels: -reward-topanel reward-unpaid reward-500
Congratulations, the panel awarded $500 for this bug.  A member of our finance team will be in touch shortly.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member Comment 16 by sheriffbot@chromium.org, Nov 30 2016
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot