Security: XSS in chrome://downloads, enables extensions to run any program |
Issue description

Chrome version: 54.0.2840.90 (stable), 55.0.2883.59 (beta), 57.0.2931.0 (Canary)

There is an XSS vulnerability in chrome://downloads that allows an extension to run a program without user interaction. The only requirement is that the user installs or upgrades to a malicious extension (this is not a difficult requirement). In fact, bug 671007 satisfies this requirement with low user interaction. Together, web pages can run arbitrary code outside Chrome with two clicks at a specific spot in a web page.

Steps to reproduce:

1. Download ext.zip, create a directory and unzip it to the directory.
2. Visit chrome://extensions, enable developer mode and load the unpacked extension.
3. Wait a little bit, observe that chrome://downloads is opened.

Now the following happens (see video):

- The PoC performs XSS in chrome://downloads
- The PoC bypasses the dangerous file check (Chrome 55+, thanks to bug 640673)
- The PoC launches an external program via the downloaded vbs script.

This exploit works because of multiple vulnerabilities:

### XSS in chrome://downloads

- innerHTML assignment at [1] using a variable from [2], created at [3]:

```js
var name = this.data.by_ext_name;
return loadTimeData.getStringF('controlledByUrl', url, name);
```

In the above code (from [3]), name is the extension name, which can have any value.

- So I can perform XSS in chrome://downloads by setting the extension name.

Proposed fix: Escape the name variable.

### CSP bypasses

I use bug 668645 to bypass the following Content-Security-Policy of chrome://downloads:

```
script-src chrome://resources 'self' 'unsafe-eval';object-src 'none';child-src 'none';
```

### Bypass safe browsing / dangerous file check

- bug 640673 removed the confirmation dialogs to simplify the download flow at chrome://downloads, assuming that the user wants to download the file when they click in the page.
- However, the C++ side does not perform further validations on this condition.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleSaveDangerous.

### Run a program outside of Chrome

- To run a program, a user should click on a button in chrome://downloads.
- Again, there is no C++-side check that the user did really click.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleOpenFile. (and maybe as a defense in depth, also in MdDownloadsDOMHandler::HandleOpenDownloadsFolder)

[1] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#244
[2] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#21
[3] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#113
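An added example (not Chromium's code and not the reporter's PoC) that models the substitution flaw described in the report: a constructed stand-in for `loadTimeData.getStringF` and the `controlledByUrl` template shows how an unescaped extension name becomes markup, beside the proposed fix of escaping the value. The template text, `getStringF`, and `escapeHtml` are assumptions, not the actual chrome://downloads strings.

```javascript
// Constructed stand-in for loadTimeData's string table. The real
// 'controlledByUrl' template text is assumed here for illustration.
const STRINGS = {
  controlledByUrl: 'Controlled by <a href="$1">$2</a>',
};

// Assumed model of loadTimeData.getStringF: substitute $1, $2, ... with
// the positional arguments. A callback is used so that '$' characters in
// the arguments are inserted literally rather than as replacement patterns.
function getStringF(id, ...args) {
  return STRINGS[id].replace(/\$(\d)/g, (_, n) => args[Number(n) - 1]);
}

// HTML-escape the five characters that change meaning inside markup,
// in both element and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the report: the extension-controlled name flows
// unchanged into a string that is later assigned to innerHTML.
function controlledByHtmlVulnerable(url, extensionName) {
  return getStringF('controlledByUrl', url, extensionName);
}

// Hardened pattern (the proposed fix): escape every untrusted value before
// it is substituted into the HTML template.
function controlledByHtmlSafe(url, extensionName) {
  return getStringF('controlledByUrl', escapeHtml(url), escapeHtml(extensionName));
}

// Reviewer's check: the only '<' characters in the output must be the two
// that belong to the template's <a>...</a>. Any extra one is injected markup.
function injectsMarkup(html) {
  return (html.match(/</g) || []).length > 2;
}

// Constructed extension name carrying a tag; a real name may be any string.
const NAME = 'Helper <b>Ext</b>';
const URL = 'chrome://extensions';
console.log(controlledByHtmlVulnerable(URL, NAME), injectsMarkup(controlledByHtmlVulnerable(URL, NAME)));
console.log(controlledByHtmlSafe(URL, NAME), injectsMarkup(controlledByHtmlSafe(URL, NAME)));
```

Escaping at the template boundary is the fix proposed in the report; setting `textContent` on a separately created element instead of building an HTML string would avoid the need to escape at all.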
Nov 25 2016
[+jochen for review too]

Patch to enforce user gesture: https://codereview.chromium.org/2535483003/

Before landing the patches, vulcanize should be run - https://cs.chromium.org/chromium/src/docs/vulcanize.md (Otherwise the changes won't make it into Chrome).

Locally I verified that either patch (after running vulcanize & compiling) breaks the exploit chain.
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f49156a6624e78d73636eb0f4113f541e599cefb

commit f49156a6624e78d73636eb0f4113f541e599cefb
Author: rob <rob@robwu.nl>
Date: Tue Nov 29 00:08:01 2016

Require user gesture for powerful download operations

BUG= 668653
TEST=Manually clicking on the open download folder works, running the test case from the bug report triggers NOTREACHED.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2535483003
Cr-Commit-Position: refs/heads/master@{#434786}

[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/resources/md_downloads/action_service.js
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/resources/md_downloads/crisper.js
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/ui/webui/md_downloads/md_downloads_dom_handler.cc
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/content/renderer/web_ui_extension.cc
Nov 29 2016
Adding a couple of labels. Thanks for contributing patches to this issue.
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6d9a7916b48581f72fda060a1210ebef7f89b229

commit 6d9a7916b48581f72fda060a1210ebef7f89b229
Author: rob <rob@robwu.nl>
Date: Tue Nov 29 23:21:10 2016

Remove XSS from chrome://downloads

BUG= 668653
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2526323004
Cr-Commit-Position: refs/heads/master@{#435104}

[modify] https://crrev.com/6d9a7916b48581f72fda060a1210ebef7f89b229/chrome/browser/resources/md_downloads/compiled_resources2.gyp
[modify] https://crrev.com/6d9a7916b48581f72fda060a1210ebef7f89b229/chrome/browser/resources/md_downloads/crisper.js
[modify] https://crrev.com/6d9a7916b48581f72fda060a1210ebef7f89b229/chrome/browser/resources/md_downloads/item.js
Nov 30 2016
[+jialiul to re-assess the severity]

This allows a full sandbox bypass, requiring nothing more than having a malicious extension installed. The video made no effort at hiding how the exploit operates, but in reality the exploit can be executed without the user noticing. Exploiting this bug is easy: buy an extension with many users, publish an update that uses this bug and profit.

Escaping the sandbox from a web page is rated as critical severity (https://www.chromium.org/developers/severity-guidelines). I think that the extension requirement is not enough mitigation to drop the severity by two levels in the class, so this should be rated Security_Severity-High.

Can I merge 6d9a7916b48581f72fda060a1210ebef7f89b229 with the first release of M-55? The patch is dead simple and cannot have undesired side effects. I verified the fix in 57.0.2937.0 on Windows (using the steps to repro from the bug). (The other patch fixes another part of the exploit chain, but if there are no other XSS issues in chrome://downloads we should be fine.)

Adding Release blocker just to make sure that this merge request is evaluated before the M-55 release.
Nov 30 2016
awhalley@ for M55 merge review (FYI: We're cutting M55 Stable RC soon).
Nov 30 2016
Yea, we're out of time for M55, though we should keep to the standard flow for this and consider a merge if we do a stable update later on.
Nov 30 2016
[Automated comment] Less than a week to go before stable on M55, we might already have a stable candidate build. Manual review required.
Nov 30 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Nov 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/deb94aef51054feb86021d2168182caf3d26886b

commit deb94aef51054feb86021d2168182caf3d26886b
Author: Rob Wu <rob@robwu.nl>
Date: Wed Nov 30 22:50:51 2016

Remove XSS from chrome://downloads

BUG= 668653
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2526323004
Cr-Commit-Position: refs/heads/master@{#435104}
(cherry picked from commit 6d9a7916b48581f72fda060a1210ebef7f89b229)

Review URL: https://codereview.chromium.org/2537893004 .

Cr-Commit-Position: refs/branch-heads/2924@{#218}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/compiled_resources2.gyp
[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/crisper.js
[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/item.js
Dec 4 2016
How about the severity re-assessment as requested in comment 7? I found a way to easily install extensions from a web page ( bug 671007 ), so this effectively means that web pages can run arbitrary code outside the sandbox with minimal user interaction (e.g. double-click in a fixed location on a web page).
Jan 23 2017
We are not planning any further M55 stable releases.
Jan 25 2017
We'll consider this for reward in conjunction with 668645.
Mar 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 26 2017
Is there any way I can view bug 671007? I'm doing research for a uni paper.
Oct 26 2017
luca.ermancio@ - added.
Apr 18 2018
Could you please add me, so that I can view bug 671007 for a university research? Same situation as luca.ermancio@.
Jun 29 2018
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Jun 29 2018
Hi Rob, the VRP panel decided to award $5,000 for this report, thanks!
Comment 1 by rob@robwu.nl, Nov 25 2016
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)