Security: chrome-devtools protocol allows to read the content of C:\ drive
Reported by
chromium...@gmail.com,
Jan 3 2017
Issue description

Chrome Version: 57.0.2970.0 canary
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
2. Navigate to the link below in chrome-dev.txt
3. Tap to go Back to chrome-devtoo...
4. Tap to go forward to the link
,
Jan 4 2017
Can you force a victim to navigate through those links without copypasting the malicious URL and clicking Back/Forward? Looks like a duplicate of issue 677858.
,
Jan 4 2017
Looks like a duplicate of issue 662859. @caseq: could you please take a look?
,
Jan 4 2017
I'm still able to repro this issue on 57.0.2971.0 Canary though issue 662859 is already fixed.
,
Jan 5 2017
Yup, not exactly a duplicate, reproduces for me :(
,
Jan 6 2017
,
Jan 10 2017
,
Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c2db881506f5709433a5bf6ed981b1bc0c860598

commit c2db881506f5709433a5bf6ed981b1bc0c860598
Author: caseq <caseq@chromium.org>
Date: Wed Jan 11 03:39:32 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindings

This also re-lands https://codereview.chromium.org/2607833002

BUG=662859, 678035
Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}

[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/test/BUILD.gn
,
Jan 11 2017
,
Jan 11 2017
Is this "sec-high" as issue 662859?
,
Jan 12 2017
,
Jan 12 2017
,
Jan 23 2017
Hi - the panel declined to reward for this given the level of user interaction, but said they would reconsider if you could show this being performed successfully by an unprivileged plugin.
,
Jan 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d6f1c251f409263302a2df863df61314418dc4b2

commit d6f1c251f409263302a2df863df61314418dc4b2
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Jan 24 03:21:21 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindings

This also re-lands https://codereview.chromium.org/2607833002

BUG=662859, 678035
Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}
(cherry picked from commit c2db881506f5709433a5bf6ed981b1bc0c860598)

Review-Url: https://codereview.chromium.org/2653783003 .
Cr-Commit-Position: refs/branch-heads/2924@{#853}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/test/BUILD.gn
,
Apr 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 22 2017
Issue 685438 has been merged into this issue.
,
Jul 28
Comment 1 by elawrence@chromium.org
, Jan 3 2017