Issue metadata
Sign in to add a comment
|
Extension names aren't sanitized when displayed in the UI |
||||||||||||||||||||||
Issue descriptionThere are several places where extension names are displayed without sanitization, including chrome://extensions, permission dialogs, console warnings etc. - RTL characters aren't handled properly: It's possible to modify the rest of the text by embedding an RTL character in the extension name or one of the permissions. - New line and whitespace characters aren't collapsed. E.g. It's possible to display an empty extension details dialog in chrome://extension by padding the extension name with new lines. Arguably, extension names should be checked by the Webstore, but it would be nice to do some sanitization on Chrome side as well.
,
Jan 27 2017
,
Feb 7 2017
It seems like, at a minimum, we could do (Python example):
name = re.sub(r"\s+", " ", name).strip()
assert len(name) > 1
,
Feb 7 2017
,
Feb 7 2017
Also relevant: bug 685750
,
Feb 21 2017
This is relevant for our security review for https://bugs.chromium.org/p/chromium/issues/detail?id=677165, is anyone able to take this on in the near future to unblock?
,
Feb 21 2017
,
Feb 21 2017
I can take this one, we probably want to address this along with crbug.com/677165 (display extension chip). Currently, RTL characters also affect the extension chip, but the chip properly strips off whitespace characters. Not sure what the right approach is for RTL characters, both in the extension chip and elsewhere. Perhaps Webstore should scan for RTL characters and reject them outright? ericdingle: Is that something we could do?
,
Feb 21 2017
Rejecting RTL seems a bit too restrictive. What about Arabic- or Hebrew-specific extensions (surely, there are some)? If you want to be strict about it, which is probably good, maybe require that the extension name be 100% LTR or RTL?
,
Apr 19 2017
,
Apr 19 2017
,
Apr 19 2017
,
Apr 21 2017
,
Oct 18 2017
I'm probably not the right owner for this bug. Catherine, I think you recently fixed bugs with extension permission strings. Could this be of interest to you?
,
Dec 9 2017
I have a CL out fixing the whitespace and new line issue. Currently I'm investigating approaches to fix the RTL character issue.
,
Dec 12 2017
,
Dec 12 2017
,
Jan 18 2018
+jshin@, just fyi in case you would like more context on the RTL CL.
,
Jan 18 2018
,
Jan 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7af24b97fe4f69e15aa03ea2334be167355257c4 commit 7af24b97fe4f69e15aa03ea2334be167355257c4 Author: Catherine Mullings <catmullings@chromium.org> Date: Tue Jan 23 18:16:11 2018 [Extensions] Sanitize extension names: collapse whitespaces and new lines Ensure new lines and multiple whitespaces are collapsed in an extension's name. Bug: 685747 Change-Id: I1ddccacbbfa6c491c9ac83e7d529a3d5871e6cd7 Reviewed-on: https://chromium-review.googlesource.com/818457 Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: catmullings <catmullings@chromium.org> Commit-Queue: catmullings <catmullings@chromium.org> Cr-Commit-Position: refs/heads/master@{#531281} [modify] https://crrev.com/7af24b97fe4f69e15aa03ea2334be167355257c4/chrome/common/extensions/extension_unittest.cc [modify] https://crrev.com/7af24b97fe4f69e15aa03ea2334be167355257c4/extensions/common/extension.cc [modify] https://crrev.com/7af24b97fe4f69e15aa03ea2334be167355257c4/extensions/common/extension.h
,
Feb 8 2018
,
Feb 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9 commit 867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9 Author: Catherine Mullings <catmullings@chromium.org> Date: Tue Feb 13 16:28:18 2018 [Extensions] Handle RTL and directional characters in extension names This CL introduces base::i18n::EnsureTerminatedDirectionalFormatting to ensure that the supplied text contains no unterminated directional formatting characters. Additionally, this CL introduces base::i18n::SanitizeUserSuppliedString which adjusts the supplied text according to the locale direction and relies on the previous method to handle unterminated directional formatting characters. The SanitizeUserSuppliedString is applied to sanitize RTL and directional characters in extension names. Bug: 685747 Change-Id: I48db3a37b8a54d5c4ca5556d56cde4c9da31abe3 Reviewed-on: https://chromium-review.googlesource.com/876522 Commit-Queue: catmullings <catmullings@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Jungshik Shin <jshin@chromium.org> Reviewed-by: Matt Giuca <mgiuca@chromium.org> Cr-Commit-Position: refs/heads/master@{#536375} [modify] https://crrev.com/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9/base/i18n/rtl.cc [modify] https://crrev.com/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9/base/i18n/rtl.h [modify] https://crrev.com/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9/base/i18n/rtl_unittest.cc [modify] https://crrev.com/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9/chrome/common/extensions/extension_unittest.cc [modify] https://crrev.com/867fbaacc16ed58d5a7c8cb682bf5fafc79d47f9/extensions/common/extension.cc
,
May 16 2018
Is there any more work to do here?
,
May 18 2018
I think this was completed.
,
May 18 2018
,
Aug 24
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mea...@chromium.org
, Jan 26 20171.1 KB
1.1 KB Download
929 bytes
929 bytes Download