New issue
Advanced search Search tips

Issue 690311 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

Can set arbitrary clipboard formats with compromised renders

Reported by mishra.d...@gmail.com, Feb 9 2017 
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Steps to reproduce the problem:
1. Open copy.html 

Copy the text and try to paste the text which is copied.
Works for me Chrome Beta Linux OS as well.

What is the expected behavior?

What went wrong?
ClipboardHostMsg_WriteObjectsAsync allows callers to pass in a Clipboard::ObjectMap of things to write. One of the keys that a render can pass is CBF_DATA. If the IPC handler sees that, then it uses the  render-supplied format type and writes the data to that format type on the clipboard.

Did this work before? N/A 

Chrome version: 56.0.2924.87 (Official Build) (64-bit)  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

Comment 1 by palmer@chromium.org, Feb 9 2017

Status: WontFix (was: Unconfirmed)
You forgot to attach copy.html. But, this sounds like a re-report of an old, fixed bug: https://bugs.chromium.org/p/chromium/issues/detail?id=352395. If you search the Chromium code, you will see that ClipboardHostMsg_WriteObjectsAsync no longer exists. Please don't re-report old bugs.
Project Member

Comment 2 by sheriffbot@chromium.org, May 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment