
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Url bar spoof

Reported by kuz...@gmail.com, Mar 31 2011

Issue description

Test chrome 12.0.712.0 dev windows xp sp3 & chromium 12.0.719.0 (79793)

1. Click "clickme"

Attachment: testcase.htm (386 bytes)

Comment 1 by jsc...@chromium.org, Mar 31 2011

Cc: darin@chromium.org a deleted user
Owner: a deleted user
@creis - Adding this to the pile. It may be a dupe of the ones you're looking at.
Labels: -Pri-0 Pri-1 SecSeverity-High OS-All Mstone-11
Status: Assigned
@inferno - I didn't confirm this before I added the CCs. Did you confirm it before assigning severity and milestone?

Comment 4 by creis@chromium.org, Apr 4 2011

I can confirm it.  It's hitting an assert in FrameLoaderClientImpl::dispatchDidStartProvisionalLoad():

    // If this load is what we expected from a client redirect, treat it as a
    // redirect from that original page. The expected redirect urls will be
    // cleared by DidCancelClientRedirect.
    bool completingClientRedirect = false;
    if (m_expectedClientRedirectSrc.isValid()) {
        // m_expectedClientRedirectDest could be something like
        // "javascript:history.go(-1)" thus we need to exclude url starts with
        // "javascript:". See bug: 1080873
        ASSERT(m_expectedClientRedirectDest.protocolIs("javascript")
            || m_expectedClientRedirectDest == url);


I'm tied up with a few other URL spoof bugs at the moment, but I'll look at it if others don't have time to.
Thanks Charlie.
Thanks Charlie for adding this to your bunch. 

Justin, yeah i did confirm it. Although i don't know if all of these are dupes or similar or whatever :)

Comment 7 by creis@chromium.org, Apr 7 2011

Cc: brettw%c...@gtempaccount.com
Status: Started
The FrameLoaderClientImpl assert is a red herring.  It's being tracked in http://webkit.org/b/44079.

The real issue here is that NavigationController was classifying the history.back() navigation as a same-page navigation, due to this check in ClassifyNavigation:
  if (pending_entry_ &&
      existing_entry != pending_entry_ &&
      pending_entry_->page_id() == -1) {
    // ...
    return NavigationType::SAME_PAGE;
  }

In this case, the pending entry does have page_id -1, but the existing entry doesn't match the page that's currently showing.  It should be straightforward to check that existing entry is the same as GetLastCommittedEntry before returning SAME_PAGE here.
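A constructed model, added here and not Chromium's own code, of the ClassifyNavigation check quoted above: the buggy rule sits beside the extra check the comment proposes (compare the committed entry against GetLastCommittedEntry before returning SAME_PAGE). The entry struct, controller and two-page history are assumptions made for illustration.

```cpp
#include <vector>

// page_id -1 marks an entry the renderer has not committed yet.
struct NavigationEntry { int page_id; };

enum class NavigationType { NEW_PAGE, EXISTING_PAGE, SAME_PAGE };

// Constructed stand-in for NavigationController, not Chromium's class.
struct Controller {
  std::vector<NavigationEntry> entries;  // session history, oldest first
  int last_committed_index = -1;
  NavigationEntry* pending_entry = nullptr;

  NavigationEntry* GetLastCommittedEntry() {
    return last_committed_index < 0 ? nullptr : &entries[last_committed_index];
  }

  // existing_entry: the history entry the renderer reports it committed
  // (nullptr for a brand-new page).
  NavigationType Classify(NavigationEntry* existing_entry, bool with_fix) {
    if (!existing_entry) return NavigationType::NEW_PAGE;
    // Buggy rule quoted in comment 7: committing any other entry while a
    // page_id -1 pending entry exists counts as "same page". The fix adds
    // the check the comment suggests: the committed entry must be the one
    // currently showing, i.e. the last committed entry.
    if (pending_entry && existing_entry != pending_entry &&
        pending_entry->page_id == -1 &&
        (!with_fix || existing_entry == GetLastCommittedEntry())) {
      return NavigationType::SAME_PAGE;
    }
    return NavigationType::EXISTING_PAGE;  // e.g. back/forward navigation
  }
};

// Two committed pages (page_id 1 older, 2 current), a typed URL left pending,
// then the renderer commits entries[committed_index] before the pending load
// finishes. committed_index 0 models the report's history.back(); 1 models
// the Enter-to-reload case the SAME_PAGE rule was written for.
NavigationType ClassifyCommitDuringPending(int committed_index, bool with_fix) {
  Controller c;
  c.entries = {{1}, {2}};       // constructed sample history
  c.last_committed_index = 1;
  NavigationEntry pending{-1};  // not yet committed
  c.pending_entry = &pending;
  return c.Classify(&c.entries[committed_index], with_fix);
}
```

Without the extra check the back navigation is reported as SAME_PAGE, so the controller keeps treating the old entry as current while different content is shown; with it, only the reload case stays SAME_PAGE.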

Comment 8 by bugdroid1@chromium.org, Apr 8 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=80941

------------------------------------------------------------------------
r80941 | creis@chromium.org | Fri Apr 08 09:27:24 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/tab_contents/navigation_controller.cc?r1=80941&r2=80940&pathrev=80941
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/tab_contents/navigation_controller_unittest.cc?r1=80941&r2=80940&pathrev=80941

Fix classification of a history.back() that interrupts a pending navigation.

BUG= 78031 
TEST=NavigationControllerTest.LoadURL_BackPreemptsPending

Review URL: http://codereview.chromium.org/6801052
------------------------------------------------------------------------

Comment 9 by creis@chromium.org, Apr 8 2011

Status: Fixed
Fixed in r80941.
Labels: reward-topanel
Thanks, Charlie! Does this affect older versions (10 stable, 11 beta?) It affects both merging and release notes.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
Affects M10, M11. I'll merge it to M11.
Status: FixUnreleased
Merged to M11 @ r81005
Labels: ReleaseBlock-Stable

Comment 14 by bugdroid1@chromium.org, Apr 8 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=81005

------------------------------------------------------------------------
r81005 | cevans@chromium.org | Fri Apr 08 15:42:38 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/696/src/content/browser/tab_contents/navigation_controller_unittest.cc?r1=81005&r2=81004&pathrev=81005
 M http://src.chromium.org/viewvc/chrome/branches/696/src/content/browser/tab_contents/navigation_controller.cc?r1=81005&r2=81004&pathrev=81005

Merge 80941 - Fix classification of a history.back() that interrupts a pending navigation.

BUG= 78031 
TEST=NavigationControllerTest.LoadURL_BackPreemptsPending

Review URL: http://codereview.chromium.org/6801052

TBR=creis@chromium.org
Review URL: http://codereview.chromium.org/6826017
------------------------------------------------------------------------
Labels: -reward-topanel reward-1000 reward-unpaid
@kuzzcc - another textbook spoof, thanks! Another provisional $1000 Chromium Security Reward for your help.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-1446
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 22 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 23 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecSeverity-High -Mstone-11 -SecImpacts-Stable Security-Impact-Stable Security-Severity-High M-11 Type-Bug-Security

Comment 24 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined

Comment 25 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 26 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 27 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted