From 81497c7f2e7ca4de7779580b72ec10da37012949 Mon Sep 17 00:00:00 2001
From: Micha Hanselmann
Date: Fri, 21 Jun 2019 09:23:57 -0700
Subject: [PATCH] fix: sanitize invalid custom protocol headers (#18854)

---
 shell/browser/net/url_request_async_asar_job.cc | 14 ++++++++++++++
 spec/api-protocol-spec.js | 13 +++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/shell/browser/net/url_request_async_asar_job.cc b/shell/browser/net/url_request_async_asar_job.cc
index b50d14091ced..e8a83f17e31c 100644
--- a/shell/browser/net/url_request_async_asar_job.cc
+++ b/shell/browser/net/url_request_async_asar_job.cc
@@ -38,6 +38,20 @@ void BeforeStartInUI(base::WeakPtr job,
     error = net::ERR_NOT_IMPLEMENTED;
   }
 
+  // sanitize custom headers
+  if (request_options && request_options->is_dict()) {
+    const base::Value* headersDict = request_options->FindDictKey("headers");
+    if (headersDict) {
+      for (const auto& iter : headersDict->DictItems()) {
+        if (!iter.second.is_string()) {
+          args->ThrowError("Value of '" + iter.first +
+                           "' header has to be a string");
+          return;
+        }
+      }
+    }
+  }
+
   base::PostTaskWithTraits(
       FROM_HERE, {content::BrowserThread::IO},
       base::BindOnce(&URLRequestAsyncAsarJob::StartAsync, job,
diff --git a/spec/api-protocol-spec.js b/spec/api-protocol-spec.js
index 12590c195cfb..652118f60d29 100644
--- a/spec/api-protocol-spec.js
+++ b/spec/api-protocol-spec.js
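Review bot: The `return;` after `args->ThrowError(...)` skips the `base::PostTaskWithTraits(... StartAsync ...)` call, so a handler that supplies a non-string header value gets a JS exception but the job itself is never started — unlike the `error = net::ERR_NOT_IMPLEMENTED;` branch just above, which records an error and still lets StartAsync run. I cannot see from the hunk how an unstarted job is torn down; if nothing completes it, the originating request hangs instead of failing. Consider recording `error = net::ERR_INVALID_ARGUMENT;` (or whatever code the rest of this function uses for bad input) and falling through to the post rather than returning, so the caller observes a failed request as well as the thrown error. Separately, the comment says "sanitize" but the loop only checks `is_string()`: header names are not validated at all and a string value containing CR/LF still passes, so either say what is actually checked, `// reject non-string header values`, or, if the net layer's header validators (net::HttpUtil::IsValidHeaderName / IsValidHeaderValue) are reachable here, run the name and value through them too. BeforeStartInUI starts before the hunk and its body continues past it.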
@@ -235,6 +235,19 @@ describe('protocol module', () => {
       expect(r.headers).to.include('x-great-header: sogreat')
     })
 
+    it('throws an error when custom headers are invalid', (done) => {
+      const handler = (request, callback) => {
+        expect(() => callback({
+          path: filePath,
+          headers: { 'X-Great-Header': 42 }
+        })).to.throw(Error, 'Value of \'X-Great-Header\' header has to be a string')
+        done()
+      }
+      registerFileProtocol(protocolName, handler).then(() => {
+        ajax(protocolName + '://fake-host')
+      })
+    })
+
     it('sends object as response', async () => {
       const handler = (request, callback) => callback({ path: filePath })
       await registerFileProtocol(protocolName, handler)
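Review bot: The promise returned by `ajax(protocolName + '://fake-host')` is dropped, so if the request rejects after the handler's callback throws, the rejection surfaces as an unhandled rejection outside this test rather than as a pass or failure inside it. A minimal fix is `ajax(protocolName + '://fake-host').catch(() => {})`; better is to await the request and assert that it fails, which would also pin down what the caller sees when the header check rejects. The `expect(...).to.throw(...)` runs inside the protocol handler, so if that assertion ever fails `done()` is never reached and the test reports a timeout instead of the assertion message; wrapping the handler body in try/catch and passing the error to `done` gives a clearer failure. Whether ajax rejects or hangs here depends on how the native side completes a job it never started, which is not visible in this hunk.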