
fix: sanitize invalid custom protocol headers (#18854)

Micha Hanselmann 5 years ago
parent
commit
81497c7f2e
2 changed files with 27 additions and 0 deletions
  1. 14 0
      shell/browser/net/url_request_async_asar_job.cc
  2. 13 0
      spec/api-protocol-spec.js

+ 14 - 0
shell/browser/net/url_request_async_asar_job.cc

@@ -38,6 +38,20 @@ void BeforeStartInUI(base::WeakPtr<URLRequestAsyncAsarJob> job,
     error = net::ERR_NOT_IMPLEMENTED;
   }
 
+  // sanitize custom headers
+  if (request_options && request_options->is_dict()) {
+    const base::Value* headersDict = request_options->FindDictKey("headers");
+    if (headersDict) {
+      for (const auto& iter : headersDict->DictItems()) {
+        if (!iter.second.is_string()) {
+          args->ThrowError("Value of '" + iter.first +
+                           "' header has to be a string");
+          return;
+        }
+      }
+    }
+  }
+
   base::PostTaskWithTraits(
       FROM_HERE, {content::BrowserThread::IO},
       base::BindOnce(&URLRequestAsyncAsarJob::StartAsync, job,
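Review bot: The comment `// sanitize custom headers` overstates what the added block does — it only rejects values that are not strings, so a string value containing CR/LF or other characters that are not legal in an HTTP header field still passes through to the job unchanged. Since these values come from the app's protocol handler, consider checking content as well as type, e.g. `if (!iter.second.is_string() || !net::HttpUtil::IsValidHeaderValue(iter.second.GetString()))` together with `net::HttpUtil::IsValidHeaderName(iter.first)` on the key (this needs `net/http/http_util.h` if it is not already included), and reword the comment to `// Reject custom headers whose values are not strings`. Note also that the early `return` after `ThrowError` skips the `PostTaskWithTraits` call below, so the job is presumably never started on the IO thread and the underlying request is left pending — worth confirming that it is failed explicitly rather than left to hang. BeforeStartInUI begins before this hunk and continues past it.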

+ 13 - 0
spec/api-protocol-spec.js

@@ -235,6 +235,19 @@ describe('protocol module', () => {
       expect(r.headers).to.include('x-great-header: sogreat')
     })
 
+    it('throws an error when custom headers are invalid', (done) => {
+      const handler = (request, callback) => {
+        expect(() => callback({
+          path: filePath,
+          headers: { 'X-Great-Header': 42 }
+        })).to.throw(Error, 'Value of \'X-Great-Header\' header has to be a string')
+        done()
+      }
+      registerFileProtocol(protocolName, handler).then(() => {
+        ajax(protocolName + '://fake-host')
+      })
+    })
+
     it('sends object as response', async () => {
       const handler = (request, callback) => callback({ path: filePath })
       await registerFileProtocol(protocolName, handler)
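Review bot: An assertion failure inside `handler` is thrown into the native protocol callback rather than into Mocha, so `done()` on the following line is never reached and the test times out instead of reporting the mismatched message; wrap the check as `try { expect(...).to.throw(...); done() } catch (err) { done(err) }`. The promise returned by `ajax(protocolName + '://fake-host')` is also neither awaited nor caught, so if the request fails after the handler throws this presumably surfaces as an unhandled rejection rather than a test result; attach a `.catch(() => {})` or await it inside the `then`. The `describe` block enclosing this test starts before the hunk and continues past it.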