Propagate attr() taint ranges when resolving shorthands [chromium/src : main]
0 views
Skip to first unread message
Munira Tursunova (Gerrit)
6:55 AM (3 hours ago) 6:55 AM
to Anders Hartvoll Ruud, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Attention needed from Anders Hartvoll Ruud
Munira Tursunova voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Anders Hartvoll Ruud
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Anders Hartvoll Ruud (Gerrit)
7:10 AM (3 hours ago) 7:10 AM
to Munira Tursunova, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Attention needed from Munira Tursunova
Anders Hartvoll Ruud voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Munira Tursunova
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Munira Tursunova (Gerrit)
7:10 AM (3 hours ago) 7:10 AM
to Anders Hartvoll Ruud, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Munira Tursunova voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
chromium-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)
7:48 AM (2 hours ago) 7:48 AM
to Munira Tursunova, Anders Hartvoll Ruud, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
chromiu...@luci-project-accounts.iam.gserviceaccount.com submitted the change![]( "Open in Gerrit")
Change information
Commit message:
Propagate attr() taint ranges when resolving shorthands
When resolving pending substitutions for shorthand properties, the
original text is reparsed into a new CSSParserTokenStream. Previously,
the attr() taint ranges from the CSSVariableData were not passed along
to the new stream. This allowed values from attr() functions to bypass
security checks when used within shorthand properties.
This patch ensures that `GetAttrTaintedRanges()` is passed to the new
`CSSParserTokenStream` when reparsing the shorthand value, correctly
enforcing attr() security restrictions.
Fixed: 502035074
Change-Id: I6dff0854f29937988a757ded902b6f6c47802773
Commit-Queue: Munira Tursunova <moo...@google.com>
Reviewed-by: Anders Hartvoll Ruud <and...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1613629}
Files:
- M third_party/blink/renderer/core/css/resolver/style_cascade.cc
- M third_party/blink/web_tests/external/wpt/css/css-values/attr-security.html
Change size: S
Delta: 2 files changed, 20 insertions(+), 1 deletion(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Anders Hartvoll Ruud
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages