[chromecast] Fix Command-line flag injection and sandbox escape in CastBrowserService [chromium/src : main]
1 view
Skip to first unread message
Simeon Anfinrud (Gerrit)
May 12, 2026, 7:53:36 PMMay 12
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud added 1 comment![]( "Open in Gerrit")
Message
Gemini says: Addressed Gerrit review comments.
1 comment
File chromecast/browser/android/junit/src/org/chromium/chromecast/shell/CastCommandLineHelperTest.java
File-level comment, Patchset 13 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. Updated the copyright year to 2026.
Related details
Attention is currently required from:
- Sandeep Vijayasekar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Simeon Anfinrud (Gerrit)
May 14, 2026, 3:44:32 PMMay 14
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud added 7 comments![]( "Open in Gerrit")
Message
Gemini says: Addressed Gerrit review comments.
7 comments
File chromecast/browser/android/apk/CastBrowserAndroidManifest.xml.jinja2
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. Added a custom permission `com.google.android.apps.mediashell.permission.START_CAST_BROWSER` instead of using `DUMP`.
File chromecast/browser/android/apk/src/org/chromium/chromecast/shell/CastCommandLineHelper.java
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. Positional arguments are now allowed.
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. The code now correctly handles dashes and empty switch names.
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. Removed trailing whitespace.
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Good catch. You are completely right, positional arguments should not be forwarded since they can be interpreted as arbitrary URLs or files to open. I have modified the loop to strictly ignore them.
File-level comment, Patchset 14 (Latest):
Simeon Anfinrud . resolved
Gemini says: Done. I added `CastCommandLineHelperTest` to `chromecast/browser/android/BUILD.gn` that thoroughly tests switch parsing, blocking unauthorized flags, and ignoring positional arguments.
File chromecast/browser/android/junit/src/org/chromium/chromecast/shell/CastCommandLineHelperTest.java
Simeon Anfinrud . resolved
Gemini says: Done. Updated the copyright year to 2026.
Related details
Attention is currently required from:
- Sandeep Vijayasekar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Simeon Anfinrud (Gerrit)
May 20, 2026, 12:56:30 AMMay 20
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud voted![]( "Open in Gerrit")
| Auto-Submit | +1 |
| Commit-Queue | +1 |
Simeon Anfinrud (Gerrit)
May 28, 2026, 8:24:38 PMMay 28
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Simeon Anfinrud (Gerrit)
Jun 9, 2026, 5:27:57 PMJun 9
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Sandeep Vijayasekar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Simeon Anfinrud (Gerrit)
Jun 10, 2026, 4:03:42 PMJun 10
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, feature-me...@chromium.org, jshin...@chromium.org, storage...@chromium.org, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud voted and added 1 comment![]( "Open in Gerrit")
Votes added by Simeon Anfinrud
| Auto-Submit | +1 |
1 comment
File chromecast/browser/android/junit/src/org/chromium/chromecast/shell/CastCommandLineHelperTest.java
Related details
Attention is currently required from:
- Sandeep Vijayasekar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Simeon Anfinrud (Gerrit)
Jun 18, 2026, 8:21:23 PM (8 days ago) Jun 18
to Jerome Jiang, Mirko Bonadei, Sandeep Vijayasekar, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, feature-me...@chromium.org, jshin...@chromium.org, storage...@chromium.org, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Sandeep Vijayasekar
Simeon Anfinrud voted and added 1 comment![]( "Open in Gerrit")
Votes added by Simeon Anfinrud
| Auto-Submit | +1 |
1 comment
File chromecast/browser/android/junit/src/org/chromium/chromecast/shell/CastCommandLineHelperTest.java
Line 27, Patchset 18:
CommandLine.reset();Simeon Anfinrud . resolved
Simeon AnfinrudresetForTesting()
Done
Related details
Attention is currently required from:
- Sandeep Vijayasekar
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Sandeep Vijayasekar (Gerrit)
Jun 22, 2026, 1:45:19 PM (4 days ago) Jun 22
to Simeon Anfinrud, Jerome Jiang, Mirko Bonadei, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, feature-me...@chromium.org, jshin...@chromium.org, storage...@chromium.org, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Attention needed from Simeon Anfinrud
Sandeep Vijayasekar voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Simeon Anfinrud
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Simeon Anfinrud (Gerrit)
Jun 22, 2026, 1:46:07 PM (4 days ago) Jun 22
to Sandeep Vijayasekar, Jerome Jiang, Mirko Bonadei, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, feature-me...@chromium.org, jshin...@chromium.org, storage...@chromium.org, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Simeon Anfinrud voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Sandeep Vijayasekar (Gerrit)
Jun 22, 2026, 1:46:08 PM (4 days ago) Jun 22
to Simeon Anfinrud, Jerome Jiang, Mirko Bonadei, Code Review Nudger, Chromium LUCI CQ, chromium...@chromium.org, android-bu...@system.gserviceaccount.com, feature-me...@chromium.org, jshin...@chromium.org, storage...@chromium.org, chrome-intelligence-te...@google.com, grt+...@chromium.org, net-r...@chromium.org, cblume...@chromium.org, devtools...@chromium.org, chrome-intell...@chromium.org, penghuan...@chromium.org, mar...@chromium.org, fgal...@chromium.org, jz...@chromium.org, security-...@chromium.org, halliwe...@chromium.org
Sandeep Vijayasekar added 1 comment![]( "Open in Gerrit")
Commit Message
Line 9, Patchset 20 (Latest):
Protected CastBrowserService in AndroidManifest.xml by requiring android.permission.DUMP. Explicitly filter incoming command-line switches in CastCommandLineHelper to a known safe allowlist, preventing injection of malicious flags like --no-sandbox.Sandeep Vijayasekar . unresolved
I dont see this in the CL
Related details
Attention set is empty
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages