Status Update
No update yet.
Comments
du...@gmail.com
Branch: androidx-master-dev
commit b4a3fe1d53c8c8082cf16795da164c446f7fd912
Author: Ian Lake <ilake@google.com>
Date: Wed Jul 15 14:34:08 2020
Add a hook that fires before the Activity's super.onCreate()
Provide a standard, composable API for libraries and
developers to run code as soon as possible after a
Context is available to an Activity (i.e., before the
logic in the base Activity.onCreate() runs and before any
layout is inflated).
This updates the code in FragmentActivity and
AppCompatActivity to use that new API.
Test: new activity tests pass
Test: existing fragment and appcompat tests still pass
BUG: 161390636
Relnote: "`ComponentActivity` now implements
`ContextAware`, allowing you to add one or more
`OnContextAvailableListener` instances which will
receive a callback before the base `Activity.onCreate()`."
Change-Id: I513da73bc0862b62af4166be35ba353fc7869a09
M activity/activity/api/1.2.0-alpha07.txt
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_1.2.0-alpha07.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_1.2.0-alpha07.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivityLifecycleTest.kt
A activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
A activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
A activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
A activity/activity/src/main/java/androidx/activity/contextaware/OnContextAvailableListener.java
M appcompat/appcompat/build.gradle
M appcompat/appcompat/src/main/java/androidx/appcompat/app/AppCompatActivity.java
M fragment/fragment/src/main/java/androidx/fragment/app/FragmentActivity.java
ke...@chromium.org
Branch: androidx-master-dev
commit 494d98d48e3c95c4338bda7ed1bf46797de257f6
Author: Ian Lake <ilake@google.com>
Date: Mon Aug 03 13:07:36 2020
Deliver the Context when added after it is available
Previously, an OnContextAvailableListener would only
receive a callback if added prior to the Context
being made available.
Rather than allow developers fall into a pitfall
where they add a listener and never receive a
callback, synchronously deliver the currently
available Context to listeners.
Test: updated activity tests pass
BUG: 161390636
Relnote: N/A
Change-Id: I24eff02712c90e84e1998407082e0b07cf04b44a
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
ke...@chromium.org
Branch: androidx-master-dev
commit 5d11382f47626211d512b9135f6b5f40b88f6647
Author: Ian Lake <ilake@google.com>
Date: Mon Aug 03 12:45:55 2020
Simplify OnContextAvailableListener interface
Rather than pass the ContextAware object,
the Context, and a Bundle for saved instance
state, pass only the Context to the
onContextAvailable() callback.
The ContextAware parameter is not needed in
general (unregistering is a corner case that
can be handled by capturing a reference to the
ContextAware).
The saved instance state Bundle is not needed
when we can ensure that the
SavedStateRegistry has had its state restored
before the listeners are called. This ensures
that all Saved State logic is centralized in
the API specifically built for saving state
rather than leaking into other APIs.
To accomplish this API change, the storage of
FragmentManager's and AppCompatDelegate's saved
state was moved to SavedStateRegistry as part of
FragmentActivity and AppCompatActivity,
respectively. Longer term, FragmentManager and
AppCompatDelegate should provide public APIs for
connecting directly to SavedStateRegistry, but
that is out of scope for this change.
Test: activity, fragment, and appcompat tests pass
BUG: 161390636
Relnote: N/A
Change-Id: I32fdd4b2c4c391c3fa97158dbd7508fa96b08d7a
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivityLifecycleTest.kt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivitySavedStateTest.kt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
M activity/activity/src/main/java/androidx/activity/contextaware/OnContextAvailableListener.java
M appcompat/appcompat/src/main/java/androidx/appcompat/app/AppCompatActivity.java
M fragment/fragment/src/androidTest/java/androidx/fragment/app/FragmentArchLifecycleTest.kt
M fragment/fragment/src/main/java/androidx/fragment/app/FragmentActivity.java
cr...@chromium.org
Branch: androidx-master-dev
commit d830158f1671930bab215716e329349a42eec1dd
Author: Ian Lake <ilake@google.com>
Date: Fri Jul 31 14:14:29 2020
Add suspending withContextAvailable to ContextAware
Expand the ContextAware interface to allow developers
to synchronously peek to see if the context is
availble.
This allows us to write a Kotlin extension
withContextAvailable() that runs a non-suspending
block once the context becomes available (either
synchronously if it is already available or by
using a OnContextAvailableListener under the hood
if not).
Test: new tests pass
BUG: 161390636
Relnote: "Added a `peekAvailableContext()` API to
`ContextAware` to allow you to synchronously determine
if a Context is available. A suspending Kotlin extension
`withContextAvailable()` allows you to run a
non-suspending block when the Context becomes available
and return a result."
Change-Id: I8290cd9de8231913036d23a233c177ed45d2d370
M activity/activity-ktx/api/current.txt
M activity/activity-ktx/api/public_plus_experimental_current.txt
M activity/activity-ktx/api/restricted_current.txt
A activity/activity-ktx/src/androidTest/java/androidx/activity/contextaware/ContextAwareTest.kt
A activity/activity-ktx/src/main/java/androidx/activity/contextaware/ContextAware.kt
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
ke...@chromium.org
The new ContextAware API will be available in Activity 1.2.0-alpha08 and is used by Fragment 1.3.0-alpha08 and AppCompat 1.3.0-alpha02 to implement FragmentManager's and AppCompatDelegate's pre-onCreate() logic.
cr...@chromium.org
Wait, this can't work as advertised.
FragmentActivity extends ComponentActivity
public FragmentActivity(@LayoutRes int contentLayoutId) {
super(contentLayoutId);
init();
}
private void init() {
addOnContextAvailableListener(new OnContextAvailableListener() {
// ...
}
}
ComponentActivity
@Override
protected void onCreate(@Nullable Bundle savedInstanceState) {
// ...
mContextAwareHelper.dispatchOnContextAvailable(this);
super.onCreate(savedInstanceState);
//...
}
- Call
FragmentActivityconstructor, - which calls
ComponentActivitysuper constructor, - which dispatches context available... to noone,
- and calls platform Activity.onCreate.
- Bubble up to
FragmentActivityconstructor and register context listener, - which is invoked synchronously but only after platform
Activity.onCreatehas already been called.
Did I miss something? I'm confused.
du...@gmail.com
Never mind, constructor vs onCreate. :facepalm: Sorry.
pe...@google.com
Re #8 - the fact that these are different things is indeed exactly why this API exists :)
dg...@chromium.org
Sorry I don't have any context on this. I think this 2017 bug was only about some UI changes. The blocking detection logic was done in
ke...@chromium.org
Yes, I see different behaviour. On Windows, Mac and Linux I can allow popups and redirects, and the navigation to a chrome:// URL does not happen.
tw...@chromium.org
cc'ing lbrady@ and shivanisha@ who's team did some work on this code a couple of years ago
ke...@chromium.org
- On both, when popups and redirects are always allowed for the site, then the navigation to the chrome:// URL fails.
- When there is no explicit allow or block, it prompts the user.
- On Android, selecting "Allow" causes the navigation to succeed.
- On desktop you have to click the chip in the omnibox. Clicking "always allow" does not cause the navigation to happen, but clicking on the link to the URL target does succeed.
All of which confirm's creis@'s analysis in comment 7.
cr...@chromium.org
Thanks kenrb@! I can confirm that the bug doesn't happen if popups and redirects are allowed on the site in question (on either desktop or Android).
The bug appears specific to the use of OpenURL, which treats the URL in question as browser-initiated and allows privileged URLs. Because the URL comes from the renderer, it should be filtered first. Thanks to dgn@'s link to
- Android:
FramebustBlockedMessageDelegate::HandleOpenLink() - Desktop:
FramebustBlockTabHelper::OnBlockedUrlClicked()
It looks like I was wrong in
- Using FilterURL on any URLs passed from the renderer. (This can probably be done quickly.)
- Preserving initiator origin (and any other relevant parameters) in the dialog, supposedly similar to what the popup blocker does, and then treating it as renderer-initiated. (This is probably worth doing, possibly as a followup.)
- Optionally preserving more of the navigation context.
I think we may have also previously discussed changing the OpenURL / LoadURL APIs so that they don't allow privileged URLs by default, although this would be a larger overhaul.
Anyway, now that I know where both the desktop and Android code live (and we've confirmed what the bug is across both platforms), I can probably help with the fix.
cr...@chromium.org
Interestingly, there seems to be a test for this case already in
pmonette@: Can you confirm it's ok to change that test to expect that the user can't proceed to chrome:// URLs, and can only proceed to blocked URLs the renderer would have already been able to navigate to in other circumstances?
cr...@chromium.org
I'm working on a first fix in
There's additional cleanup we land after that, but this first CL should resolve the main security concern.
cr...@chromium.org
[Navigation triage]
Just adding the Available hotlist to remove this from the untriaged list. The fix is just waiting for owners approval before it can land.
ap...@google.com
Project: chromium/src
Branch: main
Author: Charlie Reis <
Link:
Filter any URLs passed to the "redirect blocked" dialogs.
Expand for full commit details
Filter any URLs passed to the "redirect blocked" dialogs.
The framebusting mitigation from https://crbug.com/40084719 can block
subframes from navigating the main frame cross-origin without a user
gesture. However, the dialog allows the user to manually proceed to the
URL if desired.
This URL was not adequately filtered before, allowing chrome:// and
other privileged URLs to be used even if the renderer could not nomrally
navigate to them. This CL adds the necessary filtering, which should
apply to both the desktop and Android dialogs.
Bug: 375550814
Change-Id: Icd518a869a06ad982767386d5d7a1528e6179e6c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5973403
Reviewed-by: Patrick Monette <pmonette@chromium.org>
Reviewed-by: Nate Chapin <japhet@chromium.org>
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Liam Brady <lbrady@google.com>
Auto-Submit: Charlie Reis <creis@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1377807}
Files:
- M
chrome/browser/ui/content_settings/framebust_block_browsertest.cc - M
content/browser/renderer_host/render_frame_host_impl.cc
Hash: 27dc50bbbf4264d20c2b42d0b2aafc9ebd63fbec
Date: Mon Nov 04 19:31:22 2024
cr...@chromium.org
Since
In terms of severity, I looked for examples of similar bugs that allowed navigation to chrome:// and file:// URLs. In general this type of navigation is disallowed because it can be used as a stepping stone for privilege escalation, though no direct harm is likely to happen as a result. In that sense, it's similar to
There are some other similar bugs with higher severity, but I think they had larger consequences. For example,
du...@gmail.com
In 2015, from a .PDF file, it has a link, it links to a chrome:// link, it needs users to click on the link, and it can open the chrome:// link in a new tab after users clicked on the link on the .PDF file, the same to my report: a website opened, it opens a redirect blocked notification, users click on a click on the notification, it opens the chrome:// link well.
And the report in 2015 is rewarded 4,000 (
du...@gmail.com
du...@gmail.com
du...@gmail.com
du...@gmail.com
ke...@chromium.org
cr...@chromium.org
Thanks for spotting
- I would say that clicking through a "Redirect Blocked" notification (which warns the user that something may be wrong) is more of a mitigation than clicking a normal link in a PDF. In the PDF case, there are no warnings to the user that something is wrong, and the chrome:// or file:// URL was opened directly.
- That bug was raised from Low to Medium when it was found it affected more cases than just the one reported (
here - The reward was actually $2000, and the total amount was only $4000 because it was donated to charity and so Google
matched it
Regarding
Regarding
Thanks!
du...@gmail.com
Base on it, the scenario in my report is that a user is familiar with the blocking redirect function and the notification as know it is as described as above. This user easily tend to click on to allow the redirect.
But I totally agree with all the things explained in the
The my own funny explaining in here for the maximum bounty I can have (^^) is:
Now in 2024 the chrome:// link complex is more complex than before so that there are many exploits if I can find one to prove, yeah, if there is a chrome:// link on the chrome:// link complex can do something harmful for users by just loading it successfully, yeah, it is the case that we can discuss about.
I will share details if there is one convinced and proved one can be shared ^^.
du...@gmail.com
Trick users click allow on the redirect blocked notification on the website's content.
Trick users click to config something on the opened well chrome:// link by content on the website, too.
Or quit the browser by opening chrome://quit (needs users click to allow on the redirect blocked notification).
I hope the reward will be 500 USD or 1,000 USD ^^.
du...@gmail.com
In the .PDF file case, users can see the URL via status bar or other functions and need to click on for the URL to be opened.
In my report, the website can automatically sends the URL (this is the key part) to the redirect blocked notification to show to users, users click on because the redirect blocked notification just tells the current website is moving to this URL.
du...@gmail.com
du...@gmail.com
I will find a way to mask the link in the redirect blocked notification, if so, users can't know the link and tend to click to allow the redirect to happen.
du...@gmail.com
du...@gmail.com
du...@gmail.com
du...@gmail.com
My report: Open website, click on the Redirect blocked notification one click to allow. Users can see the chrome;// link on the Redirect blocked notification.
du...@gmail.com
And my reports also is the stating point for the security team to figure out in #comment 14 in desktop version, the Redirect blocked notification has an additional function/option allows users to click on as a link to open the chrome:// link. So I hope, personally, in this time of the world's reality (many appears, that I need enough money to buy a new phone and a new laptop to nurture the knowledge for the bounty program ^^), I will have a maximum at your convenience for the bounty reward (even it's a 500 reward, but it's a maximum bounty reward decided for the report of mine, it's fine ^^).
sp...@google.com
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $1000.00 for this report.
Rationale for this decision:
baseline quality report of web platform privilege escalation | exploitation mitigation bypass
Important: This payment will be issued by Bugcrowd. You will receive an email from Bugcrowd in the next 24 hours which contains a submission you must claim to be rewarded.
If you do not receive an email from them, please check your spam folder and then reach out to us via a comment here. For issues related to Bugcrowd itself, please contact them via
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
am...@chromium.org
Thank you for the report, Khiem. We appreciate your efforts and reporting this issue to us. In the future, it would much more helpful if your reports were clear and concise explanations of the security issue and impact to a user, following feedback we have conveyed in other bug reports and over email.
du...@gmail.com
deeply for more helpful and the important is, having valid reports security
bugs ^^, thank you, Any, thank you, again.
On Sat, Nov 23, 2024, 4:58 AM <buganizer-system@google.com> wrote:
pe...@google.com
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
Important: Please do not change the component of this bug manually.
Please READ THIS FAQ before filing a bug:
Please see the following link for instructions on filing security bugs:
Reports may be eligible for reward payments under the Chrome VRP:
NOTE: Security bugs are normally made public once a fix has been widely deployed.
-------------------------
VULNERABILITY DETAILS
On Chrome 130.0.6723.73 on Android: there is a way website A can automatically opens chrome://chrome-urls well via Redirect blocked function.
VERSION
Chrome Version: 130.0.6723.73 + [stable]
Operating System: [Android 14]
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug, or any personal or confidential information.
Please attach files directly, not in zip or other archive formats, and if you've created a demonstration site please also attach the files needed to reproduce the demonstration locally.
Open the local .html file (attached), allow in the Redirect blocked notification, the URL chrome://chrome-urls can be opened well after that from the local .html file via Redirect blocked function.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers, exception record]
Client ID (if relevant): [see link above]
CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: Khiem Tran