Repeat path canonicalization in ContentSettingsPattern::Builder

The fuzzer discovered an input that uncovers non-idempotency in ContentSettingsPattern::Builder::Canonicalize. First, the function changes |parts->path| from "/.//" to "//". On a second call, the "//" is changed to "/". This CL repeats the path canonicalization until we reach a fixed point. Bug: 1117622, 1132957, 1128999 Change-Id: I96da902e50a4a9b654a7d4184ef4ad2c0689e705 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2406332 Commit-Queue: Balazs Engedy <engedy@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#811717}

Repeat path canonicalization in ContentSettingsPattern::Builder
The fuzzer discovered an input that uncovers non-idempotency in ContentSettingsPattern::Builder::Canonicalize. First, the function changes |parts->path| from "/.//" to "//". On a second call, the "//" is changed to "/". This CL repeats the path canonicalization until we reach a fixed point. Bug: 1117622, 1132957, 1128999 Change-Id: I96da902e50a4a9b654a7d4184ef4ad2c0689e705 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2406332 Commit-Queue: Balazs Engedy <engedy@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Cr-Commit-Position: refs/heads/master@{#811717}
2d4e58ed · Dan McArdle · Commit Bot · 25668d0d · 2d4e58ed
Commit 2d4e58ed authored Sep 29, 2020 by Dan McArdle Committed by Commit Bot Sep 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 3 deletions

components/content_settings/core/common/content_settings_pattern.cc .../content_settings/core/common/content_settings_pattern.cc +14 -3

No files found.
--- a/components/content_settings/core/common/content_settings_pattern.cc
+++ b/components/content_settings/core/common/content_settings_pattern.cc
@@ -15,12 +15,14 @@
 #include "base/notreached.h"
 #include "base/optional.h"
 #include "base/stl_util.h"
+#include "base/strings/strcat.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "components/content_settings/core/common/content_settings_pattern_parser.h"
 #include "net/base/url_util.h"
 #include "url/gurl.h"
+#include "url/url_constants.h"

 namespace {

@@ -240,9 +242,18 @@ bool ContentSettingsPattern::Builder::Canonicalize(PatternParts* parts) {
  parts->scheme = base::ToLowerASCII(parts->scheme);

  if (parts->scheme == url::kFileScheme && !parts->is_path_wildcard) {
-    GURL url(std::string(url::kFileScheme) +
-             std::string(url::kStandardSchemeSeparator) + parts->path);
-    parts->path = url.path();
+    // TODO(crbug.com/1132957): Remove this loop once GURL canonicalization is
+    // idempotent (see crbug.com/1128999).
+    while (true) {
+      std::string url_spec = base::StrCat(
+          {url::kFileScheme, url::kStandardSchemeSeparator, parts->path});
+      GURL url(url_spec);
+      if (!url.is_valid())
+        return false;
+      if (parts->path == url.path_piece())
+        break;
+      parts->path = url.path();
+    }
  }

  // Canonicalize the host part.