ServiceWorker: Reject overly long scope/script URLs

IPC enforces a limit on receipt, but we should check on the sending side and reject the (un)registration promise too. BUG=386724 R=falken@chromium.org, michaeln@chromium.org Review URL: https://codereview.chromium.org/342163005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278850 0039d316-1c4b-4281-b951-d872f2087c98

ServiceWorker: Reject overly long scope/script URLs
IPC enforces a limit on receipt, but we should check on the sending side and reject the (un)registration promise too. BUG=386724 R=falken@chromium.org, michaeln@chromium.org Review URL: https://codereview.chromium.org/342163005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278850 0039d316-1c4b-4281-b951-d872f2087c98
37fde6a7 · jsbell@chromium.org · ca6b5d0f · 37fde6a7
Commit 37fde6a7 authored Jun 20, 2014 by jsbell@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

content/child/service_worker/service_worker_dispatcher.cc content/child/service_worker/service_worker_dispatcher.cc +23 -1

No files found.
--- a/content/child/service_worker/service_worker_dispatcher.cc
+++ b/content/child/service_worker/service_worker_dispatcher.cc
@@ -14,6 +14,7 @@
 #include "content/child/thread_safe_sender.h"
 #include "content/child/webmessageportchannel_impl.h"
 #include "content/common/service_worker/service_worker_messages.h"
+#include "content/public/common/url_utils.h"
 #include "third_party/WebKit/public/platform/WebServiceWorkerProviderClient.h"
 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"

@@ -78,6 +79,17 @@ void ServiceWorkerDispatcher::RegisterServiceWorker(
    const GURL& script_url,
    WebServiceWorkerProvider::WebServiceWorkerCallbacks* callbacks) {
  DCHECK(callbacks);
+
+  if (pattern.possibly_invalid_spec().size() > GetMaxURLChars() ||
+      script_url.possibly_invalid_spec().size() > GetMaxURLChars()) {
+    scoped_ptr<WebServiceWorkerProvider::WebServiceWorkerCallbacks>
+        owned_callbacks(callbacks);
+    scoped_ptr<WebServiceWorkerError> error(new WebServiceWorkerError(
+        WebServiceWorkerError::ErrorTypeSecurity, "URL too long"));
+    callbacks->onError(error.release());
+    return;
+  }
+
  int request_id = pending_callbacks_.Add(callbacks);
  thread_safe_sender_->Send(new ServiceWorkerHostMsg_RegisterServiceWorker(
      CurrentWorkerId(), request_id, provider_id, pattern, script_url));
@@ -88,6 +100,16 @@ void ServiceWorkerDispatcher::UnregisterServiceWorker(
    const GURL& pattern,
    WebServiceWorkerProvider::WebServiceWorkerCallbacks* callbacks) {
  DCHECK(callbacks);
+
+  if (pattern.possibly_invalid_spec().size() > GetMaxURLChars()) {
+    scoped_ptr<WebServiceWorkerProvider::WebServiceWorkerCallbacks>
+        owned_callbacks(callbacks);
+    scoped_ptr<WebServiceWorkerError> error(new WebServiceWorkerError(
+        WebServiceWorkerError::ErrorTypeSecurity, "URL too long"));
+    callbacks->onError(error.release());
+    return;
+  }
+
  int request_id = pending_callbacks_.Add(callbacks);
  thread_safe_sender_->Send(new ServiceWorkerHostMsg_UnregisterServiceWorker(
      CurrentWorkerId(), request_id, provider_id, pattern));
@@ -215,7 +237,7 @@ void ServiceWorkerDispatcher::OnRegistrationError(
  if (!callbacks)
    return;

-  scoped_ptr<WebServiceWorkerError>  error(
+  scoped_ptr<WebServiceWorkerError> error(
      new WebServiceWorkerError(error_type, message));
  callbacks->onError(error.release());
  pending_callbacks_.Remove(request_id);