The Vulnerability History Project

Adds chrome.dial.fetchDeviceDecription API.

      This API fetches the device description for a DIAL device, given a label for a device already discovered.

The request is configured to not send/receive cookies, ignore proxies, and ignore redirects.

Requests are retried with backoff on 5XX responses.

The response is validated in multiple ways:
- Valid Application-URL: header value
- Response body is a valid UTF-8 string
- Response body is <= 256kb

Additional validations are possible by following the DIAL spec closely at the risk of ignoring some devices.  See comments in device_description_fetcher.cc for details.

Note: The API function implementation is complicated by thread hopping.  See comments in dial_api.h for how this may be improved in the future.

BUG=671932
TESTED=Manually, unit tests, API test

Review-Url: https://codereview.chromium.org/2583853004
Cr-Commit-Position: refs/heads/master@{#442713}

by Orville the Magellanic Penguin 2017-01-10 22:34:11 UTC

commit 90824416d3eeae5ec6013b250123df65e9d48032

Chromium Fix CVE-2017-5042

chrome/browser/extensions/BUILD.gn

-2

chrome/browser/extensions/api/dial/device_description_fetcher.cc

-150

chrome/browser/extensions/api/dial/device_description_fetcher.h

-73

chrome/browser/extensions/api/dial/device_description_fetcher_unittest.cc

-178

chrome/browser/extensions/api/dial/dial_api.cc