Don't intercept flash installer redirect on search engine pages

Fix #2603 Auditors: @bbondy
brave · Jul 21, 2016 · 4ffcfcb · 4ffcfcb · bbondy · Jul 21, 2016
1 parent 6432aca
commit 4ffcfcb
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 6 deletions.
diff --git a/js/components/frame.js b/js/components/frame.js
@@ -575,12 +575,9 @@ class Frame extends ImmutableComponent {
       // Instead of telling person to install Flash, ask them if they want to
       // run Flash if it's installed.
       if (e.isMainFrame && !e.isErrorPage && !e.isFrameSrcDoc) {
-        if (UrlUtil.isFlashInstallUrl(e.url)) {
-          const currentProvisionalUrl = urlParse(this.props.frame.get('provisionalLocation'))
-          if (['http:', 'https:'].includes(currentProvisionalUrl.protocol) &&
-              !currentProvisionalUrl.hostname.includes('.adobe.com')) {
-            interceptFlash(e.url)
-          }
+        if (UrlUtil.isFlashInstallUrl(e.url) &&
+            UrlUtil.shouldInterceptFlash(this.props.frame.get('provisionalLocation'))) {
+          interceptFlash(e.url)
         }
         windowActions.onWebviewLoadStart(this.props.frame, e.url)
         const isSecure = parsedUrl.protocol === 'https:' && !this.allowRunningInsecureContent()

diff --git a/js/lib/urlutil.js b/js/lib/urlutil.js
@@ -255,6 +255,24 @@ const UrlUtil = {
   isFlashInstallUrl: function (url) {
     const adobeRegex = new RegExp('//(get\\.adobe\\.com/([a-z_-]+/)*flashplayer|www\\.macromedia\\.com/go/getflash|www\\.adobe\\.com/go/getflash)', 'i')
     return adobeRegex.test(url)
+  },
+
+  /**
+   * Checks whether the first-party page is one that should have Flash install
+   * URL interception.
+   * @param {string} url
+   * @return {boolean}
+   */
+  shouldInterceptFlash: function (url) {
+    if (!url) {
+      return false
+    }
+    const parsed = urlParse(url)
+    const exemptHostPattern = new RegExp('(\\.adobe\\.com|\\.google(\\.\\w+){1,2}|^duckduckgo\\.com|^search\\.yahoo\\.com)$')
+    return parsed.hostname &&
+      ['http:', 'https:'].includes(parsed.protocol) &&
+      !exemptHostPattern.test(parsed.hostname) &&
+      !['/search', '/search/'].includes(parsed.pathname)
   }
 }
 

diff --git a/test/lib/urlutilTest.js b/test/lib/urlutilTest.js
@@ -117,4 +117,23 @@ describe('urlutil', function () {
       assert(!UrlUtil.isFlashInstallUrl('https://gettadobe.com/jp/flashplayer'))
     })
   })
+
+  describe('shouldInterceptFlash', function () {
+    it('intercepts flash', function () {
+      assert(UrlUtil.shouldInterceptFlash('http://adobe.com.abc/flashthing'))
+      assert(UrlUtil.shouldInterceptFlash('https://site.duckduckgo.com'))
+    })
+    it('does not intercept on search engine pages', function () {
+      assert(!UrlUtil.shouldInterceptFlash('https://www.google.com/#q=flash'))
+      assert(!UrlUtil.shouldInterceptFlash('https://www.google.jp/#q=flash'))
+      assert(!UrlUtil.shouldInterceptFlash('https://www.google.co.uk/#q=flash'))
+      assert(!UrlUtil.shouldInterceptFlash('https://duckduckgo.com/?q=flash+player&t=hd&ia=about'))
+      assert(!UrlUtil.shouldInterceptFlash('https://www.bing.com/search?q=flash&go=Submit&qs=n&form=QBLH'))
+      assert(!UrlUtil.shouldInterceptFlash('https://yandex.ru/search/?lr=21411&msid=1469118356.6242.22900.32200&text=flash%20player'))
+      assert(!UrlUtil.shouldInterceptFlash('https://search.yahoo.com/search;_ylt=AwrBT4at95BXs8sAdpdXNyoA;_ylc=X1MDMjc2NjY3OQRfcgMyBGZyA3lmcC1'))
+    })
+    it('does not intercept on adobe site', function () {
+      assert(!UrlUtil.shouldInterceptFlash('https://www.adobe.com/test'))
+    })
+  })
 })