### Key Information

- **Title**: Security: Safe Browsing bypass via data URI, no warning if SB fails
- **Type**: Vulnerability
- **Priority**: P1
- **Severity**: S2
- **Status**: Fixed
- **CVE**: 2023-1814

### Vulnerability Details

1. **Safe Browsing API limit**: The Safe Browsing API (https://sb-ssl.google.com/safebrowsing/clientreport/download) returns 413 (Payload Too Large) when a data URI exceeds approximately 20MB. The AddEventUrlToReferrerChain function does not shorten data URIs in URLs, so if a data URI exceeds approximately 8MB, the download check can be bypassed.
2. **Download protection service**: Even when the download type is DOWNLOAD_DANGER_TYPE_MAYBE_DANGEROUS_CONTENT, if the Safe Browsing check is not performed or fails, DownloadCheckResult is set to UNKNOWN and the download type is reset to DOWNLOAD_DANGER_TYPE_NOT_DANGEROUS. As a result, the user receives no warning, which may create a false sense of security and an inconsistent experience.

### Report Link

- [Original Report](https://crbug.com/1416794#c8)

### Reference Links

- [download_protection_service.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/download_protection_service.cc;l=72-84;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [ppapi_download_request.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/ppapi_download_request.cc;l=197;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [check_client_download_request_base.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/check_client_download_request_base.cc;l=478;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [chrome_download_manager_delegate.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/download/chrome_download_manager_delegate.cc;l=1298;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
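
The two issues in the vulnerability details above, as an added, simplified C++ model that is not Chromium source and not taken from the report: the fail-open verdict mapping beside a fail-closed variant, plus a data URI shortener for report URLs. The enum names only echo the page's terms; `ShortenDataUrl`, `ResolveFailOpen` and `ResolveFailClosed` are hypothetical helpers, and the shortener assumes a lowercase `data:` scheme.

```cpp
#include <cstddef>
#include <string>

// Simplified model, not Chromium source. Enum names echo the page's terms.
enum class DangerType { NotDangerous, MaybeDangerousContent, DangerousContent };
enum class CheckResult { Unknown, Safe, Dangerous };

// Hypothetical helper: keep the "data:<mediatype>," header and drop the
// payload, so a multi-megabyte data URI cannot push the report request past
// the server's size limit. Assumes the scheme is already lowercase.
std::string ShortenDataUrl(const std::string& url) {
  if (url.compare(0, 5, "data:") != 0) return url;  // other schemes unchanged
  const std::size_t comma = url.find(',');
  if (comma == std::string::npos) return "data:";   // malformed: no payload
  const std::size_t payload = url.size() - comma - 1;
  return url.substr(0, comma + 1) + "[" + std::to_string(payload) +
         " bytes omitted]";
}

// Behaviour described on the page: an UNKNOWN verdict (check skipped or
// failed, e.g. HTTP 413) resets the danger type, so no warning is shown.
DangerType ResolveFailOpen(DangerType initial, CheckResult result) {
  (void)initial;  // the initial classification is discarded
  return result == CheckResult::Dangerous ? DangerType::DangerousContent
                                          : DangerType::NotDangerous;
}

// Hardened variant: only an explicit SAFE verdict clears the initial
// classification; UNKNOWN leaves the earlier warning state in place.
DangerType ResolveFailClosed(DangerType initial, CheckResult result) {
  switch (result) {
    case CheckResult::Dangerous: return DangerType::DangerousContent;
    case CheckResult::Safe:      return DangerType::NotDangerous;
    case CheckResult::Unknown:   return initial;
  }
  return initial;
}
```
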