content/browser/renderer_host/render_view_host_impl.cc - Issue 10302006: Check that the renderer can access files it claims are part of a drag.

Side by Side Diff: content/browser/renderer_host/render_view_host_impl.cc

Issue 10302006: Check that the renderer can access files it claims are part of a drag. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Better version Created 8 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/renderer_host/render_view_host_impl.h"	5 #include "content/browser/renderer_host/render_view_host_impl.h"

6	6

7 #include <set>	7 #include <set>

8 #include <string>	8 #include <string>

9 #include <utility>	9 #include <utility>

10 #include <vector>	10 #include <vector>

(...skipping 1324 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1335 return;	1335 return;

1336	1336

1337 WebDropData filtered_data(drop_data);	1337 WebDropData filtered_data(drop_data);

1338 ChildProcessSecurityPolicyImpl* policy =	1338 ChildProcessSecurityPolicyImpl* policy =

1339 ChildProcessSecurityPolicyImpl::GetInstance();	1339 ChildProcessSecurityPolicyImpl::GetInstance();

1340	1340

1341 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.	1341 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.

1342 if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))	1342 if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))

1343 FilterURL(policy, GetProcess()->GetID(), true, &filtered_data.url);	1343 FilterURL(policy, GetProcess()->GetID(), true, &filtered_data.url);

1344 FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url);	1344 FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url);

	1345 // Filter out any paths that the renderer didn't have access to. This prevents

	1346 // the following attack on a malicious renderer:

	1347 // 1. StartDragging IPC sent with renderer-specified filesystem paths that it

	1348 // doesn't have read permissions for.

	1349 // 2. We initiate a native DnD operation.

	1350 // 3. DnD operation immediately ends since mouse is not held down. DnD events

	1351 // still fire though, which causes read permissions to be granted to the

	1352 // renderer for any file paths in the drop.

	1353 filtered_data.filenames.clear();

	1354 for (std::vector<string16>::const_iterator it = drop_data.filenames.begin();

	1355 it != drop_data.filenames.end(); ++it) {

	1356 FilePath path(FilePath::FromUTF8Unsafe(UTF16ToUTF8(*it)));

	1357 if (policy->CanReadFile(GetProcess()->GetID(), path))

	1358 filtered_data.filenames.push_back(*it);

	1359 }

1345 view->StartDragging(filtered_data, drag_operations_mask, image, image_offset);	1360 view->StartDragging(filtered_data, drag_operations_mask, image, image_offset);
	sky 2012/05/03 21:07:05 What happens if you end up here and everything was What happens if you end up here and everything was filtered? dcheng 2012/05/03 21:14:49 We'll start a drag but there won't be any data con Show quoted text On 2012/05/03 21:07:05, sky wrote: > What happens if you end up here and everything was filtered? We'll start a drag but there won't be any data contained in the drag. I think this is OK, as you could legitimately have a situation where this occurs.
1346 }	1361 }

1347	1362

1348 void RenderViewHostImpl::OnUpdateDragCursor(WebDragOperation current_op) {	1363 void RenderViewHostImpl::OnUpdateDragCursor(WebDragOperation current_op) {

1349 RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();	1364 RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();

1350 if (view)	1365 if (view)

1351 view->UpdateDragCursor(current_op);	1366 view->UpdateDragCursor(current_op);

1352 }	1367 }

1353	1368

1354 void RenderViewHostImpl::OnTargetDropACK() {	1369 void RenderViewHostImpl::OnTargetDropACK() {

1355 content::NotificationService::current()->Notify(	1370 content::NotificationService::current()->Notify(

(...skipping 468 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1824 is_waiting_for_beforeunload_ack_ = false;	1839 is_waiting_for_beforeunload_ack_ = false;

1825 is_waiting_for_unload_ack_ = false;	1840 is_waiting_for_unload_ack_ = false;

1826 has_timed_out_on_unload_ = false;	1841 has_timed_out_on_unload_ = false;

1827 }	1842 }

1828	1843

1829 void RenderViewHostImpl::ClearPowerSaveBlockers() {	1844 void RenderViewHostImpl::ClearPowerSaveBlockers() {

1830 STLDeleteValues(&power_save_blockers_);	1845 STLDeleteValues(&power_save_blockers_);

1831 }	1846 }

1832	1847

1833 } // namespace content	1848 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »