Index: content/browser/renderer_host/render_view_host_impl.cc |
diff --git a/content/browser/renderer_host/render_view_host_impl.cc b/content/browser/renderer_host/render_view_host_impl.cc |
index 919aee0e996b8ac5ed85280e1dbd940ca10be62d..20891c8f74ed74448a24e7fc2443d73a576efd6e 100644 |
--- a/content/browser/renderer_host/render_view_host_impl.cc |
+++ b/content/browser/renderer_host/render_view_host_impl.cc |
@@ -1342,6 +1342,21 @@ void RenderViewHostImpl::OnMsgStartDragging( |
if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme)) |
FilterURL(policy, GetProcess()->GetID(), true, &filtered_data.url); |
FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url); |
+ // Filter out any paths that the renderer didn't have access to. This prevents |
+ // the following attack on a malicious renderer: |
+ // 1. StartDragging IPC sent with renderer-specified filesystem paths that it |
+ // doesn't have read permissions for. |
+ // 2. We initiate a native DnD operation. |
+ // 3. DnD operation immediately ends since mouse is not held down. DnD events |
+ // still fire though, which causes read permissions to be granted to the |
+ // renderer for any file paths in the drop. |
+ filtered_data.filenames.clear(); |
+ for (std::vector<string16>::const_iterator it = drop_data.filenames.begin(); |
+ it != drop_data.filenames.end(); ++it) { |
+ FilePath path(FilePath::FromUTF8Unsafe(UTF16ToUTF8(*it))); |
+ if (policy->CanReadFile(GetProcess()->GetID(), path)) |
+ filtered_data.filenames.push_back(*it); |
+ } |
view->StartDragging(filtered_data, drag_operations_mask, image, image_offset); |
sky
2012/05/03 21:07:05
What happens if you end up here and everything was
dcheng
2012/05/03 21:14:49
We'll start a drag but there won't be any data con
|
} |