Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(338)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 7085005: Disallow links from being seen by the extensions via the fileapi. (Closed)

Created:
9 years, 7 months ago by rkc
Modified:
9 years, 6 months ago
CC:
chromium-reviews, darin-cc_chromium.org, kinuko+watch, pam+watch_chromium.org, brettw-cc_chromium.org
Visibility:
Public.

Description

Disallow links from being seen by the extensions via the fileapi. This change is more of a hack at the moment, ideally we need to refactor file_util (and maybe a bit of file_path) to provide better ways to handle symlinks. This fix prevents exploits reading arbitary files either through handled extension calls or our component extension. BUG=chromium-os:15826 TEST=Verified that links do not show up when reading a directory in the file browser UI. Tests that specifically check for this will follow in subsequent checkins.

Patch Set 1 #

Patch Set 2 : Comment fix. #

Total comments: 1

Patch Set 3 : Made IsLink posix-wide. #

Patch Set 4 : Change fileapi to use IsLink on all platforms. #

Total comments: 6

Patch Set 5 : Review comments incorporated. #

Total comments: 1

Patch Set 6 : Review comments incorporated. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+35 lines, -1 line) Patch
M base/file_util.h View 1 2 1 chunk +3 lines, -0 lines 0 comments Download
M base/file_util_posix.cc View 1 2 3 4 5 1 chunk +15 lines, -0 lines 0 comments Download
M base/file_util_win.cc View 1 2 3 4 1 chunk +6 lines, -0 lines 0 comments Download
M webkit/fileapi/file_system_file_util.cc View 1 2 3 4 2 chunks +11 lines, -1 line 0 comments Download

Messages

Total messages: 10 (0 generated)
rkc
9 years, 7 months ago (2011-05-27 19:02:33 UTC) #1
Evan Martin
Why check in hacks? Why not fix this properly?
9 years, 7 months ago (2011-05-27 19:04:37 UTC) #2
Evan Martin
On 2011/05/27 19:04:37, Evan Martin wrote: > Why check in hacks? Why not fix this ...
9 years, 7 months ago (2011-05-27 19:05:46 UTC) #3
Evan Martin
http://codereview.chromium.org/7085005/diff/5/webkit/fileapi/file_system_file_util.cc File webkit/fileapi/file_system_file_util.cc (right): http://codereview.chromium.org/7085005/diff/5/webkit/fileapi/file_system_file_util.cc#newcode87 webkit/fileapi/file_system_file_util.cc:87: if (file_util::IsLink(file_path)) Can you make this function local to ...
9 years, 7 months ago (2011-05-27 20:57:09 UTC) #4
Evan Martin
Or maybe better, just remove the OS_CHROMEOS bits? I think it'd be safer to just ...
9 years, 7 months ago (2011-05-27 21:02:53 UTC) #5
Evan Martin
On 2011/05/27 21:02:53, Evan Martin wrote: > Or maybe better, just remove the OS_CHROMEOS bits? ...
9 years, 7 months ago (2011-05-27 21:17:48 UTC) #6
rkc
Done. On 2011/05/27 21:17:48, Evan Martin wrote: > On 2011/05/27 21:02:53, Evan Martin wrote: > ...
9 years, 6 months ago (2011-05-31 21:20:14 UTC) #7
Evan Martin
I hate to be a stickler, but would you mind ending your comments with periods? ...
9 years, 6 months ago (2011-05-31 21:22:32 UTC) #8
rkc
Review comments incorporated. http://codereview.chromium.org/7085005/diff/5007/base/file_util_win.cc File base/file_util_win.cc (right): http://codereview.chromium.org/7085005/diff/5007/base/file_util_win.cc#newcode705 base/file_util_win.cc:705: // No symlinks on windows Done. ...
9 years, 6 months ago (2011-05-31 21:49:56 UTC) #9
Evan Martin
9 years, 6 months ago (2011-05-31 23:00:12 UTC) #10 
LGTM, thank you for putting up with my nit-picking!

http://codereview.chromium.org/7085005/diff/5009/base/file_util_posix.cc
File base/file_util_posix.cc (right):

http://codereview.chromium.org/7085005/diff/5009/base/file_util_posix.cc#newc...
base/file_util_posix.cc:530: // least be a 'followable' link
period

Powered by Google App Engine
This is Rietveld 408576698