Prevent webview tags from navigating outside web-safe schemes.

content/browser/renderer_host/render_view_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 113 matching lines @@
     return NULL;
   return static_cast<RenderViewHostImpl*>(RenderWidgetHostImpl::From(widget));
 }
 
 // static
 RenderViewHost* RenderViewHost::From(RenderWidgetHost* rwh) {
   return static_cast<RenderViewHostImpl*>(RenderWidgetHostImpl::From(rwh));
 }
 
 // static
-void RenderViewHost::FilterURL(int renderer_id,
+void RenderViewHost::FilterURL(RenderProcessHost* process,
                                bool empty_allowed,
                                GURL* url) {
   RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
-                                renderer_id, empty_allowed, url);
+                                process, empty_allowed, url);
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // RenderViewHostImpl, public:
 
 // static
 RenderViewHostImpl* RenderViewHostImpl::FromID(int render_process_id,
                                                int render_view_id) {
   return static_cast<RenderViewHostImpl*>(
       RenderViewHost::FromID(render_process_id, render_view_id));
@@ skipping 112 matching lines @@
   params.next_page_id = next_page_id;
   GetWebScreenInfo(&params.screen_info);
 
   params.accessibility_mode =
       BrowserAccessibilityStateImpl::GetInstance()->GetAccessibilityMode();
 
   Send(new ViewMsg_New(params));
 
   // If it's enabled, tell the renderer to set up the Javascript bindings for
   // sending messages back to the browser.
+  if (GetProcess()->IsGuest())
+    DCHECK_EQ(0, enabled_bindings_);
   Send(new ViewMsg_AllowBindings(GetRoutingID(), enabled_bindings_));
   // Let our delegate know that we created a RenderView.
   delegate_->RenderViewCreated(this);
 
   FOR_EACH_OBSERVER(
       RenderViewHostObserver, observers_, RenderViewHostInitialized());
 
   return true;
 }
 
 bool RenderViewHostImpl::IsRenderViewLive() const {
   return GetProcess()->HasConnection() && renderer_initialized_;
 }
 
 void RenderViewHostImpl::SyncRendererPrefs() {
   Send(new ViewMsg_SetRendererPrefs(GetRoutingID(),
                                     delegate_->GetRendererPrefs(
                                         GetProcess()->GetBrowserContext())));
 }
 
 void RenderViewHostImpl::Navigate(const ViewMsg_Navigate_Params& params) {
-  ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
-      GetProcess()->GetID(), params.url);
-  if (params.url.SchemeIs(chrome::kDataScheme) &&
-      params.base_url_for_data_url.SchemeIs(chrome::kFileScheme)) {
-    // If 'data:' is used, and we have a 'file:' base url, grant access to
-    // local files.
+  // Browser plugin guests are not allowed to navigate outside web-safe schemes,
+  // so do not grant them the ability to request additional URLs.
+  if (!GetProcess()->IsGuest()) {
     ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
-        GetProcess()->GetID(), params.base_url_for_data_url);
+        GetProcess()->GetID(), params.url);
+    if (params.url.SchemeIs(chrome::kDataScheme) &&
+        params.base_url_for_data_url.SchemeIs(chrome::kFileScheme)) {
+      // If 'data:' is used, and we have a 'file:' base url, grant access to
+      // local files.
+      ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
+          GetProcess()->GetID(), params.base_url_for_data_url);
+    }
   }
 
   ViewMsg_Navigate* nav_message = new ViewMsg_Navigate(GetRoutingID(), params);
 
   // Only send the message if we aren't suspended at the start of a cross-site
   // request.
   if (navigations_suspended_) {
     // Shouldn't be possible to have a second navigation while suspended, since
     // navigations will only be suspended during a cross-site request.  If a
     // second navigation occurs, WebContentsImpl will cancel this pending RVH
@@ skipping 274 matching lines @@
     const gfx::Point& screen_pt,
     WebDragOperationsMask operations_allowed,
     int key_modifiers) {
   const int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // The URL could have been cobbled together from any highlighted text string,
   // and can't be interpreted as a capability.
   WebDropData filtered_data(drop_data);
-  FilterURL(policy, renderer_id, true, &filtered_data.url);
+  FilterURL(policy, GetProcess(), true, &filtered_data.url);
 
   // The filenames vector, on the other hand, does represent a capability to
   // access the given files.
   fileapi::IsolatedContext::FileInfoSet files;
   for (std::vector<WebDropData::FileInfo>::iterator iter(
            filtered_data.filenames.begin());
        iter != filtered_data.filenames.end(); ++iter) {
     // A dragged file may wind up as the value of an input element, or it
     // may be used as the target of a navigation instead.  We don't know
     // which will happen at this point, so generously grant both access
@@ skipping 205 matching lines @@
       !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
           GetProcess()->GetID())) {
     // This process has no bindings yet. Make sure it does not have more
     // than this single active view.
     RenderProcessHostImpl* process =
         static_cast<RenderProcessHostImpl*>(GetProcess());
     if (process->GetActiveViewCount() > 1)
       return;
   }
 
+  // Never grant any bindings to browser plugin guests.
+  if (GetProcess()->IsGuest()) {
+    NOTREACHED() << "Never grant bindings to a guest process.";
+    return;
+  }
+
   if (bindings_flags & BINDINGS_POLICY_WEB_UI) {
     ChildProcessSecurityPolicyImpl::GetInstance()->GrantWebUIBindings(
         GetProcess()->GetID());
   }
 
   enabled_bindings_ |= bindings_flags;
   if (renderer_initialized_)
     Send(new ViewMsg_AllowBindings(GetRoutingID(), enabled_bindings_));
 }
 
@@ skipping 384 matching lines @@
   }
 
   // If we're waiting for an unload ack from this renderer and we receive a
   // Navigate message, then the renderer was navigating before it received the
   // unload request.  It will either respond to the unload request soon or our
   // timer will expire.  Either way, we should ignore this message, because we
   // have already committed to closing this renderer.
   if (is_waiting_for_unload_ack_)
     return;
 
-  const int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
   // Without this check, an evil renderer can trick the browser into creating
   // a navigation entry for a banned URL.  If the user clicks the back button
   // followed by the forward button (or clicks reload, or round-trips through
   // session restore, etc), we'll think that the browser commanded the
   // renderer to load the URL and grant the renderer the privileges to request
   // the URL.  To prevent this attack, we block the renderer from inserting
   // banned URLs into the navigation controller in the first place.
-  FilterURL(policy, renderer_id, false, &validated_params.url);
-  FilterURL(policy, renderer_id, true, &validated_params.referrer.url);
+  FilterURL(policy, GetProcess(), false, &validated_params.url);

[Tom Sepez, 2012/10/29 17:59:08]

nit: are we sure the optimizer can remove the redundant calls to GetProcess
(presumably a virtual)?  Also below.

[Charlie Reis, 2012/10/29 18:18:31]

Good point.  Fixed.

+  FilterURL(policy, GetProcess(), true, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
-    FilterURL(policy, renderer_id, false, &(*it));
+    FilterURL(policy, GetProcess(), false, &(*it));
   }
-  FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url);
-  FilterURL(policy, renderer_id, true, &validated_params.password_form.origin);
-  FilterURL(policy, renderer_id, true, &validated_params.password_form.action);
+  FilterURL(policy, GetProcess(), true, &validated_params.searchable_form_url);
+  FilterURL(policy, GetProcess(), true, &validated_params.password_form.origin);
+  FilterURL(policy, GetProcess(), true, &validated_params.password_form.action);
 
   delegate_->DidNavigate(this, validated_params);
 
   // TODO(nasko): Send frame tree update for the top level frame, once
   // http://crbug.com/153701 is fixed.
 }
 
 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id,
                                           const std::string& state) {
   delegate_->UpdateState(this, page_id, state);
@@ skipping 63 matching lines @@
 
 void RenderViewHostImpl::OnMsgDocumentOnLoadCompletedInMainFrame(
     int32 page_id) {
   delegate_->DocumentOnLoadCompletedInMainFrame(this, page_id);
 }
 
 void RenderViewHostImpl::OnMsgContextMenu(const ContextMenuParams& params) {
   // Validate the URLs in |params|.  If the renderer can't request the URLs
   // directly, don't show them in the context menu.
   ContextMenuParams validated_params(params);
-  int renderer_id = GetProcess()->GetID();
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // We don't validate |unfiltered_link_url| so that this field can be used
   // when users want to copy the original link URL.
-  FilterURL(policy, renderer_id, true, &validated_params.link_url);
-  FilterURL(policy, renderer_id, true, &validated_params.src_url);
-  FilterURL(policy, renderer_id, false, &validated_params.page_url);
-  FilterURL(policy, renderer_id, true, &validated_params.frame_url);
+  FilterURL(policy, GetProcess(), true, &validated_params.link_url);
+  FilterURL(policy, GetProcess(), true, &validated_params.src_url);
+  FilterURL(policy, GetProcess(), false, &validated_params.page_url);
+  FilterURL(policy, GetProcess(), true, &validated_params.frame_url);
 
   ContextMenuSourceType type = CONTEXT_MENU_SOURCE_MOUSE;
   if (!in_process_event_types_.empty()) {
     WebKit::WebInputEvent::Type event_type = in_process_event_types_.front();
     if (WebKit::WebInputEvent::isGestureEventType(event_type))
       type = CONTEXT_MENU_SOURCE_TOUCH;
     else if (WebKit::WebInputEvent::isKeyboardEventType(event_type))
       type = CONTEXT_MENU_SOURCE_KEYBOARD;
   }
   delegate_->ShowContextMenu(validated_params, type);
 }
 
 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   delegate_->ToggleFullscreenMode(enter_fullscreen);
   WasResized();
 }
 
 void RenderViewHostImpl::OnMsgOpenURL(const GURL& url,
                                       const Referrer& referrer,
                                       WindowOpenDisposition disposition,
                                       int64 source_frame_id) {
   GURL validated_url(url);
   FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
-            GetProcess()->GetID(), false, &validated_url);
+            GetProcess(), false, &validated_url);
 
   delegate_->RequestOpenURL(
       this, validated_url, referrer, disposition, source_frame_id);
 }
 
 void RenderViewHostImpl::OnMsgDidContentsPreferredSizeChange(
     const gfx::Size& new_size) {
   delegate_->UpdatePreferredSize(new_size);
 }
 
@@ skipping 79 matching lines @@
   RenderViewHostDelegateView* view = delegate_->GetDelegateView();
   if (!view)
     return;
 
   WebDropData filtered_data(drop_data);
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
   if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))
-    FilterURL(policy, GetProcess()->GetID(), true, &filtered_data.url);
-  FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url);
+    FilterURL(policy, GetProcess(), true, &filtered_data.url);
+  FilterURL(policy, GetProcess(), false, &filtered_data.html_base_url);
   // Filter out any paths that the renderer didn't have access to. This prevents
   // the following attack on a malicious renderer:
   // 1. StartDragging IPC sent with renderer-specified filesystem paths that it
   //    doesn't have read permissions for.
   // 2. We initiate a native DnD operation.
   // 3. DnD operation immediately ends since mouse is not held down. DnD events
   //    still fire though, which causes read permissions to be granted to the
   //    renderer for any file paths in the drop.
   filtered_data.filenames.clear();
   for (std::vector<WebDropData::FileInfo>::const_iterator it =
@@ skipping 220 matching lines @@
 
 void RenderViewHostImpl::SendOrientationChangeEvent(int orientation) {
   Send(new ViewMsg_OrientationChangeEvent(GetRoutingID(), orientation));
 }
 
 void RenderViewHostImpl::ToggleSpeechInput() {
   Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID()));
 }
 
 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy,
-                                   int renderer_id,
+                                   RenderProcessHost* process,
                                    bool empty_allowed,
                                    GURL* url) {
   if (empty_allowed && url->is_empty())
     return;
 
   if (!url->is_valid()) {
     // Have to use about:blank for the denied case, instead of an empty GURL.
     // This is because the browser treats navigation to an empty GURL as a
     // navigation to the home page. This is often a privileged page
     // (chrome://newtab/) which is exactly what we don't want.
     *url = GURL(chrome::kAboutBlankURL);
     return;
   }
 
   if (url->SchemeIs(chrome::kAboutScheme)) {
     // The renderer treats all URLs in the about: scheme as being about:blank.
     // Canonicalize about: URLs to about:blank.
     *url = GURL(chrome::kAboutBlankURL);
   }
 
-  if (!policy->CanRequestURL(renderer_id, *url)) {
+  // Do not allow browser plugin guests to navigate to non-web URLs, since they
+  // cannot swap processes or grant bindings.
+  bool non_web_url_in_guest = process->IsGuest() &&
+      !(url->is_valid() && policy->IsWebSafeScheme(url->scheme()));
+
+  if (!policy->CanRequestURL(process->GetID(), *url) || non_web_url_in_guest) {

[Tom Sepez, 2012/10/29 17:59:08]

nit: Might check non_web_url_in_guest first to avoid call to policy where
possible.

[Charlie Reis, 2012/10/29 18:18:31]

Done.

     // If this renderer is not permitted to request this URL, we invalidate the
     // URL.  This prevents us from storing the blocked URL and becoming confused
     // later.
     VLOG(1) << "Blocked URL " << url->spec();
     *url = GURL(chrome::kAboutBlankURL);
   }
 }
 
 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) {
   Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url));
@@ skipping 277 matching lines @@
   is_waiting_for_beforeunload_ack_ = false;
   is_waiting_for_unload_ack_ = false;
   has_timed_out_on_unload_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
   STLDeleteValues(&power_save_blockers_);
 }
 
 }  // namespace content