Index: content/browser/webui/url_data_manager_backend.cc |
diff --git a/content/browser/webui/url_data_manager_backend.cc b/content/browser/webui/url_data_manager_backend.cc |
index 3f24b6c5f0b24d84c1ee6dd21901ecd12f039e2a..22f275e55a23417d4da5613e15b87b780e6efd11 100644 |
--- a/content/browser/webui/url_data_manager_backend.cc |
+++ b/content/browser/webui/url_data_manager_backend.cc |
@@ -26,6 +26,7 @@ |
#include "content/browser/tcmalloc_internals_request_job.h" |
#include "content/browser/webui/shared_resources_data_source.h" |
#include "content/browser/webui/url_data_source_impl.h" |
+#include "content/public/browser/browser_context.h" |
#include "content/public/browser/browser_thread.h" |
#include "content/public/browser/content_browser_client.h" |
#include "content/public/browser/render_process_host.h" |
@@ -160,7 +161,13 @@ class URLRequestChromeJob : public net::URLRequestJob, |
// Helper for Start(), to let us start asynchronously. |
// (This pattern is shared by most net::URLRequestJob implementations.) |
- void StartAsync(); |
+ void StartAsync(bool allowed); |
+ |
+ // Called on the UI thread to check if this request is allowed. |
+ static void CheckStoragePartitionMatches( |
+ int render_process_id, |
+ const GURL& url, |
+ const base::WeakPtr<URLRequestChromeJob>& job); |
// Do the actual copy from data_ (the data we're serving) into |buf|. |
// Separate from ReadRawData so we can handle async I/O. |
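Review bot: The comment on StartAsync is now stale: it still says it is a helper "to let us start asynchronously", but after this change it is reached only from CheckStoragePartitionMatches with the verdict of the UI-thread check, and the new `allowed` parameter is undocumented. I would rewrite it as `// Continues Start() on the IO thread once the UI thread has decided whether the requesting process may load this URL; |allowed| false fails the request.` The comment on CheckStoragePartitionMatches should also state its threading contract, since it is a static posted to the UI thread with a base::WeakPtr that, as I read Chromium's WeakPtr, may only be dereferenced on the IO thread that created it: `// Runs on the UI thread. Must not dereference |job|; it only passes it back to StartAsync on the IO thread.` The enclosing class declaration starts and ends outside this hunk.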
@@ -229,12 +236,14 @@ URLRequestChromeJob::~URLRequestChromeJob() { |
} |
void URLRequestChromeJob::Start() { |
- // Start reading asynchronously so that all error reporting and data |
- // callbacks happen as they would for network requests. |
- base::MessageLoop::current()->PostTask( |
+ int render_process_id, unused; |
+ ResourceRequestInfo::GetRenderFrameForRequest( |
+ request_, &render_process_id, &unused); |
+ BrowserThread::PostTask( |
+ BrowserThread::UI, |
FROM_HERE, |
- base::Bind(&URLRequestChromeJob::StartAsync, weak_factory_.GetWeakPtr())); |
- |
+ base::Bind(&URLRequestChromeJob::CheckStoragePartitionMatches, |
+ render_process_id, request_->url(), AsWeakPtr())); |
TRACE_EVENT_ASYNC_BEGIN1("browser", "DataManager:Request", this, "URL", |
request_->url().possibly_invalid_spec()); |
} |
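Review bot: `int render_process_id, unused;` is declared uninitialized and the return value of ResourceRequestInfo::GetRenderFrameForRequest is ignored, so for a request that carries no ResourceRequestInfo (one not issued by a renderer, which is what a false return appears to mean) whatever is on the stack is posted to the UI thread as a process id and fed to RenderProcessHost::FromID. Initialize both to a sentinel and keep the check honest: `int render_process_id = -1;` and `int unused = -1;`, then `if (!ResourceRequestInfo::GetRenderFrameForRequest(request_, &render_process_id, &unused)) render_process_id = -1;`. With the current CheckStoragePartitionMatches a -1 id yields a null RenderProcessHost and a denied request, which is at least fail-closed, but the caller-side fix makes that outcome deterministic instead of dependent on stack contents; the non-renderer policy itself belongs in the UI-thread check and should be decided explicitly there.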
@@ -338,11 +347,47 @@ void URLRequestChromeJob::CompleteRead(net::IOBuffer* buf, int buf_size, |
*bytes_read = buf_size; |
} |
-void URLRequestChromeJob::StartAsync() { |
+void URLRequestChromeJob::CheckStoragePartitionMatches( |
+ int render_process_id, |
+ const GURL& url, |
+ const base::WeakPtr<URLRequestChromeJob>& job) { |
+ // The embedder could put some webui pages in separate storage partition. |
+ // RenderProcessHostImpl::IsSuitableHost would guard against top level pages |
+ // being in the same process. We do an extra check to guard against an |
+ // exploited renderer pretending to add them as a subframe. We skip this check |
+ // for resources. |
+ // TODO(guohui): move URL constants for favicon, theme, thumb, thumb and |
+ // thumbnails from chrome/common/url_constants.h to |
+ // content/public/common/url_constants.h, so that they could be reused here. |
+ bool allowed = false; |
+ if (url.SchemeIs(kChromeUIScheme) && |
+ (url.host() == kChromeUIResourcesHost || |
+ url.host() == "favicon" || |
+ url.host() == "theme" || |
+ url.host() == "thumb" || |
+ url.host() == "thumb2" || |
+ url.host() == "thumbnails")) { |
+ allowed = true; |
+ } else { |
+ RenderProcessHost* process = RenderProcessHost::FromID(render_process_id); |
+ if (process) { |
+ StoragePartition* partition = BrowserContext::GetStoragePartitionForSite( |
+ process->GetBrowserContext(), url); |
+ allowed = partition == process->GetStoragePartition(); |
+ } |
+ } |
+ |
+ BrowserThread::PostTask( |
+ BrowserThread::IO, |
+ FROM_HERE, |
+ base::Bind(&URLRequestChromeJob::StartAsync, job, allowed)); |
+} |
+ |
+void URLRequestChromeJob::StartAsync(bool allowed) { |
if (!request_) |
return; |
- if (!backend_->StartRequest(request_, this)) { |
+ if (!allowed || !backend_->StartRequest(request_, this)) { |
NotifyStartError(net::URLRequestStatus(net::URLRequestStatus::FAILED, |
net::ERR_INVALID_URL)); |
} |
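Review bot: In the else branch, "requester process no longer exists" and "request was not issued by a renderer" both collapse into `allowed = false`, and StartAsync then reports the denial as net::ERR_INVALID_URL, so a partition mismatch from a compromised renderer is indistinguishable from a typo in the URL and leaves no trace. I would make the non-renderer case explicit (e.g. `if (render_process_id == -1) { /* not issued by a renderer; no partition to compare */ allowed = true; }` if the embedder intends browser-initiated chrome:// loads to keep working, otherwise a comment saying they are deliberately refused), and add a `DLOG(WARNING)`-style line naming the URL and process id on the `partition != process->GetStoragePartition()` path so an exploited renderer probing another partition is visible in debug builds. The fail-closed default for a null process is correct and should stay. The hard-coded host strings in the allow-list will drift from chrome/common/url_constants.h silently; the TODO should be tracked with a bug so the list is not forgotten when a host is added there. StartAsync's closing brace is outside the hunk.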