OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/named_pipe_dispatcher.h" | 5 #include "sandbox/win/src/named_pipe_dispatcher.h" |
6 | 6 |
7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
8 #include "base/strings/string_split.h" | |
8 | 9 |
9 #include "sandbox/win/src/crosscall_client.h" | 10 #include "sandbox/win/src/crosscall_client.h" |
10 #include "sandbox/win/src/interception.h" | 11 #include "sandbox/win/src/interception.h" |
11 #include "sandbox/win/src/interceptors.h" | 12 #include "sandbox/win/src/interceptors.h" |
12 #include "sandbox/win/src/ipc_tags.h" | 13 #include "sandbox/win/src/ipc_tags.h" |
13 #include "sandbox/win/src/named_pipe_interception.h" | 14 #include "sandbox/win/src/named_pipe_interception.h" |
14 #include "sandbox/win/src/named_pipe_policy.h" | 15 #include "sandbox/win/src/named_pipe_policy.h" |
15 #include "sandbox/win/src/policy_broker.h" | 16 #include "sandbox/win/src/policy_broker.h" |
16 #include "sandbox/win/src/policy_params.h" | 17 #include "sandbox/win/src/policy_params.h" |
17 #include "sandbox/win/src/sandbox.h" | 18 #include "sandbox/win/src/sandbox.h" |
(...skipping 18 matching lines...) | |
36 return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW, | 37 return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW, |
37 CREATE_NAMED_PIPE_ID, 36); | 38 CREATE_NAMED_PIPE_ID, 36); |
38 | 39 |
39 return false; | 40 return false; |
40 } | 41 } |
41 | 42 |
42 bool NamedPipeDispatcher::CreateNamedPipe( | 43 bool NamedPipeDispatcher::CreateNamedPipe( |
43 IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode, | 44 IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode, |
44 DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size, | 45 DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size, |
45 DWORD default_timeout) { | 46 DWORD default_timeout) { |
47 ipc->return_info.win32_result = ERROR_ACCESS_DENIED; | |
48 ipc->return_info.handle = INVALID_HANDLE_VALUE; | |
jschuh
2014/01/27 20:29:47
Never put INVALID_HANDLE_VALUE in anything that ma
Will Harris
2014/01/27 23:47:18
Done.
| |
49 | |
50 std::vector<base::string16> paths; | |
51 base::SplitString(*name, '\\', &paths); | |
52 | |
53 for (std::vector<base::string16>::const_iterator iter = paths.begin(); | |
54 iter != paths.end(); ++iter) { | |
55 if (*iter == L"..") | |
56 return true; | |
57 } | |
58 | |
59 // Windows happily accepts / as well as \ once into the pipe namespace, so we | |
60 // check for this as well. | |
61 base::SplitString(*name, '/', &paths); | |
62 | |
63 for (std::vector<base::string16>::const_iterator iter = paths.begin(); | |
jschuh
2014/01/27 20:29:47
Don't you want to nest this inside the above loop,
Will Harris
2014/01/27 23:47:18
Done.
| |
64 iter != paths.end(); ++iter) { | |
65 if (*iter == L"..") | |
66 return true; | |
67 } | |
68 | |
46 const wchar_t* pipe_name = name->c_str(); | 69 const wchar_t* pipe_name = name->c_str(); |
47 CountedParameterSet<NameBased> params; | 70 CountedParameterSet<NameBased> params; |
48 params[NameBased::NAME] = ParamPickerMake(pipe_name); | 71 params[NameBased::NAME] = ParamPickerMake(pipe_name); |
49 | 72 |
50 EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG, | 73 EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG, |
51 params.GetBase()); | 74 params.GetBase()); |
52 | 75 |
76 // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to | |
77 // disable all string parsing and to send the string that follows it straight | |
78 // to the file system." | |
79 // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx | |
80 // This ensures even if there is a path traversal in the pipe name, and it is | |
81 // able to get past the checks above, it will still not be allowed to escape | |
82 // our whitelisted namespace. | |
83 if (name->compare(0, 4, L"\\\\.\\") == 0) | |
84 name->replace(0, 4, L"\\\\\?\\"); | |
85 | |
53 HANDLE pipe; | 86 HANDLE pipe; |
54 DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info, | 87 DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info, |
55 *name, open_mode, | 88 *name, open_mode, |
56 pipe_mode, max_instances, | 89 pipe_mode, max_instances, |
57 out_buffer_size, | 90 out_buffer_size, |
58 in_buffer_size, | 91 in_buffer_size, |
59 default_timeout, &pipe); | 92 default_timeout, &pipe); |
60 | 93 |
61 ipc->return_info.win32_result = ret; | 94 ipc->return_info.win32_result = ret; |
62 ipc->return_info.handle = pipe; | 95 ipc->return_info.handle = pipe; |
63 return true; | 96 return true; |
64 } | 97 } |
65 | 98 |
66 } // namespace sandbox | 99 } // namespace sandbox |
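Review bot: The `\\?\` rewrite at new lines 83-84 only fires when the name starts with exactly `\\.\`, so the guarantee in the comment above it ("will still not be allowed to escape our whitelisted namespace") holds for that one prefix form; a name in any other form is handed to CreateNamedPipeAction as received. Whether that matters depends on what the policy rules admit, which is not visible here, so the comment should say so, for example `// Only names beginning with "\\.\" are rewritten; any other prefix relies solely on the policy match above.` The rewrite also modifies `*name` after `pipe_name = name->c_str()` was taken at new line 69, which may invalidate that pointer; nothing reads `pipe_name` afterwards today, but a one-line comment there would keep a later edit from using it. On style, `L"\\\\\?\\"` can be written `L"\\\\?\\"`, since a single `?` needs no escape.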