Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(14)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/named_pipe_dispatcher.cc

Issue 145553007: Correctly test for canonicalized path in the CreateNamedPipe policy engine. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: fix license Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | sandbox/win/src/named_pipe_policy_test.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/win/src/named_pipe_dispatcher.h" 5 #include "sandbox/win/src/named_pipe_dispatcher.h"
6 6
7 #include "base/basictypes.h" 7 #include "base/basictypes.h"
8 #include "base/strings/string_split.h"
8 9
9 #include "sandbox/win/src/crosscall_client.h" 10 #include "sandbox/win/src/crosscall_client.h"
10 #include "sandbox/win/src/interception.h" 11 #include "sandbox/win/src/interception.h"
11 #include "sandbox/win/src/interceptors.h" 12 #include "sandbox/win/src/interceptors.h"
12 #include "sandbox/win/src/ipc_tags.h" 13 #include "sandbox/win/src/ipc_tags.h"
13 #include "sandbox/win/src/named_pipe_interception.h" 14 #include "sandbox/win/src/named_pipe_interception.h"
14 #include "sandbox/win/src/named_pipe_policy.h" 15 #include "sandbox/win/src/named_pipe_policy.h"
15 #include "sandbox/win/src/policy_broker.h" 16 #include "sandbox/win/src/policy_broker.h"
16 #include "sandbox/win/src/policy_params.h" 17 #include "sandbox/win/src/policy_params.h"
17 #include "sandbox/win/src/sandbox.h" 18 #include "sandbox/win/src/sandbox.h"
(...skipping 18 matching lines...) Expand all
36 return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW, 37 return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW,
37 CREATE_NAMED_PIPE_ID, 36); 38 CREATE_NAMED_PIPE_ID, 36);
38 39
39 return false; 40 return false;
40 } 41 }
41 42
42 bool NamedPipeDispatcher::CreateNamedPipe( 43 bool NamedPipeDispatcher::CreateNamedPipe(
43 IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode, 44 IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode,
44 DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size, 45 DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size,
45 DWORD default_timeout) { 46 DWORD default_timeout) {
47 ipc->return_info.win32_result = ERROR_ACCESS_DENIED;
48 ipc->return_info.handle = INVALID_HANDLE_VALUE;
49
50 std::vector<base::string16> paths;
51 std::vector<base::string16> innerpaths;
52 base::SplitString(*name, '/', &paths);
53
54 for (std::vector<base::string16>::const_iterator iter = paths.begin();
rvargas (doing something else) 2014/01/28 22:26:46 why not search ".." and fail right away if that is
55 iter != paths.end(); ++iter) {
56 base::SplitString(*iter, '\\', &innerpaths);
57 for (std::vector<base::string16>::const_iterator iter2 = innerpaths.begin();
58 iter2 != innerpaths.end(); ++iter2) {
rvargas (doing something else) 2014/01/28 22:26:46 nit: indent one space less
59 if (*iter2 == L"..")
60 return true;
61 }
62 }
63
46 const wchar_t* pipe_name = name->c_str(); 64 const wchar_t* pipe_name = name->c_str();
47 CountedParameterSet<NameBased> params; 65 CountedParameterSet<NameBased> params;
48 params[NameBased::NAME] = ParamPickerMake(pipe_name); 66 params[NameBased::NAME] = ParamPickerMake(pipe_name);
49 67
50 EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG, 68 EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG,
51 params.GetBase()); 69 params.GetBase());
52 70
71 // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
72 // disable all string parsing and to send the string that follows it straight
73 // to the file system."
74 // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
75 // This ensures even if there is a path traversal in the pipe name, and it is
76 // able to get past the checks above, it will still not be allowed to escape
77 // our whitelisted namespace.
78 if (name->compare(0, 4, L"\\\\.\\") == 0)
79 name->replace(0, 4, L"\\\\\?\\");
rvargas (doing something else) 2014/01/28 22:26:46 we should not be fixing names. If we don't like it
80
53 HANDLE pipe; 81 HANDLE pipe;
54 DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info, 82 DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info,
55 *name, open_mode, 83 *name, open_mode,
56 pipe_mode, max_instances, 84 pipe_mode, max_instances,
57 out_buffer_size, 85 out_buffer_size,
58 in_buffer_size, 86 in_buffer_size,
59 default_timeout, &pipe); 87 default_timeout, &pipe);
60 88
61 ipc->return_info.win32_result = ret; 89 ipc->return_info.win32_result = ret;
62 ipc->return_info.handle = pipe; 90 ipc->return_info.handle = pipe;
63 return true; 91 return true;
64 } 92 }
65 93
66 } // namespace sandbox 94 } // namespace sandbox
OLDNEW
« no previous file with comments | « no previous file | sandbox/win/src/named_pipe_policy_test.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698