Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1747)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/win/src/named_pipe_dispatcher.cc

Issue 145553007: Correctly test for canonicalized path in the CreateNamedPipe policy engine. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: fix license Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | sandbox/win/src/named_pipe_policy_test.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/named_pipe_dispatcher.cc
diff --git a/sandbox/win/src/named_pipe_dispatcher.cc b/sandbox/win/src/named_pipe_dispatcher.cc
index 54b3162bfa57fa13baa27b003b17fb03fa3f1b7a..da4045c274547d4beed6c6db7b2dff3df83deca4 100644
--- a/sandbox/win/src/named_pipe_dispatcher.cc
+++ b/sandbox/win/src/named_pipe_dispatcher.cc
@@ -5,6 +5,7 @@
#include "sandbox/win/src/named_pipe_dispatcher.h"
#include "base/basictypes.h"
+#include "base/strings/string_split.h"
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/interception.h"
@@ -43,6 +44,23 @@ bool NamedPipeDispatcher::CreateNamedPipe(
IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode,
DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size,
DWORD default_timeout) {
+ ipc->return_info.win32_result = ERROR_ACCESS_DENIED;
+ ipc->return_info.handle = INVALID_HANDLE_VALUE;
+
+ std::vector<base::string16> paths;
+ std::vector<base::string16> innerpaths;
+ base::SplitString(*name, '/', &paths);
+
+ for (std::vector<base::string16>::const_iterator iter = paths.begin();
rvargas (doing something else) 2014/01/28 22:26:46 why not search ".." and fail right away if that is
+ iter != paths.end(); ++iter) {
+ base::SplitString(*iter, '\\', &innerpaths);
+ for (std::vector<base::string16>::const_iterator iter2 = innerpaths.begin();
+ iter2 != innerpaths.end(); ++iter2) {
rvargas (doing something else) 2014/01/28 22:26:46 nit: indent one space less
+ if (*iter2 == L"..")
+ return true;
+ }
+ }
+
const wchar_t* pipe_name = name->c_str();
CountedParameterSet<NameBased> params;
params[NameBased::NAME] = ParamPickerMake(pipe_name);
@@ -50,6 +68,16 @@ bool NamedPipeDispatcher::CreateNamedPipe(
EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG,
params.GetBase());
+ // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
+ // disable all string parsing and to send the string that follows it straight
+ // to the file system."
+ // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
+ // This ensures even if there is a path traversal in the pipe name, and it is
+ // able to get past the checks above, it will still not be allowed to escape
+ // our whitelisted namespace.
+ if (name->compare(0, 4, L"\\\\.\\") == 0)
+ name->replace(0, 4, L"\\\\\?\\");
rvargas (doing something else) 2014/01/28 22:26:46 we should not be fixing names. If we don't like it
+
HANDLE pipe;
DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info,
*name, open_mode,
« no previous file with comments | « no previous file | sandbox/win/src/named_pipe_policy_test.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698