Index: sandbox/win/src/named_pipe_dispatcher.cc |
diff --git a/sandbox/win/src/named_pipe_dispatcher.cc b/sandbox/win/src/named_pipe_dispatcher.cc |
index 54b3162bfa57fa13baa27b003b17fb03fa3f1b7a..da4045c274547d4beed6c6db7b2dff3df83deca4 100644 |
--- a/sandbox/win/src/named_pipe_dispatcher.cc |
+++ b/sandbox/win/src/named_pipe_dispatcher.cc |
@@ -5,6 +5,7 @@ |
#include "sandbox/win/src/named_pipe_dispatcher.h" |
#include "base/basictypes.h" |
+#include "base/strings/string_split.h" |
#include "sandbox/win/src/crosscall_client.h" |
#include "sandbox/win/src/interception.h" |
@@ -43,6 +44,23 @@ bool NamedPipeDispatcher::CreateNamedPipe( |
IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode, |
DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size, |
DWORD default_timeout) { |
+ ipc->return_info.win32_result = ERROR_ACCESS_DENIED; |
+ ipc->return_info.handle = INVALID_HANDLE_VALUE; |
+ |
+ std::vector<base::string16> paths; |
+ std::vector<base::string16> innerpaths; |
+ base::SplitString(*name, '/', &paths); |
+ |
+ for (std::vector<base::string16>::const_iterator iter = paths.begin(); |
rvargas (doing something else)
2014/01/28 22:26:46
why not search ".." and fail right away if that is
|
+ iter != paths.end(); ++iter) { |
+ base::SplitString(*iter, '\\', &innerpaths); |
+ for (std::vector<base::string16>::const_iterator iter2 = innerpaths.begin(); |
+ iter2 != innerpaths.end(); ++iter2) { |
rvargas (doing something else)
2014/01/28 22:26:46
nit: indent one space less
|
+ if (*iter2 == L"..") |
+ return true; |
+ } |
+ } |
+ |
const wchar_t* pipe_name = name->c_str(); |
CountedParameterSet<NameBased> params; |
params[NameBased::NAME] = ParamPickerMake(pipe_name); |
@@ -50,6 +68,16 @@ bool NamedPipeDispatcher::CreateNamedPipe( |
EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG, |
params.GetBase()); |
+ // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to |
+ // disable all string parsing and to send the string that follows it straight |
+ // to the file system." |
+ // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx |
+ // This ensures even if there is a path traversal in the pipe name, and it is |
+ // able to get past the checks above, it will still not be allowed to escape |
+ // our whitelisted namespace. |
+ if (name->compare(0, 4, L"\\\\.\\") == 0) |
+ name->replace(0, 4, L"\\\\\?\\"); |
rvargas (doing something else)
2014/01/28 22:26:46
we should not be fixing names. If we don't like it
|
+ |
HANDLE pipe; |
DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info, |
*name, open_mode, |