
Side by Side Diff: content/browser/renderer_host/render_view_host_impl.cc

Issue 14727006: Check that the files the renderer wants to preserve as part of a session restore are already availa… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: . not -> Created 7 years, 7 months ago
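--- a/content/browser/renderer_host/render_view_host_impl.cc
+++ b/content/browser/renderer_host/render_view_host_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ -60,20 +60,21 @@
 #include "content/public/common/result_codes.h"
 #include "content/public/common/url_constants.h"
 #include "net/base/net_util.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 #include "ui/gfx/image/image_skia.h"
 #include "ui/gfx/native_widget_types.h"
 #include "ui/shell_dialogs/selected_file_info.h"
 #include "ui/snapshot/snapshot.h"
 #include "webkit/fileapi/isolated_context.h"
+#include "webkit/glue/glue_serialize.h"
 #include "webkit/glue/webdropdata.h"
 #include "webkit/glue/webkit_glue.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/win/WebScreenInfoFact ory.h"
 #elif defined(OS_MACOSX)
 #include "content/browser/renderer_host/popup_menu_helper_mac.h"
 #elif defined(OS_ANDROID)
 #include "content/browser/android/media_player_manager_impl.h"
@@ -1217,25 +1218,39 @@
 FilterURL(policy, process, false, &validated_params.url);
 FilterURL(policy, process, true, &validated_params.referrer.url);
 for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
 it != validated_params.redirects.end(); ++it) {
 FilterURL(policy, process, false, &(*it));
 }
 FilterURL(policy, process, true, &validated_params.searchable_form_url);
 FilterURL(policy, process, true, &validated_params.password_form.origin);
 FilterURL(policy, process, true, &validated_params.password_form.action);
 
+// Without this check, the renderer can trick the browser into using
+// filenames it can't access in a future session restore.
+if (!CanAccessFilesOfSerializedState(validated_params.content_state)) {
+GetProcess()->ReceivedBadMessage();
+return;
+}
+
 delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHostImpl::OnUpdateState(int32 page_id,
 const std::string& state) {
+// Without this check, the renderer can trick the browser into using
+// filenames it can't access in a future session restore.
+if (!CanAccessFilesOfSerializedState(state)) {
+GetProcess()->ReceivedBadMessage();
+return;
+}
+
 delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHostImpl::OnUpdateTitle(
 int32 page_id,
 const string16& title,
 WebKit::WebTextDirection title_direction) {
 if (title.length() > kMaxTitleChars) {
 NOTREACHED() << "Renderer sent too many characters in title.";
 return;
@@ -2035,11 +2050,25 @@
 // can cause navigations to be ignored in OnNavigate.
 is_waiting_for_beforeunload_ack_ = false;
 is_waiting_for_unload_ack_ = false;
 has_timed_out_on_unload_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
 STLDeleteValues(&power_save_blockers_);
 }
 
+bool RenderViewHostImpl::CanAccessFilesOfSerializedState(
+const std::string& state) const {
+ChildProcessSecurityPolicyImpl* policy =
+ChildProcessSecurityPolicyImpl::GetInstance();
+const std::vector<base::FilePath>& file_paths =
+webkit_glue::FilePathsFromHistoryState(state);
+for (std::vector<base::FilePath>::const_iterator file = file_paths.begin();
+file != file_paths.end(); ++file) {
+if (!policy->CanReadFile(GetProcess()->GetID(), *file))
+return false;
+}
+return true;
+}
+
 } // namespace content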
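Review bot: `CanAccessFilesOfSerializedState` returns true whenever `webkit_glue::FilePathsFromHistoryState(state)` yields no paths, so the check is only as strict as that parser, which this page does not show. If the parser returns an empty vector for a state it cannot deserialize, a malformed renderer-supplied state would pass this gate at both call sites (`OnUpdateState` and the navigation handler whose start is outside the visible lines), so that contract should be confirmed and written down. I would add a comment above the helper such as `// Returns true only if every file path in |state| is already readable by this renderer; relies on FilePathsFromHistoryState() to extract all paths.` The two call-site comments would also read more clearly as `// ... filenames the renderer can't access ...`, since "it" is ambiguous there.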
