OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/renderer_host/render_view_host_impl.h" | 5 #include "content/browser/renderer_host/render_view_host_impl.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 #include <string> | 8 #include <string> |
9 #include <utility> | 9 #include <utility> |
10 #include <vector> | 10 #include <vector> |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
60 #include "content/public/common/result_codes.h" | 60 #include "content/public/common/result_codes.h" |
61 #include "content/public/common/url_constants.h" | 61 #include "content/public/common/url_constants.h" |
62 #include "net/base/net_util.h" | 62 #include "net/base/net_util.h" |
63 #include "net/url_request/url_request_context_getter.h" | 63 #include "net/url_request/url_request_context_getter.h" |
64 #include "third_party/skia/include/core/SkBitmap.h" | 64 #include "third_party/skia/include/core/SkBitmap.h" |
65 #include "ui/gfx/image/image_skia.h" | 65 #include "ui/gfx/image/image_skia.h" |
66 #include "ui/gfx/native_widget_types.h" | 66 #include "ui/gfx/native_widget_types.h" |
67 #include "ui/shell_dialogs/selected_file_info.h" | 67 #include "ui/shell_dialogs/selected_file_info.h" |
68 #include "ui/snapshot/snapshot.h" | 68 #include "ui/snapshot/snapshot.h" |
69 #include "webkit/fileapi/isolated_context.h" | 69 #include "webkit/fileapi/isolated_context.h" |
| 70 #include "webkit/glue/glue_serialize.h" |
70 #include "webkit/glue/webdropdata.h" | 71 #include "webkit/glue/webdropdata.h" |
71 #include "webkit/glue/webkit_glue.h" | 72 #include "webkit/glue/webkit_glue.h" |
72 | 73 |
73 #if defined(OS_WIN) | 74 #if defined(OS_WIN) |
74 #include "base/win/windows_version.h" | 75 #include "base/win/windows_version.h" |
75 #include "third_party/WebKit/Source/WebKit/chromium/public/win/WebScreenInfoFact
ory.h" | 76 #include "third_party/WebKit/Source/WebKit/chromium/public/win/WebScreenInfoFact
ory.h" |
76 #elif defined(OS_MACOSX) | 77 #elif defined(OS_MACOSX) |
77 #include "content/browser/renderer_host/popup_menu_helper_mac.h" | 78 #include "content/browser/renderer_host/popup_menu_helper_mac.h" |
78 #elif defined(OS_ANDROID) | 79 #elif defined(OS_ANDROID) |
79 #include "content/browser/android/media_player_manager_impl.h" | 80 #include "content/browser/android/media_player_manager_impl.h" |
(...skipping 1137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1217 FilterURL(policy, process, false, &validated_params.url); | 1218 FilterURL(policy, process, false, &validated_params.url); |
1218 FilterURL(policy, process, true, &validated_params.referrer.url); | 1219 FilterURL(policy, process, true, &validated_params.referrer.url); |
1219 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); | 1220 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); |
1220 it != validated_params.redirects.end(); ++it) { | 1221 it != validated_params.redirects.end(); ++it) { |
1221 FilterURL(policy, process, false, &(*it)); | 1222 FilterURL(policy, process, false, &(*it)); |
1222 } | 1223 } |
1223 FilterURL(policy, process, true, &validated_params.searchable_form_url); | 1224 FilterURL(policy, process, true, &validated_params.searchable_form_url); |
1224 FilterURL(policy, process, true, &validated_params.password_form.origin); | 1225 FilterURL(policy, process, true, &validated_params.password_form.origin); |
1225 FilterURL(policy, process, true, &validated_params.password_form.action); | 1226 FilterURL(policy, process, true, &validated_params.password_form.action); |
1226 | 1227 |
| 1228 // Without this check, the renderer can trick the browser into using |
| 1229 // filenames it can't access in a future session restore. |
| 1230 if (!CanAccessFilesOfSerializedState(validated_params.content_state)) { |
| 1231 GetProcess()->ReceivedBadMessage(); |
| 1232 return; |
| 1233 } |
| 1234 |
1227 delegate_->DidNavigate(this, validated_params); | 1235 delegate_->DidNavigate(this, validated_params); |
1228 } | 1236 } |
1229 | 1237 |
1230 void RenderViewHostImpl::OnUpdateState(int32 page_id, | 1238 void RenderViewHostImpl::OnUpdateState(int32 page_id, |
1231 const std::string& state) { | 1239 const std::string& state) { |
| 1240 // Without this check, the renderer can trick the browser into using |
| 1241 // filenames it can't access in a future session restore. |
| 1242 if (!CanAccessFilesOfSerializedState(state)) { |
| 1243 GetProcess()->ReceivedBadMessage(); |
| 1244 return; |
| 1245 } |
| 1246 |
1232 delegate_->UpdateState(this, page_id, state); | 1247 delegate_->UpdateState(this, page_id, state); |
1233 } | 1248 } |
1234 | 1249 |
1235 void RenderViewHostImpl::OnUpdateTitle( | 1250 void RenderViewHostImpl::OnUpdateTitle( |
1236 int32 page_id, | 1251 int32 page_id, |
1237 const string16& title, | 1252 const string16& title, |
1238 WebKit::WebTextDirection title_direction) { | 1253 WebKit::WebTextDirection title_direction) { |
1239 if (title.length() > kMaxTitleChars) { | 1254 if (title.length() > kMaxTitleChars) { |
1240 NOTREACHED() << "Renderer sent too many characters in title."; | 1255 NOTREACHED() << "Renderer sent too many characters in title."; |
1241 return; | 1256 return; |
(...skipping 793 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2035 // can cause navigations to be ignored in OnNavigate. | 2050 // can cause navigations to be ignored in OnNavigate. |
2036 is_waiting_for_beforeunload_ack_ = false; | 2051 is_waiting_for_beforeunload_ack_ = false; |
2037 is_waiting_for_unload_ack_ = false; | 2052 is_waiting_for_unload_ack_ = false; |
2038 has_timed_out_on_unload_ = false; | 2053 has_timed_out_on_unload_ = false; |
2039 } | 2054 } |
2040 | 2055 |
2041 void RenderViewHostImpl::ClearPowerSaveBlockers() { | 2056 void RenderViewHostImpl::ClearPowerSaveBlockers() { |
2042 STLDeleteValues(&power_save_blockers_); | 2057 STLDeleteValues(&power_save_blockers_); |
2043 } | 2058 } |
2044 | 2059 |
| 2060 bool RenderViewHostImpl::CanAccessFilesOfSerializedState( |
| 2061 const std::string& state) const { |
| 2062 ChildProcessSecurityPolicyImpl* policy = |
| 2063 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 2064 const std::vector<base::FilePath>& file_paths = |
| 2065 webkit_glue::FilePathsFromHistoryState(state); |
| 2066 for (std::vector<base::FilePath>::const_iterator file = file_paths.begin(); |
| 2067 file != file_paths.end(); ++file) { |
| 2068 if (!policy->CanReadFile(GetProcess()->GetID(), *file)) |
| 2069 return false; |
| 2070 } |
| 2071 return true; |
| 2072 } |
| 2073 |
2045 } // namespace content | 2074 } // namespace content |
OLD | NEW |