Check that the files the renderer wants to preserve as part of a session restore are already availa…

content/browser/renderer_host/render_view_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 49 matching lines @@
 #include "content/public/common/result_codes.h"
 #include "content/public/common/url_constants.h"
 #include "net/base/net_util.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 #include "ui/gfx/image/image_skia.h"
 #include "ui/gfx/native_widget_types.h"
 #include "ui/shell_dialogs/selected_file_info.h"
 #include "ui/snapshot/snapshot.h"
 #include "webkit/fileapi/isolated_context.h"
+#include "webkit/glue/glue_serialize.h"
 #include "webkit/glue/webdropdata.h"
 #include "webkit/glue/webkit_glue.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/win/WebScreenInfoFactory.h"
 #elif defined(OS_MACOSX)
 #include "content/browser/renderer_host/popup_menu_helper_mac.h"
 #elif defined(OS_ANDROID)
 #include "content/browser/android/media_player_manager_impl.h"
@@ skipping 1137 matching lines @@
   FilterURL(policy, process, false, &validated_params.url);
   FilterURL(policy, process, true, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
     FilterURL(policy, process, false, &(*it));
   }
   FilterURL(policy, process, true, &validated_params.searchable_form_url);
   FilterURL(policy, process, true, &validated_params.password_form.origin);
   FilterURL(policy, process, true, &validated_params.password_form.action);
 
+  // Without this check, the renderer can trick the browser into using
+  // filenames it can't access in a future session restore.
+  if (!CanAccessFilesOfSerializedState(validated_params.content_state)) {
+    GetProcess()->ReceivedBadMessage();
+    return;
+  }
+
   delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHostImpl::OnUpdateState(int32 page_id,
                                        const std::string& state) {
+  // Without this check, the renderer can trick the browser into using
+  // filenames it can't access in a future session restore.
+  if (!CanAccessFilesOfSerializedState(state)) {
+    GetProcess()->ReceivedBadMessage();
+    return;
+  }
+
   delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHostImpl::OnUpdateTitle(
     int32 page_id,
     const string16& title,
     WebKit::WebTextDirection title_direction) {
   if (title.length() > kMaxTitleChars) {
     NOTREACHED() << "Renderer sent too many characters in title.";
     return;
@@ skipping 793 matching lines @@
   // can cause navigations to be ignored in OnNavigate.
   is_waiting_for_beforeunload_ack_ = false;
   is_waiting_for_unload_ack_ = false;
   has_timed_out_on_unload_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
   STLDeleteValues(&power_save_blockers_);
 }
 
+bool RenderViewHostImpl::CanAccessFilesOfSerializedState(
+    const std::string& state) const {
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  const std::vector<base::FilePath>& file_paths =
+      webkit_glue::FilePathsFromHistoryState(state);
+  for (std::vector<base::FilePath>::const_iterator file = file_paths.begin();
+       file != file_paths.end(); ++file) {
+    if (!policy->CanReadFile(GetProcess()->GetID(), *file))
+      return false;
+  }
+  return true;
+}
+
 }  // namespace content