Chromium Code Reviews

Issue 1608573002: RDH: Block a compromised renderer from reusing request ids (Closed)

Created:
4 years, 11 months ago by gzobqq
Modified:
4 years, 10 months ago
Reviewers:
Charlie Reis, Mark P, mmenke
CC:
loading-reviews_chromium.org, darin-cc_chromium.org, jam, asvitkine+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Block a compromised renderer from reusing request ids.

BUG=578882

Committed: https://crrev.com/1af4fada49c4f3890f16daac31d38379a9d782b2
Cr-Commit-Position: refs/heads/master@{#372547}

Patch Set 1

Patch Set 2 : Fix resource_loader_unittest.cc

Total comments: 1

Patch Set 3 : Check pending_loaders_ and blocked_loaders_map_ instead

Patch Set 4 : Declaration order

Patch Set 5 : Add a test

Total comments: 8

Patch Set 6 : Address comments

Total comments: 12

Patch Set 7 : Rebase

Patch Set 8 : Address comments

Patch Set 9 : Rebase

Files changed (stats: +100 lines, -8 lines):

M content/browser/bad_message.h (1 chunk, +1 line, -0 lines)
M content/browser/loader/resource_dispatcher_host_impl.h (1 chunk, +2 lines, -0 lines)
M content/browser/loader/resource_dispatcher_host_impl.cc (2 chunks, +21 lines, -0 lines)
M content/browser/security_exploit_browsertest.cc (10 chunks, +75 lines, -8 lines)
M tools/metrics/histograms/histograms.xml (1 chunk, +1 line, -0 lines)

Messages

Total messages: 38 (11 generated)
gzobqq
mmenke, PTAL. This adds a request_ids_in_use_ set to RDH. It is used to validate that ...
4 years, 11 months ago (2016-01-19 14:11:16 UTC) #3
mmenke
On 2016/01/19 14:11:16, gzobqq wrote: > mmenke, PTAL. > > This adds a request_ids_in_use_ set ...
4 years, 11 months ago (2016-01-19 16:29:47 UTC) #4
mmenke
https://codereview.chromium.org/1608573002/diff/20001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/1608573002/diff/20001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1177 content/browser/loader/resource_dispatcher_host_impl.cc:1177: void ResourceDispatcherHostImpl::UpdateRequestForTransfer( BUG: This changes the id of a ...
4 years, 11 months ago (2016-01-19 20:30:31 UTC) #5
mmenke
So here's my suggestion: Check blocked_loaders_map_ and pending_loaders_. blocked_loaders_map_ should generally be empty, anyways, so ...
4 years, 11 months ago (2016-01-19 22:18:23 UTC) #6
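The check mmenke proposes above, written out as an added example that is not taken from this review or from Chromium: a toy ResourceDispatcherHost that keys loaders on (child_id, request_id), refuses a request whose id is still present in either pending_loaders_ or blocked_loaders_map_, and reports it as a bad message so the caller can kill the renderer. The class, the BeginResult enum, the RunScenarios driver and the sample URLs are constructed for illustration; only the member names echo the review.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Request ids are chosen by the renderer and are only unique per child
// process, so every lookup keys on the (child_id, request_id) pair.
struct GlobalRequestID {
  int child_id;
  int request_id;
  bool operator<(const GlobalRequestID& o) const {
    return std::tie(child_id, request_id) < std::tie(o.child_id, o.request_id);
  }
};

struct Loader {
  GlobalRequestID id;
  std::string url;
};

enum class BeginResult { kStarted, kBlocked, kBadMessageRequestIdReused };

// Toy stand-in for ResourceDispatcherHostImpl (assumption: not Chromium code).
class ToyResourceDispatcherHost {
 public:
  using RouteKey = std::pair<int, int>;  // (child_id, route_id)

  // Entry point for a request IPC. Every field is attacker-controlled once
  // the renderer is compromised, including the request id.
  BeginResult BeginRequest(int child_id, int route_id, int request_id,
                           const std::string& url) {
    // The fix under review: refuse an id that is still live, whether its loader
    // is in flight (pending_loaders_) or parked on a blocked route
    // (blocked_loaders_map_). Checking only the pending table would let a
    // renderer reuse the id of a parked loader; the two would collide on resume.
    if (IsRequestIdInUse(child_id, request_id))
      return BeginResult::kBadMessageRequestIdReused;  // caller kills the renderer

    auto loader = std::make_unique<Loader>(
        Loader{GlobalRequestID{child_id, request_id}, url});
    RouteKey route{child_id, route_id};
    if (blocked_routes_.count(route)) {
      blocked_loaders_map_[route].push_back(std::move(loader));
      return BeginResult::kBlocked;
    }
    pending_loaders_[GlobalRequestID{child_id, request_id}] = std::move(loader);
    return BeginResult::kStarted;
  }

  void BlockRequestsForRoute(int child_id, int route_id) {
    blocked_routes_.insert(RouteKey{child_id, route_id});
  }

  // Moves parked loaders into flight; their ids were reserved all along.
  void ResumeBlockedRequestsForRoute(int child_id, int route_id) {
    RouteKey route{child_id, route_id};
    blocked_routes_.erase(route);
    auto it = blocked_loaders_map_.find(route);
    if (it == blocked_loaders_map_.end()) return;
    for (auto& loader : it->second) {
      GlobalRequestID key = loader->id;
      pending_loaders_[key] = std::move(loader);
    }
    blocked_loaders_map_.erase(it);
  }

  // Completion frees the id. A well-behaved renderer may legitimately reuse it
  // afterwards, so the check must consult live state, not a permanent set.
  void RemovePendingRequest(int child_id, int request_id) {
    pending_loaders_.erase(GlobalRequestID{child_id, request_id});
  }

  size_t PendingCount() const { return pending_loaders_.size(); }

 private:
  bool IsRequestIdInUse(int child_id, int request_id) const {
    if (pending_loaders_.count(GlobalRequestID{child_id, request_id})) return true;
    for (const auto& entry : blocked_loaders_map_)
      for (const auto& loader : entry.second)
        if (loader->id.child_id == child_id && loader->id.request_id == request_id)
          return true;
    return false;
  }

  std::set<RouteKey> blocked_routes_;
  std::map<GlobalRequestID, std::unique_ptr<Loader>> pending_loaders_;
  std::map<RouteKey, std::vector<std::unique_ptr<Loader>>> blocked_loaders_map_;
};

// Replays the cases a browsertest for this change would cover; returns how many
// behaved as expected (7 when the check is correct). URLs are constructed.
int RunScenarios() {
  ToyResourceDispatcherHost rdh;
  int ok = 0;
  ok += rdh.BeginRequest(5, 1, 42, "https://a.example/") == BeginResult::kStarted;
  // Compromised renderer replays id 42 while it is pending: bad message.
  ok += rdh.BeginRequest(5, 1, 42, "https://b.example/") == BeginResult::kBadMessageRequestIdReused;
  // Same number from another child is a different GlobalRequestID: fine.
  ok += rdh.BeginRequest(6, 1, 42, "https://c.example/") == BeginResult::kStarted;
  // An id parked in blocked_loaders_map_ is live too and must be rejected.
  rdh.BlockRequestsForRoute(5, 2);
  ok += rdh.BeginRequest(5, 2, 7, "https://d.example/") == BeginResult::kBlocked;
  ok += rdh.BeginRequest(5, 3, 7, "https://e.example/") == BeginResult::kBadMessageRequestIdReused;
  rdh.ResumeBlockedRequestsForRoute(5, 2);  // still in use after resume
  ok += rdh.BeginRequest(5, 3, 7, "https://f.example/") == BeginResult::kBadMessageRequestIdReused;
  rdh.RemovePendingRequest(5, 42);          // freed after completion
  ok += rdh.BeginRequest(5, 1, 42, "https://g.example/") == BeginResult::kStarted;
  return ok;
}

int main() {
  int passed = RunScenarios();
  std::printf("%d/7 scenarios behaved as expected\n", passed);
  return passed == 7 ? 0 : 1;
}
```

The point of scanning both tables rather than keeping a separate request_ids_in_use_ set (the approach in Patch Set 1) is that the tables already are the authoritative record of which ids are live, so the check cannot drift out of sync with them when a loader is transferred, blocked, resumed or completed.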
gzobqq
On 2016/01/19 20:30:31, mmenke wrote: > https://codereview.chromium.org/1608573002/diff/20001/content/browser/loader/resource_dispatcher_host_impl.cc > File content/browser/loader/resource_dispatcher_host_impl.cc (right): > > https://codereview.chromium.org/1608573002/diff/20001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1177 > ...
4 years, 11 months ago (2016-01-20 05:51:01 UTC) #7
mmenke
On 2016/01/20 05:51:01, gzobqq wrote: > On 2016/01/19 20:30:31, mmenke wrote: > > > https://codereview.chromium.org/1608573002/diff/20001/content/browser/loader/resource_dispatcher_host_impl.cc ...
4 years, 11 months ago (2016-01-20 15:38:23 UTC) #8
mmenke
On 2016/01/20 15:38:23, mmenke wrote: > On 2016/01/20 05:51:01, gzobqq wrote: > > On 2016/01/19 ...
4 years, 11 months ago (2016-01-20 15:41:44 UTC) #9
gzobqq
On 2016/01/20 15:41:44, mmenke wrote: > On 2016/01/20 15:38:23, mmenke wrote: > > On 2016/01/20 ...
4 years, 11 months ago (2016-01-20 18:57:48 UTC) #10
mmenke
On 2016/01/20 18:57:48, gzobqq wrote: > On 2016/01/20 15:41:44, mmenke wrote: > > On 2016/01/20 ...
4 years, 11 months ago (2016-01-21 16:32:34 UTC) #11
gzobqq
On 2016/01/21 16:32:34, mmenke wrote: > On 2016/01/20 18:57:48, gzobqq wrote: > > On 2016/01/20 ...
4 years, 11 months ago (2016-01-21 17:34:33 UTC) #12
mmenke
On 2016/01/21 17:34:33, gzobqq wrote: > On 2016/01/21 16:32:34, mmenke wrote: > > On 2016/01/20 ...
4 years, 11 months ago (2016-01-25 20:08:31 UTC) #13
gzobqq
On 2016/01/25 20:08:31, mmenke wrote: > On 2016/01/21 17:34:33, gzobqq wrote: > > On 2016/01/21 ...
4 years, 11 months ago (2016-01-26 10:07:46 UTC) #14
gzobqq
On 2016/01/26 10:07:46, gzobqq wrote: > On 2016/01/25 20:08:31, mmenke wrote: > > On 2016/01/21 ...
4 years, 10 months ago (2016-01-28 14:35:37 UTC) #15
mmenke
Thanks for the test! The looks good, just a few minor things. To reduce round-trips, ...
4 years, 10 months ago (2016-01-28 16:20:08 UTC) #16
gzobqq
mmenke, PTAL creis, PTAL at security_exploit_browsertest.cc and bad_message.h mpearson, PTAL at histograms.xml Thanks. https://codereview.chromium.org/1608573002/diff/80001/content/browser/security_exploit_browsertest.cc File ...
4 years, 10 months ago (2016-01-28 20:21:17 UTC) #18
Mark P
histograms.xml lgtm
4 years, 10 months ago (2016-01-28 21:09:35 UTC) #19
mmenke
LGTM, just two nits. Thanks again both for catching this, and for the fix! https://codereview.chromium.org/1608573002/diff/100001/content/browser/security_exploit_browsertest.cc ...
4 years, 10 months ago (2016-01-28 21:12:33 UTC) #20
Charlie Reis
Thanks! content/ LGTM with nits. https://codereview.chromium.org/1608573002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/1608573002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1177 content/browser/loader/resource_dispatcher_host_impl.cc:1177: for (BlockedLoadersMap::const_iterator iter = ...
4 years, 10 months ago (2016-01-28 22:05:17 UTC) #21
gzobqq
https://codereview.chromium.org/1608573002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/1608573002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1177 content/browser/loader/resource_dispatcher_host_impl.cc:1177: for (BlockedLoadersMap::const_iterator iter = blocked_loaders_map_.begin(); On 2016/01/28 22:05:16, Charlie ...
4 years, 10 months ago (2016-01-30 07:18:58 UTC) #22
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1608573002/140001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1608573002/140001
4 years, 10 months ago (2016-01-30 07:24:22 UTC) #24
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: mac_chromium_compile_dbg_ng on tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/152629) mac_chromium_gn_rel on ...
4 years, 10 months ago (2016-01-30 07:26:34 UTC) #26
gzobqq
bad_message.h is moving faster than I can manage to rebase and recompile :)
4 years, 10 months ago (2016-01-30 07:38:48 UTC) #27
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1608573002/160001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1608573002/160001
4 years, 10 months ago (2016-01-30 07:52:55 UTC) #29
commit-bot: I haz the power
Dry run: This issue passed the CQ dry run.
4 years, 10 months ago (2016-01-30 09:08:49 UTC) #31
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1608573002/160001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1608573002/160001
4 years, 10 months ago (2016-01-30 13:02:53 UTC) #34
commit-bot: I haz the power
Committed patchset #9 (id:160001)
4 years, 10 months ago (2016-01-30 13:07:18 UTC) #36
commit-bot: I haz the power
Message was sent while issue was closed.
Patchset 9 (id:??) landed as
https://crrev.com/1af4fada49c4f3890f16daac31d38379a9d782b2
Cr-Commit-Position: refs/heads/master@{#372547}
4 years, 10 months ago (2016-01-30 13:08:10 UTC) #38
