Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(818)

Unified Diff: content/browser/security_exploit_browsertest.cc

Issue 1608573002: RDH: Block a compromised renderer from reusing request ids (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebase Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/browser/loader/resource_dispatcher_host_impl.cc ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/browser/security_exploit_browsertest.cc
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index c515609c576f74cf8fbc60f1a6e8de11c3a19e90..6714e9a086a737607f6947d6fdf8d1608742ee9e 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -23,6 +23,7 @@
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/interstitial_page.h"
#include "content/public/browser/interstitial_page_delegate.h"
+#include "content/public/browser/resource_dispatcher_host.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/common/appcache_info.h"
#include "content/public/common/browser_side_navigation_policy.h"
@@ -37,6 +38,7 @@
#include "ipc/ipc_security_test_util.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/url_request/url_request_slow_download_job.h"
using IPC::IpcSecurityTestUtil;
@@ -44,6 +46,11 @@ namespace content {
namespace {
+// This request id is used by tests that craft a
+// ResourceHostMsg_RequestResource. The id is sufficiently large that it doesn't
+// collide with ids used by previous navigation requests.
+const int kRequestIdNotPreviouslyUsed = 10000;
+
// This is a helper function for the tests which attempt to create a
// duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
// with the same process and routing ids, which causes a collision.
@@ -98,13 +105,11 @@ RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
return next_rfh->render_view_host();
}
-ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
+ResourceHostMsg_Request CreateXHRRequest(const char* url) {
ResourceHostMsg_Request request;
request.method = "GET";
- request.url = GURL("http://bar.com/simple_page.html");
- request.first_party_for_cookies = GURL(origin);
+ request.url = GURL(url);
request.referrer_policy = blink::WebReferrerPolicyDefault;
- request.headers = base::StringPrintf("Origin: %s\r\n", origin);
request.load_flags = 0;
request.origin_pid = 0;
request.resource_type = RESOURCE_TYPE_XHR;
@@ -120,6 +125,49 @@ ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
return request;
}
+ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
+ ResourceHostMsg_Request request =
+ CreateXHRRequest("http://bar.com/simple_page.html");
+ request.first_party_for_cookies = GURL(origin);
+ request.headers = base::StringPrintf("Origin: %s\r\n", origin);
+ return request;
+}
+
+void TryCreateDuplicateRequestIds(Shell* shell, bool block_loaders) {
+ NavigateToURL(shell, GURL("http://foo.com/simple_page.html"));
+ RenderFrameHost* rfh = shell->web_contents()->GetMainFrame();
+
+ if (block_loaders) {
+ // Test the case where loaders are placed into blocked_loaders_map_.
+ int child_id = rfh->GetProcess()->GetID();
+ BrowserThread::PostTask(
+ BrowserThread::IO, FROM_HERE,
+ base::Bind(&ResourceDispatcherHost::BlockRequestsForRoute,
+ base::Unretained(ResourceDispatcherHost::Get()), child_id,
+ rfh->GetRoutingID()));
+ }
+
+ // URLRequestSlowDownloadJob waits for another request to kFinishDownloadUrl
+ // to finish all pending requests. It is never sent, so the following URL
+ // blocks indefinitely, which is good because the request stays alive and the
+ // test can try to reuse the request id without a race.
+ const char* blocking_url = net::URLRequestSlowDownloadJob::kUnknownSizeUrl;
+ ResourceHostMsg_Request request(CreateXHRRequest(blocking_url));
+
+ // Use the same request id twice.
+ RenderProcessHostWatcher process_killed(
+ rfh->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+ IPC::IpcSecurityTestUtil::PwnMessageReceived(
+ rfh->GetProcess()->GetChannel(),
+ ResourceHostMsg_RequestResource(rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed, request));
+ IPC::IpcSecurityTestUtil::PwnMessageReceived(
+ rfh->GetProcess()->GetChannel(),
+ ResourceHostMsg_RequestResource(rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed, request));
+ process_killed.Wait();
+}
+
} // namespace
@@ -145,6 +193,12 @@ class SecurityExploitBrowserTest : public ContentBrowserTest {
",EXCLUDE localhost");
}
+ void SetUpOnMainThread() override {
+ BrowserThread::PostTask(
+ BrowserThread::IO, FROM_HERE,
+ base::Bind(&net::URLRequestSlowDownloadJob::AddUrlHandler));
+ }
+
protected:
// Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
// cause renderer to be killed.
@@ -384,7 +438,8 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
IPC::IpcSecurityTestUtil::PwnMessageReceived(
web_rfh->GetProcess()->GetChannel(),
- ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+ ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed,
chrome_origin_msg));
web_process_killed.Wait();
}
@@ -404,7 +459,8 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
IPC::IpcSecurityTestUtil::PwnMessageReceived(
web_rfh->GetProcess()->GetChannel(),
- ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+ ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed,
embedder_isolated_origin_msg));
web_process_killed.Wait();
SetBrowserClientForTesting(old_client);
@@ -418,7 +474,8 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
IPC::IpcSecurityTestUtil::PwnMessageReceived(
web_rfh->GetProcess()->GetChannel(),
- ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+ ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed,
invalid_origin_msg));
web_process_killed.Wait();
}
@@ -431,10 +488,20 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
IPC::IpcSecurityTestUtil::PwnMessageReceived(
web_rfh->GetProcess()->GetChannel(),
- ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+ ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(),
+ kRequestIdNotPreviouslyUsed,
invalid_scheme_origin_msg));
web_process_killed.Wait();
}
}
+// Renderer process should not be able to create multiple requests with the same
+// id.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidRequestId) {
+ // Existing loader in pending_loaders_.
+ TryCreateDuplicateRequestIds(shell(), false);
+ // Existing loader in blocked_loaders_map_.
+ TryCreateDuplicateRequestIds(shell(), true);
+}
+
} // namespace content
« no previous file with comments | « content/browser/loader/resource_dispatcher_host_impl.cc ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698