| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/frame_host/render_frame_host_impl.h" | 5 #include "content/browser/frame_host/render_frame_host_impl.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/command_line.h" | |
| 10 #include "base/containers/hash_tables.h" | 11 #include "base/containers/hash_tables.h" |
| 11 #include "base/lazy_instance.h" | 12 #include "base/lazy_instance.h" |
| 12 #include "base/metrics/histogram.h" | 13 #include "base/metrics/histogram.h" |
| 13 #include "base/process/kill.h" | 14 #include "base/process/kill.h" |
| 14 #include "base/time/time.h" | 15 #include "base/time/time.h" |
| 15 #include "build/build_config.h" | 16 #include "build/build_config.h" |
| 16 #include "content/browser/accessibility/accessibility_mode_helper.h" | 17 #include "content/browser/accessibility/accessibility_mode_helper.h" |
| 17 #include "content/browser/accessibility/ax_tree_id_registry.h" | 18 #include "content/browser/accessibility/ax_tree_id_registry.h" |
| 18 #include "content/browser/accessibility/browser_accessibility_manager.h" | 19 #include "content/browser/accessibility/browser_accessibility_manager.h" |
| 19 #include "content/browser/accessibility/browser_accessibility_state_impl.h" | 20 #include "content/browser/accessibility/browser_accessibility_state_impl.h" |
| 64 #include "content/public/browser/browser_thread.h" | 65 #include "content/public/browser/browser_thread.h" |
| 65 #include "content/public/browser/content_browser_client.h" | 66 #include "content/public/browser/content_browser_client.h" |
| 66 #include "content/public/browser/permission_manager.h" | 67 #include "content/public/browser/permission_manager.h" |
| 67 #include "content/public/browser/permission_type.h" | 68 #include "content/public/browser/permission_type.h" |
| 68 #include "content/public/browser/render_process_host.h" | 69 #include "content/public/browser/render_process_host.h" |
| 69 #include "content/public/browser/render_widget_host_view.h" | 70 #include "content/public/browser/render_widget_host_view.h" |
| 70 #include "content/public/browser/stream_handle.h" | 71 #include "content/public/browser/stream_handle.h" |
| 71 #include "content/public/browser/user_metrics.h" | 72 #include "content/public/browser/user_metrics.h" |
| 72 #include "content/public/common/browser_side_navigation_policy.h" | 73 #include "content/public/common/browser_side_navigation_policy.h" |
| 73 #include "content/public/common/content_constants.h" | 74 #include "content/public/common/content_constants.h" |
| 75 #include "content/public/common/content_switches.h" | |
| 74 #include "content/public/common/isolated_world_ids.h" | 76 #include "content/public/common/isolated_world_ids.h" |
| 75 #include "content/public/common/url_constants.h" | 77 #include "content/public/common/url_constants.h" |
| 76 #include "content/public/common/url_utils.h" | 78 #include "content/public/common/url_utils.h" |
| 77 #include "ui/accessibility/ax_tree.h" | 79 #include "ui/accessibility/ax_tree.h" |
| 78 #include "ui/accessibility/ax_tree_update.h" | 80 #include "ui/accessibility/ax_tree_update.h" |
| 79 #include "url/gurl.h" | 81 #include "url/gurl.h" |
| 80 | 82 |
| 81 #if defined(OS_ANDROID) | 83 #if defined(OS_ANDROID) |
| 82 #include "content/browser/mojo/service_registrar_android.h" | 84 #include "content/browser/mojo/service_registrar_android.h" |
| 83 #endif | 85 #endif |
| 985 | 987 |
| 986 // Attempts to commit certain off-limits URL should be caught more strictly | 988 // Attempts to commit certain off-limits URL should be caught more strictly |
| 987 // than our FilterURL checks below. If a renderer violates this policy, it | 989 // than our FilterURL checks below. If a renderer violates this policy, it |
| 988 // should be killed. | 990 // should be killed. |
| 989 if (!CanCommitURL(validated_params.url)) { | 991 if (!CanCommitURL(validated_params.url)) { |
| 990 VLOG(1) << "Blocked URL " << validated_params.url.spec(); | 992 VLOG(1) << "Blocked URL " << validated_params.url.spec(); |
| 991 validated_params.url = GURL(url::kAboutBlankURL); | 993 validated_params.url = GURL(url::kAboutBlankURL); |
| 992 // Kills the process. | 994 // Kills the process. |
| 993 bad_message::ReceivedBadMessage(process, | 995 bad_message::ReceivedBadMessage(process, |
| 994 bad_message::RFH_CAN_COMMIT_URL_BLOCKED); | 996 bad_message::RFH_CAN_COMMIT_URL_BLOCKED); |
| 997 return; | |
| 998 } | |
| 999 | |
| 1000 // Verify that the origin passed from the renderer process is valid and can | |
| 1001 // be allowed to commit in this RenderFrameHost. | |
| 1002 if (!CanCommitOrigin(validated_params.url, validated_params.origin)) { | |
| 1003 bad_message::ReceivedBadMessage(GetProcess(), | |
| 1004 bad_message::RFH_INVALID_ORIGIN_ON_COMMIT); | |
| 1005 return; | |
| 995 } | 1006 } |
| 996 | 1007 |
| 997 // Without this check, an evil renderer can trick the browser into creating | 1008 // Without this check, an evil renderer can trick the browser into creating |
| 998 // a navigation entry for a banned URL. If the user clicks the back button | 1009 // a navigation entry for a banned URL. If the user clicks the back button |
| 999 // followed by the forward button (or clicks reload, or round-trips through | 1010 // followed by the forward button (or clicks reload, or round-trips through |
| 1000 // session restore, etc), we'll think that the browser commanded the | 1011 // session restore, etc), we'll think that the browser commanded the |
| 1001 // renderer to load the URL and grant the renderer the privileges to request | 1012 // renderer to load the URL and grant the renderer the privileges to request |
| 1002 // the URL. To prevent this attack, we block the renderer from inserting | 1013 // the URL. To prevent this attack, we block the renderer from inserting |
| 1003 // banned URLs into the navigation controller in the first place. | 1014 // banned URLs into the navigation controller in the first place. |
| 1004 process->FilterURL(false, &validated_params.url); | 1015 process->FilterURL(false, &validated_params.url); |
| 1923 | 1934 |
| 1924 bool RenderFrameHostImpl::CanCommitURL(const GURL& url) { | 1935 bool RenderFrameHostImpl::CanCommitURL(const GURL& url) { |
| 1925 // TODO(creis): We should also check for WebUI pages here. Also, when the | 1936 // TODO(creis): We should also check for WebUI pages here. Also, when the |
| 1926 // out-of-process iframes implementation is ready, we should check for | 1937 // out-of-process iframes implementation is ready, we should check for |
| 1927 // cross-site URLs that are not allowed to commit in this process. | 1938 // cross-site URLs that are not allowed to commit in this process. |
| 1928 | 1939 |
| 1929 // Give the client a chance to disallow URLs from committing. | 1940 // Give the client a chance to disallow URLs from committing. |
| 1930 return GetContentClient()->browser()->CanCommitURL(GetProcess(), url); | 1941 return GetContentClient()->browser()->CanCommitURL(GetProcess(), url); |
| 1931 } | 1942 } |
| 1932 | 1943 |
| 1944 bool RenderFrameHostImpl::CanCommitOrigin( | |
| 1945 const GURL& url, | |
| 1946 const url::Origin& origin) { | |
| 1947 // If the --disable-web-security flag is specified, all bets are off and the | |
| 1948 // renderer process can send any origin it wishes. | |
| 1949 if (base::CommandLine::ForCurrentProcess()->HasSwitch( | |
| 1950 switches::kDisableWebSecurity)) { | |
| 1951 return true; | |
| 1952 } | |
| 1953 | |
| 1954 // file: URLs can be allowed to access any other origin, based on settings. | |
| 1955 if (origin.scheme() == url::kFileScheme) { | |
| 1956 WebPreferences prefs = render_view_host_->GetWebkitPreferences(); | |
| 1957 if (prefs.allow_universal_access_from_file_urls) | |
| 1958 return true; | |
| 1959 } | |
| 1960 | |
| 1961 // It is safe to commit into a unique origin, regardless of the URL, as it is | |
| 1962 // restricted from accessing other origins. | |
| 1963 if (origin.unique()) | |
| 1964 return true; | |
| 1965 | |
| 1966 // Non-unique origin must be a valid URL, which allows us to safely do a | |
|
Charlie Reis
2016/03/10 22:28:02
nit: A non-unique origin
nasko
2016/03/11 00:19:37
Done.
| |
| 1967 // conversion to GURL. | |
| 1968 GURL origin_url(origin.Serialize()); | |
| 1969 | |
| 1970 // Standard URLs can be safely converted to an origin, but not vice-versa. | |
| 1971 // If the actual URL is not standard, check the origin URL whether it is | |
| 1972 // allowed to commit. | |
| 1973 // Note: This handles cases such as 'about:blank', data and blob URLs. | |
| 1974 if (!url.IsStandard()) | |
| 1975 return CanCommitURL(origin_url); | |
| 1976 | |
| 1977 // Standard URLs must match the reported origin. | |
| 1978 if (!origin.IsSameOriginWith(url::Origin(url))) | |
| 1979 return false; | |
| 1980 | |
| 1981 return CanCommitURL(origin_url); | |
|
Charlie Reis
2016/03/10 22:28:02
Feels weird to call CanCommitURL twice. Maybe we
nasko
2016/03/11 00:19:37
Done.
| |
| 1982 } | |
| 1983 | |
| 1933 void RenderFrameHostImpl::Navigate( | 1984 void RenderFrameHostImpl::Navigate( |
| 1934 const CommonNavigationParams& common_params, | 1985 const CommonNavigationParams& common_params, |
| 1935 const StartNavigationParams& start_params, | 1986 const StartNavigationParams& start_params, |
| 1936 const RequestNavigationParams& request_params) { | 1987 const RequestNavigationParams& request_params) { |
| 1937 TRACE_EVENT0("navigation", "RenderFrameHostImpl::Navigate"); | 1988 TRACE_EVENT0("navigation", "RenderFrameHostImpl::Navigate"); |
| 1938 DCHECK(!IsBrowserSideNavigationEnabled()); | 1989 DCHECK(!IsBrowserSideNavigationEnabled()); |
| 1939 | 1990 |
| 1940 UpdatePermissionsForNavigation(common_params, request_params); | 1991 UpdatePermissionsForNavigation(common_params, request_params); |
| 1941 | 1992 |
| 1942 // Only send the message if we aren't suspended at the start of a cross-site | 1993 // Only send the message if we aren't suspended at the start of a cross-site |
| 2631 *dst = src; | 2682 *dst = src; |
| 2632 | 2683 |
| 2633 if (src.routing_id != -1) | 2684 if (src.routing_id != -1) |
| 2634 dst->tree_id = RoutingIDToAXTreeID(src.routing_id); | 2685 dst->tree_id = RoutingIDToAXTreeID(src.routing_id); |
| 2635 | 2686 |
| 2636 if (src.parent_routing_id != -1) | 2687 if (src.parent_routing_id != -1) |
| 2637 dst->parent_tree_id = RoutingIDToAXTreeID(src.parent_routing_id); | 2688 dst->parent_tree_id = RoutingIDToAXTreeID(src.parent_routing_id); |
| 2638 } | 2689 } |
| 2639 | 2690 |
| 2640 } // namespace content | 2691 } // namespace content |
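Review bot: With the new `return;` at new-side line 997, the preceding `validated_params.url = GURL(url::kAboutBlankURL);` has become a dead store if validated_params is the local copy its name suggests, since nothing reads it before the early exit; either drop that line or add a comment saying why it is kept. The new CanCommitOrigin block directly below it calls `GetProcess()` where the block above uses the already-fetched local `process`; using `process` in both keeps the two bad-message paths consistent. In CanCommitOrigin (new-side 1944–1982) the file: exemption is decided on the scheme of the renderer-reported origin alone, so a comment such as `// NOTE: |origin| is renderer-supplied; this exemption is only reachable when allow_universal_access_from_file_urls is set` would make the trust boundary explicit, and it is worth confirming whether the exemption should additionally require |url| to be a file: or non-standard URL. The enclosing OnDidCommitProvisionalLoad hunk starts and ends outside the visible lines.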