
Side by Side Diff: content/browser/security_exploit_browsertest.cc

Issue 1775543002: Validate params.origin in the browser process at commit time. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixes based on Charlie's review. Created 4 years, 9 months ago
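--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/macros.h"
 #include "base/strings/utf_string_conversions.h"
@@ -27,20 +27,21 @@
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/appcache_info.h"
 #include "content/public/common/browser_side_navigation_policy.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/file_chooser_params.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "content/shell/browser/shell.h"
+#include "content/test/content_browser_test_utils_internal.h"
 #include "content/test/test_content_browser_client.h"
 #include "ipc/ipc_security_test_util.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/url_request/url_request_slow_download_job.h"
 
 using IPC::IpcSecurityTestUtil;
 
 namespace content {
 
@@ -492,11 +493,67 @@
 
 // Renderer process should not be able to create multiple requests with the same
 // id.
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidRequestId) {
   // Existing loader in pending_loaders_.
   TryCreateDuplicateRequestIds(shell(), false);
   // Existing loader in blocked_loaders_map_.
   TryCreateDuplicateRequestIds(shell(), true);
 }
 
+// Test that receiving a commit with incorrect origin properly terminates the
+// renderer process.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MismatchedOriginOnCommit) {
+  GURL start_url(embedded_test_server()->GetURL("/title1.html"));
+  EXPECT_TRUE(NavigateToURL(shell(), start_url));
+
+  FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+                            ->GetFrameTree()
+                            ->root();
+
+  // Setup an URL which will never commit, allowing this test to send its own,
+  // malformed, commit message.
+  GURL url(embedded_test_server()->GetURL("/title2.html"));
+  NavigationStallDelegate stall_delegate(url);
+  ResourceDispatcherHost::Get()->SetDelegate(&stall_delegate);
+
+  // Use LoadURL, as the test shouldn't wait for navigation commit.
+  NavigationController& controller = shell()->web_contents()->GetController();
+  controller.LoadURL(url, Referrer(), ui::PAGE_TRANSITION_LINK, std::string());
+  EXPECT_NE(nullptr, controller.GetPendingEntry());
+  EXPECT_EQ(url, controller.GetPendingEntry()->GetURL());
+
+  RenderProcessHostWatcher exit_observer(
+      root->current_frame_host()->GetProcess(),
+      RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+  // Create commit params with different origins in params.url and
+  // params.origin.
+  FrameHostMsg_DidCommitProvisionalLoad_Params params;
+  params.page_id = 0;
+  params.nav_entry_id = 0;
+  params.did_create_new_entry = false;
+  params.url = url;
+  params.transition = ui::PAGE_TRANSITION_LINK;
+  params.should_update_history = false;
+  params.gesture = NavigationGestureAuto;
+  params.was_within_same_page = false;
+  params.is_post = false;
+  params.page_state = PageState::CreateFromURL(url);
+  params.origin = url::Origin(GURL("http://bar.com/"));
+
+  FrameHostMsg_DidCommitProvisionalLoad msg(
+      root->current_frame_host()->routing_id(), params);
+  IPC::IpcSecurityTestUtil::PwnMessageReceived(
+      root->current_frame_host()->GetProcess()->GetChannel(), msg);
+
+  // When the IPC message is received and validation fails, the process is
+  // terminated. However, the notification for that should be processed in a
+  // separate task of the message loop, so ensure that the process is still
+  // considered alive.
+  EXPECT_TRUE(root->current_frame_host()->GetProcess()->HasConnection());
+
+  exit_observer.Wait();
+  EXPECT_FALSE(exit_observer.did_exit_normally());
+}
+
 }  // namespace content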
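Review bot: `ResourceDispatcherHost::Get()->SetDelegate(&stall_delegate);` in MismatchedOriginOnCommit installs a pointer to a stack-local `NavigationStallDelegate`, and nothing in the hunk resets it before the test body returns, so a dispatcher host that outlives the test function (which it presumably does, living for the whole browser test) is left holding a dangling delegate until teardown. Add `ResourceDispatcherHost::Get()->SetDelegate(nullptr);` after `exit_observer.Wait();`, or wrap install/reset in a small scoped helper so an early EXPECT failure cannot skip the cleanup. The hunk also only exercises the rejecting path; a sibling test that sends a commit whose params.origin agrees with params.url and asserts the process is still alive would guard the new browser-side check against rejecting legitimate commits. The `HasConnection()` expectation right after `PwnMessageReceived` depends on the kill notification arriving in a later task, as the comment states; a short comment that the expectation exists to pin that ordering would make a future flake easier to diagnose.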
