OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stdint.h> | 5 #include <stdint.h> |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/containers/hash_tables.h" | 8 #include "base/containers/hash_tables.h" |
9 #include "base/macros.h" | 9 #include "base/macros.h" |
10 #include "base/strings/utf_string_conversions.h" | 10 #include "base/strings/utf_string_conversions.h" |
(...skipping 177 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
188 ",EXCLUDE localhost"); | 188 ",EXCLUDE localhost"); |
189 } | 189 } |
190 | 190 |
191 void SetUpOnMainThread() override { | 191 void SetUpOnMainThread() override { |
192 BrowserThread::PostTask( | 192 BrowserThread::PostTask( |
193 BrowserThread::IO, FROM_HERE, | 193 BrowserThread::IO, FROM_HERE, |
194 base::Bind(&net::URLRequestSlowDownloadJob::AddUrlHandler)); | 194 base::Bind(&net::URLRequestSlowDownloadJob::AddUrlHandler)); |
195 } | 195 } |
196 | 196 |
197 protected: | 197 protected: |
198 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will | 198 // Tests that a given file path sent in a FrameHostMsg_RunFileChooser will |
199 // cause renderer to be killed. | 199 // cause renderer to be killed. |
200 void TestFileChooserWithPath(const base::FilePath& path); | 200 void TestFileChooserWithPath(const base::FilePath& path); |
201 }; | 201 }; |
202 | 202 |
203 void SecurityExploitBrowserTest::TestFileChooserWithPath( | 203 void SecurityExploitBrowserTest::TestFileChooserWithPath( |
204 const base::FilePath& path) { | 204 const base::FilePath& path) { |
205 GURL foo("http://foo.com/simple_page.html"); | 205 GURL foo("http://foo.com/simple_page.html"); |
206 NavigateToURL(shell(), foo); | 206 NavigateToURL(shell(), foo); |
207 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle()); | 207 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle()); |
208 | 208 |
209 RenderViewHost* compromised_renderer = | 209 RenderFrameHost* compromised_renderer = |
210 shell()->web_contents()->GetRenderViewHost(); | 210 shell()->web_contents()->GetMainFrame(); |
211 RenderProcessHostWatcher terminated( | 211 RenderProcessHostWatcher terminated( |
212 shell()->web_contents(), | 212 shell()->web_contents(), |
213 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); | 213 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
214 | 214 |
215 FileChooserParams params; | 215 FileChooserParams params; |
216 params.default_file_name = path; | 216 params.default_file_name = path; |
217 | 217 |
218 ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params); | 218 FrameHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), |
| 219 params); |
219 | 220 |
220 IpcSecurityTestUtil::PwnMessageReceived( | 221 IpcSecurityTestUtil::PwnMessageReceived( |
221 compromised_renderer->GetProcess()->GetChannel(), evil); | 222 compromised_renderer->GetProcess()->GetChannel(), evil); |
222 terminated.Wait(); | 223 terminated.Wait(); |
223 } | 224 } |
224 | 225 |
225 // Ensure that we kill the renderer process if we try to give it WebUI | 226 // Ensure that we kill the renderer process if we try to give it WebUI |
226 // properties and it doesn't have enabled WebUI bindings. | 227 // properties and it doesn't have enabled WebUI bindings. |
227 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { | 228 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { |
228 GURL foo("http://foo.com/simple_page.html"); | 229 GURL foo("http://foo.com/simple_page.html"); |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
288 // Since this test executes on the UI thread and hopping threads might cause | 289 // Since this test executes on the UI thread and hopping threads might cause |
289 // different timing in the test, let's simulate a CreateNewWidget call coming | 290 // different timing in the test, let's simulate a CreateNewWidget call coming |
290 // from the IO thread. Use the existing window routing id to cause a | 291 // from the IO thread. Use the existing window routing id to cause a |
291 // deliberate collision. | 292 // deliberate collision. |
292 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypePage); | 293 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypePage); |
293 | 294 |
294 // If the above operation doesn't crash, the test has succeeded! | 295 // If the above operation doesn't crash, the test has succeeded! |
295 } | 296 } |
296 | 297 |
297 // This is a test for crbug.com/444198. It tries to send a | 298 // This is a test for crbug.com/444198. It tries to send a |
298 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should | 299 // FrameHostMsg_RunFileChooser containing an invalid path. The browser should |
299 // correctly terminate the renderer in these cases. | 300 // correctly terminate the renderer in these cases. |
300 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) { | 301 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) { |
301 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt"))); | 302 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt"))); |
302 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf"))); | 303 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf"))); |
303 #if defined(OS_WIN) | 304 #if defined(OS_WIN) |
304 TestFileChooserWithPath( | 305 TestFileChooserWithPath( |
305 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt"))); | 306 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt"))); |
306 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt"))); | 307 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt"))); |
307 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt"))); | 308 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt"))); |
308 #endif | 309 #endif |
(...skipping 240 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
549 // separate task of the message loop, so ensure that the process is still | 550 // separate task of the message loop, so ensure that the process is still |
550 // considered alive. | 551 // considered alive. |
551 EXPECT_TRUE(root->current_frame_host()->GetProcess()->HasConnection()); | 552 EXPECT_TRUE(root->current_frame_host()->GetProcess()->HasConnection()); |
552 | 553 |
553 exit_observer.Wait(); | 554 exit_observer.Wait(); |
554 EXPECT_FALSE(exit_observer.did_exit_normally()); | 555 EXPECT_FALSE(exit_observer.did_exit_normally()); |
555 ResourceDispatcherHost::Get()->SetDelegate(nullptr); | 556 ResourceDispatcherHost::Get()->SetDelegate(nullptr); |
556 } | 557 } |
557 | 558 |
558 } // namespace content | 559 } // namespace content |
OLD | NEW |