Index: content/browser/frame_host/render_frame_host_impl.cc |
diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc |
index 7277881884ce4e4c0de2efdce2e64a7cff8bd09b..75086e878234442c32f6f002e6ce8d79432d4298 100644 |
--- a/content/browser/frame_host/render_frame_host_impl.cc |
+++ b/content/browser/frame_host/render_frame_host_impl.cc |
@@ -71,6 +71,7 @@ |
#include "content/public/browser/permission_type.h" |
#include "content/public/browser/render_process_host.h" |
#include "content/public/browser/render_widget_host_view.h" |
+#include "content/public/browser/storage_partition.h" |
#include "content/public/browser/stream_handle.h" |
#include "content/public/browser/user_metrics.h" |
#include "content/public/common/browser_side_navigation_policy.h" |
@@ -548,6 +549,7 @@ bool RenderFrameHostImpl::OnMessageReceived(const IPC::Message &msg) { |
OnRunJavaScriptMessage) |
IPC_MESSAGE_HANDLER_DELAY_REPLY(FrameHostMsg_RunBeforeUnloadConfirm, |
OnRunBeforeUnloadConfirm) |
+ IPC_MESSAGE_HANDLER(FrameHostMsg_RunFileChooser, OnRunFileChooser) |
IPC_MESSAGE_HANDLER(FrameHostMsg_DidAccessInitialDocument, |
OnDidAccessInitialDocument) |
IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener) |
@@ -1525,6 +1527,19 @@ void RenderFrameHostImpl::OnRunBeforeUnloadConfirm( |
delegate_->RunBeforeUnloadConfirm(this, is_reload, reply_msg); |
} |
+void RenderFrameHostImpl::OnRunFileChooser(const FileChooserParams& params) { |
+ // Do not allow messages with absolute paths in them as this can permit a |
+ // renderer to coerce the browser to perform I/O on a renderer controlled |
+ // path. |
+ if (params.default_file_name != params.default_file_name.BaseName()) { |
+ bad_message::ReceivedBadMessage(GetProcess(), |
+ bad_message::RVH_FILE_CHOOSER_PATH); |
Avi (use Gerrit)
2016/06/10 21:52:54
Have we renamed bad messages that we move from RVH
nasko
2016/06/10 22:07:49
I don't know, but it is a good thing to fix. Done.
|
+ return; |
+ } |
+ |
+ delegate_->RunFileChooser(this, params); |
+} |
+ |
void RenderFrameHostImpl::OnTextSurroundingSelectionResponse( |
const base::string16& content, |
uint32_t start_offset, |
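Review bot: The comment in OnRunFileChooser says "absolute paths", but the check `params.default_file_name != params.default_file_name.BaseName()` rejects any name with a directory component, relative ones included. The comment should say so, for example `// Only a bare file name is accepted from the renderer; any directory component, absolute or relative, is a bad message.` A value made up solely of `.` or `..` contains no separator and presumably compares equal to its own BaseName(); if that holds for base::FilePath, adding `|| params.default_file_name.ReferencesParent()` to the condition would cover it. Only default_file_name is validated here. The other FileChooserParams fields reach the delegate as received, and their definitions are outside this hunk.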
@@ -2627,7 +2642,29 @@ int RenderFrameHostImpl::GetProxyCount() { |
void RenderFrameHostImpl::FilesSelectedInChooser( |
const std::vector<content::FileChooserFileInfo>& files, |
FileChooserParams::Mode permissions) { |
- render_view_host_->FilesSelectedInChooser(files, permissions); |
+ storage::FileSystemContext* const file_system_context = |
+ BrowserContext::GetStoragePartition(GetProcess()->GetBrowserContext(), |
+ GetSiteInstance()) |
+ ->GetFileSystemContext(); |
+ // Grant the security access requested to the given files. |
+ for (size_t i = 0; i < files.size(); ++i) { |
Avi (use Gerrit)
2016/06/10 21:52:54
for (const auto& file : files)
nasko
2016/06/10 22:07:49
Done.
|
+ const content::FileChooserFileInfo& file = files[i]; |
+ if (permissions == FileChooserParams::Save) { |
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantCreateReadWriteFile( |
+ GetProcess()->GetID(), file.file_path); |
+ } else { |
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadFile( |
+ GetProcess()->GetID(), file.file_path); |
+ } |
+ if (file.file_system_url.is_valid()) { |
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadFileSystem( |
+ GetProcess()->GetID(), |
+ file_system_context->CrackURL(file.file_system_url) |
+ .mount_filesystem_id()); |
+ } |
+ } |
+ |
+ Send(new FrameMsg_RunFileChooserResponse(routing_id_, files)); |
} |
#if defined(USE_EXTERNAL_POPUP_MENU) |
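Review bot: In FilesSelectedInChooser the result of `file_system_context->CrackURL(file.file_system_url)` is used without checking that cracking succeeded, so GrantReadFileSystem can be called with whatever `mount_filesystem_id()` returns for a URL that passed `is_valid()` on the GURL but did not crack, presumably an empty id. Keeping the cracked URL in a local and granting only when it is valid makes the grant explicit: `const storage::FileSystemURL cracked = file_system_context->CrackURL(file.file_system_url);` followed by `if (cracked.is_valid())` around the grant. The loop also calls GrantReadFile or GrantCreateReadWriteFile for every entry, including entries that carry only a file_system_url and whose file_path may be empty. A short comment saying whether that is intended would help the next reader, since these grants widen what the renderer process can access.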