| Index: content/browser/loader/resource_dispatcher_host_impl.cc
|
| diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
|
| index 50153c6706bfa0951f8506161aa063702a7069b1..c14e80893b79a3f44d4995af6aad04b17a36b897 100644
|
| --- a/content/browser/loader/resource_dispatcher_host_impl.cc
|
| +++ b/content/browser/loader/resource_dispatcher_host_impl.cc
|
| @@ -518,6 +518,16 @@ void NotifyForEachFrameFromUI(
|
| base::Passed(std::move(routing_ids))));
|
| }
|
|
|
| +bool CanAccessFilesOfResourceRequestBody(
|
| + int child_id,
|
| + const scoped_refptr<ResourceRequestBody>& body) {
|
| + if (!body)
|
| + return true;
|
| +
|
| + return ChildProcessSecurityPolicyImpl::GetInstance()->CanReadAllFiles(
|
| + child_id, body->GetReferencedFiles());
|
| +}
|
| +
|
| } // namespace
|
|
|
| LoaderIOThreadNotifier::LoaderIOThreadNotifier(WebContents* web_contents)
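Review bot: `CanAccessFilesOfResourceRequestBody` validates only the paths returned by `body->GetReferencedFiles()`, so a body element that names data some other way (a filesystem URL or a blob reference, if this body type can carry them) would pass unchecked. `GetReferencedFiles` is defined outside this hunk, so its coverage should be confirmed before this helper is relied on as the complete gate. The helper also has no comment; something like `// Returns true if |child_id| may read every path from body->GetReferencedFiles(); a null body references no files.` would make both the scope and the null case explicit.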
|
| @@ -1380,6 +1390,16 @@ void ResourceDispatcherHostImpl::BeginRequest(
|
| return;
|
| }
|
|
|
| + // Reject requests attempting to refer to unauthorized files. This is
|
| + // important, because after a cross-site transfer, the new renderer process is
|
| + // unconditionally granted access to files from ResourceRequestBody.
|
| + if (!CanAccessFilesOfResourceRequestBody(child_id,
|
| + request_data.request_body)) {
|
| + bad_message::ReceivedBadMessage(
|
| + filter_, bad_message::RDH_CAN_ACCESS_FILES_OF_REQUEST_BODY);
|
| + return;
|
| + }
|
| +
|
| // PlzNavigate: reject invalid renderer main resource request.
|
| bool is_navigation_stream_request =
|
| IsBrowserSideNavigationEnabled() &&
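Review bot: The new rejection in `BeginRequest` guards only this one entry point, while its comment places the actual risk in the unconditional file grant made after a cross-site transfer. Any other route by which a renderer-supplied `ResourceRequestBody` reaches that grant would need the same check; none is visible here, because the body of `BeginRequest` and the granting code both lie outside the hunk. If the change does not already include one, a regression test is worth adding: a request whose body references a file the child was never granted should end in `bad_message::RDH_CAN_ACCESS_FILES_OF_REQUEST_BODY` and never reach the transfer path. It would also help to repeat the rationale at the granting site, e.g. `// Safe only because BeginRequest already verified the sender could read these files.`, so the dependency between the two places is not lost in a later refactor.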
|
|
|