Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(21)

Issue 207013003: Mark drags starting in web content as tainted to avoid file path forgery (Closed)

Created:
6 years, 9 months ago by dcheng
Modified:
6 years, 9 months ago
CC:
chromium-reviews, joi+watch-content_chromium.org, darin-cc_chromium.org, jam, jochen+watch_chromium.org
Visibility:
Public.

Description

Mark drags starting in web content as tainted to avoid file path forgery This patch takes the simplest possible approach and simply clears any filename data when the browser-side dragenter handler notices that a drag originated from a Chrome renderer. This breaks file:// URL dragging within Chrome, but it turns out this is already mostly broken anyway. Dragging file:// URLs is filtered out by FilterURL, since we don't GrantRequestSpecificFileURL to the renderer, so it generally ends up loading about:blank anyway. The ChromeOS bits are left unimplemented for the moment. The specific security issues fixed by this patch don't presently affect Aura because it doesn't implement the DownloadURL protocol at all, and it doesn't get confused between URLs and filenames like Linux. While it would be nice to implement this for ChromeOS, doing so breaks drags from the File Manager app. BUG=346135 R=creis@chromium.org, erg@chromium.org, sky@chromium.org, tony@chromium.org, tsepez@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=259353

Patch Set 1 #

Patch Set 2 : Initial patches for aura X11 #

Patch Set 3 : Blind implementations for other platforms #

Patch Set 4 : EventSender implementation. #

Patch Set 5 : Fix Aura crash. #

Patch Set 6 : Make the patch simpler #

Patch Set 7 : #

Patch Set 8 : More fixes and comment #

Total comments: 9

Patch Set 9 : Address comments. #

Patch Set 10 : Cleanup #

Total comments: 1
Unified diffs Side-by-side diffs Delta from patch set Stats (+119 lines, -8 lines) Patch
M content/browser/renderer_host/render_view_host_impl.cc View 1 2 3 4 5 6 7 8 1 chunk +3 lines, -0 lines 1 comment Download
M content/browser/web_contents/web_contents_view_aura.cc View 1 2 3 4 5 6 7 8 2 chunks +3 lines, -0 lines 0 comments Download
M content/browser/web_contents/web_drag_dest_gtk.cc View 1 2 3 4 5 6 7 8 9 2 chunks +6 lines, -1 line 0 comments Download
M content/browser/web_contents/web_drag_dest_mac.mm View 1 2 3 4 5 6 7 8 1 chunk +3 lines, -0 lines 0 comments Download
M content/browser/web_contents/web_drag_source_gtk.cc View 1 2 2 chunks +12 lines, -1 line 0 comments Download
M content/public/common/drop_data.h View 1 2 3 4 5 6 7 8 2 chunks +6 lines, -1 line 0 comments Download
M content/public/common/drop_data.cc View 1 2 3 4 5 6 7 8 1 chunk +2 lines, -2 lines 0 comments Download
M ui/base/clipboard/clipboard_aurax11.cc View 1 2 3 4 1 chunk +5 lines, -2 lines 0 comments Download
M ui/base/dragdrop/gtk_dnd_util.h View 1 2 1 chunk +5 lines, -1 line 0 comments Download
M ui/base/dragdrop/gtk_dnd_util.cc View 1 2 2 chunks +10 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data.h View 1 2 3 4 5 6 7 8 2 chunks +9 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data.cc View 1 2 3 4 5 6 7 8 1 chunk +8 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_aura.h View 1 2 3 4 5 6 7 8 1 chunk +2 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_aura.cc View 1 2 3 4 5 6 7 8 1 chunk +9 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_aurax11.h View 1 2 3 4 5 6 7 8 1 chunk +2 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_aurax11.cc View 1 2 3 4 5 6 7 8 3 chunks +14 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_win.h View 1 2 3 4 5 6 7 8 1 chunk +2 lines, -0 lines 0 comments Download
M ui/base/dragdrop/os_exchange_data_provider_win.cc View 1 2 3 4 5 6 7 8 2 chunks +18 lines, -0 lines 0 comments Download

Messages

Total messages: 20 (0 generated)
dcheng
creis: security perspective and content OWNER. tony: overall patch erg: *aura*, *gtk*, and *x11* bits. ...
6 years, 9 months ago (2014-03-21 22:48:08 UTC) #1
tony
What are your test plans? If we can't do an automated test, can we check ...
6 years, 9 months ago (2014-03-21 23:08:59 UTC) #2
Charlie Reis
Hmm, I'm not sure I'm a good reviewer for this. Certainly not for the security ...
6 years, 9 months ago (2014-03-21 23:30:03 UTC) #3
dcheng
creis: Unfortunately, there's not a lot of people familiar with this portion of the code. ...
6 years, 9 months ago (2014-03-21 23:57:06 UTC) #4
Tom Sepez
I'll take a more thorough look on monday. I didn't see any obvious problem with ...
6 years, 9 months ago (2014-03-22 00:07:49 UTC) #5
tony
LGTM with tom's review and with some testing plan (at a minimum "see bug for ...
6 years, 9 months ago (2014-03-22 00:15:05 UTC) #6
Elliot Glaysher
lgtm. this looks fairly sane. You mentioned over IM that this caused some issues with ...
6 years, 9 months ago (2014-03-22 00:29:59 UTC) #7
dcheng
On 2014/03/22 00:29:59, Elliot Glaysher wrote: > lgtm. this looks fairly sane. > > You ...
6 years, 9 months ago (2014-03-22 00:32:46 UTC) #8
Charlie Reis
On 2014/03/22 00:32:46, dcheng wrote: > On 2014/03/22 00:29:59, Elliot Glaysher wrote: > > lgtm. ...
6 years, 9 months ago (2014-03-22 00:36:11 UTC) #9
dcheng
I experimented with some different approaches for ChromeOS, but I was unable to find a ...
6 years, 9 months ago (2014-03-24 18:01:29 UTC) #10
Tom Sepez
lgtm
6 years, 9 months ago (2014-03-24 20:55:19 UTC) #11
dcheng
On 2014/03/24 20:55:19, Tom Sepez wrote: > lgtm I'm going to land this as is ...
6 years, 9 months ago (2014-03-24 21:09:49 UTC) #12
dcheng
+sky for OWNERS approval for ui/
6 years, 9 months ago (2014-03-24 21:10:04 UTC) #13
Charlie Reis
Rubber stamp LGTM for content/. https://codereview.chromium.org/207013003/diff/90022/content/browser/renderer_host/render_view_host_impl.cc File content/browser/renderer_host/render_view_host_impl.cc (right): https://codereview.chromium.org/207013003/diff/90022/content/browser/renderer_host/render_view_host_impl.cc#newcode752 content/browser/renderer_host/render_view_host_impl.cc:752: if (drop_data.did_originate_from_renderer) { nit: ...
6 years, 9 months ago (2014-03-24 21:19:09 UTC) #14
sky
LGTM
6 years, 9 months ago (2014-03-25 16:31:01 UTC) #15
dcheng
The CQ bit was checked by dcheng@chromium.org
6 years, 9 months ago (2014-03-25 18:11:15 UTC) #16
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/dcheng@chromium.org/207013003/90022
6 years, 9 months ago (2014-03-25 18:11:29 UTC) #17
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 9 months ago (2014-03-25 18:19:30 UTC) #18
commit-bot: I haz the power
Try jobs failed on following builders: tryserver.chromium on win_chromium_compile_dbg
6 years, 9 months ago (2014-03-25 18:19:32 UTC) #19
dcheng
6 years, 9 months ago (2014-03-25 22:04:11 UTC) #20
Message was sent while issue was closed.
Committed patchset #10 manually as r259353 (presubmit successful).

Powered by Google App Engine
This is Rietveld 408576698