Mark drags starting in web content as tainted to avoid file path forgery

content/browser/web_contents/web_drag_dest_gtk.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/web_drag_dest_gtk.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/files/file_path.h"
@@ skipping 35 matching lines @@
   return modifier_state;
 }
 
 }  // namespace
 
 WebDragDestGtk::WebDragDestGtk(WebContents* web_contents, GtkWidget* widget)
     : web_contents_(web_contents),
       widget_(widget),
       context_(NULL),
       data_requests_(0),
+      renderer_tainted_(false),
       delegate_(NULL),
       canceled_(false),
       method_factory_(this) {
   gtk_drag_dest_set(widget, static_cast<GtkDestDefaults>(0),
                     NULL, 0,
                     static_cast<GdkDragAction>(GDK_ACTION_COPY |
                                                GDK_ACTION_LINK |
                                                GDK_ACTION_MOVE));
 
   // If adding a handler, make sure to update kNumGtkHandlers and add it to the
@@ skipping 48 matching lines @@
     is_drop_target_ = false;
 
     if (delegate())
       delegate()->DragInitialize(web_contents_);
 
     // text/plain must come before text/uri-list. This is a hack that works in
     // conjunction with OnDragDataReceived. Since some file managers populate
     // text/plain with file URLs when dragging files, we want to handle
     // text/uri-list after text/plain so that the plain text can be cleared if
     // it's a file drag.
+    // Similarly, renderer taint must occur before anything else so we can
+    // ignore potentially forged filenames when handling text/uri-list.
     static int supported_targets[] = {
+      ui::RENDERER_TAINT,
       ui::TEXT_PLAIN,
       ui::TEXT_URI_LIST,
       ui::TEXT_HTML,
       ui::NETSCAPE_URL,
       ui::CHROME_NAMED_URL,
       // TODO(estade): support image drags?
       ui::CUSTOM_DATA,
     };
 
+    renderer_tainted_ = false;
     // Add the delegate's requested target if applicable. Need to do this here
     // since gtk_drag_get_data will dispatch to our drag-data-received.
     data_requests_ = arraysize(supported_targets) + (delegate() ? 1 : 0);
     for (size_t i = 0; i < arraysize(supported_targets); ++i) {
       gtk_drag_get_data(widget_, context,
                         ui::GetAtomForTarget(supported_targets[i]),
                         time);
     }
 
     if (delegate()) {
@@ skipping 31 matching lines @@
 
   data_requests_--;
 
   // Decode the data.
   gint data_length = gtk_selection_data_get_length(data);
   const guchar* raw_data = gtk_selection_data_get_data(data);
   GdkAtom target = gtk_selection_data_get_target(data);
   if (raw_data && data_length > 0) {
     // If the source can't provide us with valid data for a requested target,
     // raw_data will be NULL.
-    if (target == ui::GetAtomForTarget(ui::TEXT_PLAIN)) {
+    if (target == ui::GetAtomForTarget(ui::RENDERER_TAINT)) {
+      renderer_tainted_ = true;
+    } else if (target == ui::GetAtomForTarget(ui::TEXT_PLAIN)) {
       guchar* text = gtk_selection_data_get_text(data);
       if (text) {
         drop_data_->text = base::NullableString16(
             base::UTF8ToUTF16(std::string(reinterpret_cast<const char*>(text))),
             false);
         g_free(text);
       }
     } else if (target == ui::GetAtomForTarget(ui::TEXT_URI_LIST)) {
       gchar** uris = gtk_selection_data_get_uris(data);
       if (uris) {
         drop_data_->url = GURL();
         for (gchar** uri_iter = uris; *uri_iter; uri_iter++) {
           // Most file managers populate text/uri-list with file URLs when
           // dragging files. To avoid exposing file system paths to web content,
           // file URLs are never set as the URL content for the drop.
           // TODO(estade): Can the filenames have a non-UTF8 encoding?
           GURL url(*uri_iter);
           base::FilePath file_path;
-          if (url.SchemeIs(kFileScheme) &&
+          if (!renderer_tainted_ &&
+              url.SchemeIs(kFileScheme) &&
               net::FileURLToFilePath(url, &file_path)) {
-            drop_data_->filenames.push_back(
-                DropData::FileInfo(base::UTF8ToUTF16(file_path.value()),
-                                   base::string16()));
+            drop_data_->filenames.push_back(DropData::FileInfo(
+                base::UTF8ToUTF16(file_path.value()), base::string16()));
             // This is a hack. Some file managers also populate text/plain with
             // a file URL when dragging files, so we clear it to avoid exposing
             // it to the web content.
             drop_data_->text = base::NullableString16();
           } else if (!drop_data_->url.is_valid()) {
             // Also set the first non-file URL as the URL content for the drop.
             drop_data_->url = url;
           }
         }
         g_strfreev(uris);
@@ skipping 113 matching lines @@
   gtk_drag_finish(context, is_drop_target_, FALSE, time);
 
   return TRUE;
 }
 
 RenderViewHostImpl* WebDragDestGtk::GetRenderViewHost() const {
   return static_cast<RenderViewHostImpl*>(web_contents_->GetRenderViewHost());
 }
 
 }  // namespace content