Mark drags starting in web content as tainted to avoid file path forgery

content/browser/web_contents/web_drag_dest_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "content/browser/web_contents/web_drag_dest_mac.h"
 
 #import <Carbon/Carbon.h>
 
 #include "base/strings/sys_string_conversions.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
@@ skipping 235 matching lines @@
 
 // Given |data|, which should not be nil, fill it in using the contents of the
 // given pasteboard. The types handled by this method should be kept in sync
 // with [WebContentsViewCocoa registerDragTypes].
 - (void)populateDropData:(DropData*)data
           fromPasteboard:(NSPasteboard*)pboard {
   DCHECK(data);
   DCHECK(pboard);
   NSArray* types = [pboard types];
 
+  const bool renderer_tainted =
+      [types containsObject:ui::kChromeDragDummyPboardType];
+
   // Get URL if possible. To avoid exposing file system paths to web content,
   // filenames in the drag are not converted to file URLs.
   ui::PopulateURLAndTitleFromPasteboard(&data->url,
                                         &data->url_title,
                                         pboard,
                                         NO);
 
   // Get plain text.
   if ([types containsObject:NSStringPboardType]) {
     data->text = base::NullableString16(
         base::SysNSStringToUTF16([pboard stringForType:NSStringPboardType]),
         false);
   }
 
   // Get HTML. If there's no HTML, try RTF.
   if ([types containsObject:NSHTMLPboardType]) {
     NSString* html = [pboard stringForType:NSHTMLPboardType];
     data->html = base::NullableString16(base::SysNSStringToUTF16(html), false);
   } else if ([types containsObject:ui::kChromeDragImageHTMLPboardType]) {
     NSString* html = [pboard stringForType:ui::kChromeDragImageHTMLPboardType];
     data->html = base::NullableString16(base::SysNSStringToUTF16(html), false);
   } else if ([types containsObject:NSRTFPboardType]) {
     NSString* html = [pboard htmlFromRtf];
     data->html = base::NullableString16(base::SysNSStringToUTF16(html), false);
   }
 
   // Get files.
-  if ([types containsObject:NSFilenamesPboardType]) {
+  if ([types containsObject:NSFilenamesPboardType] && !renderer_tainted) {
     NSArray* files = [pboard propertyListForType:NSFilenamesPboardType];
     if ([files isKindOfClass:[NSArray class]] && [files count]) {
       for (NSUInteger i = 0; i < [files count]; i++) {
         NSString* filename = [files objectAtIndex:i];
         BOOL exists = [[NSFileManager defaultManager]
                            fileExistsAtPath:filename];
         if (exists) {
           data->filenames.push_back(
               DropData::FileInfo(
                   base::SysNSStringToUTF16(filename), base::string16()));
         }
       }
     }
   }
 
   // TODO(pinkerton): Get file contents. http://crbug.com/34661
 
   // Get custom MIME data.
   if ([types containsObject:ui::kWebCustomDataPboardType]) {
     NSData* customData = [pboard dataForType:ui::kWebCustomDataPboardType];
     ui::ReadCustomDataIntoMap([customData bytes],
                               [customData length],
                               &data->custom_data);
   }
 }
 
 @end