Mark drags starting in web content as tainted to avoid file path forgery

ui/base/dragdrop/os_exchange_data_provider_aurax11.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ui/base/dragdrop/os_exchange_data_provider_aurax11.h"
 
 #include "base/logging.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/message_loop/message_pump_x11.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/net_util.h"
 #include "ui/base/clipboard/clipboard.h"
 #include "ui/base/clipboard/scoped_clipboard_writer.h"
 #include "ui/base/x/selection_utils.h"
 #include "ui/base/x/x11_util.h"
 
 // Note: the GetBlah() methods are used immediately by the
 // web_contents_view_aura.cc:PrepareDropData(), while the omnibox is a
 // little more discriminating and calls HasBlah() before trying to get the
 // information.
 
 namespace ui {
 
 namespace {
 
 const char kDndSelection[] = "XdndSelection";
+const char kRendererTaint[] = "chromium/x-renderer-taint";
 
 const char* kAtomsToCache[] = {
   kString,
   kText,
   kUtf8String,
   kDndSelection,
   Clipboard::kMimeTypeURIList,
   kMimeTypeMozillaURL,
   Clipboard::kMimeTypeText,
+  kRendererTaint,
   NULL
 };
 
 }  // namespace
 
 OSExchangeDataProviderAuraX11::OSExchangeDataProviderAuraX11(
     ::Window x_window,
     const SelectionFormatMap& selection)
     : x_display_(gfx::GetXDisplay()),
       x_root_window_(DefaultRootWindow(x_display_)),
@@ skipping 54 matching lines @@
   // ours has been modified since TakeOwnershipOfSelection() was called.
   return selection_owner_.selection_format_map();
 }
 
 OSExchangeData::Provider* OSExchangeDataProviderAuraX11::Clone() const {
   OSExchangeDataProviderAuraX11* ret = new OSExchangeDataProviderAuraX11();
   ret->format_map_ = format_map_;
   return ret;
 }
 
+void OSExchangeDataProviderAuraX11::MarkRendererTainted() {
+  std::string empty;
+  format_map_.Insert(atom_cache_.GetAtom(kRendererTaint),
+                     scoped_refptr<base::RefCountedMemory>(
+                         base::RefCountedString::TakeString(&empty)));
+}
+
+bool OSExchangeDataProviderAuraX11::IsRendererTainted() const {
+  return format_map_.find(atom_cache_.GetAtom(kRendererTaint)) !=
+         format_map_.end();

[tony, 2014/03/21 23:09:00]

Nit: Is this the correct indent?  I thought it was always 4 spaces.

[dcheng, 2014/03/21 23:57:07]

This is what clang-format said. I didn't clang format the entire CL though, as
it results in some more radical changes that would be better to avoid for ease
of merges.

+}
+
 void OSExchangeDataProviderAuraX11::SetString(const base::string16& text_data) {
   std::string utf8 = base::UTF16ToUTF8(text_data);
   scoped_refptr<base::RefCountedMemory> mem(
       base::RefCountedString::TakeString(&utf8));
 
   format_map_.Insert(atom_cache_.GetAtom(Clipboard::kMimeTypeText), mem);
   format_map_.Insert(atom_cache_.GetAtom(kText), mem);
   format_map_.Insert(atom_cache_.GetAtom(kString), mem);
   format_map_.Insert(atom_cache_.GetAtom(kUtf8String), mem);
 }
@@ skipping 340 matching lines @@
 
 ///////////////////////////////////////////////////////////////////////////////
 // OSExchangeData, public:
 
 // static
 OSExchangeData::Provider* OSExchangeData::CreateProvider() {
   return new OSExchangeDataProviderAuraX11();
 }
 
 }  // namespace ui