Chromium Code Reviews Chromium Code Reviews
Issue 207013003:
Mark drags starting in web content as tainted to avoid file path forgery (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/renderer_host/render_view_host_impl.h" | 5 #include "content/browser/renderer_host/render_view_host_impl.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 731 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 742 WebDragOperationsMask operations_allowed, | 742 WebDragOperationsMask operations_allowed, |
| 743 int key_modifiers) { | 743 int key_modifiers) { |
| 744 const int renderer_id = GetProcess()->GetID(); | 744 const int renderer_id = GetProcess()->GetID(); |
| 745 ChildProcessSecurityPolicyImpl* policy = | 745 ChildProcessSecurityPolicyImpl* policy = |
| 746 ChildProcessSecurityPolicyImpl::GetInstance(); | 746 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 747 | 747 |
| 748 // The URL could have been cobbled together from any highlighted text string, | 748 // The URL could have been cobbled together from any highlighted text string, |
| 749 // and can't be interpreted as a capability. | 749 // and can't be interpreted as a capability. |
| 750 DropData filtered_data(drop_data); | 750 DropData filtered_data(drop_data); |
| 751 GetProcess()->FilterURL(true, &filtered_data.url); | 751 GetProcess()->FilterURL(true, &filtered_data.url); |
| 752 if (drop_data.did_originate_from_renderer) { | |
|
Charlie Reis
2014/03/24 21:19:10
nit: No need for braces here.
| |
| 753 filtered_data.filenames.clear(); | |
| 754 } | |
| 752 | 755 |
| 753 // The filenames vector, on the other hand, does represent a capability to | 756 // The filenames vector, on the other hand, does represent a capability to |
| 754 // access the given files. | 757 // access the given files. |
| 755 fileapi::IsolatedContext::FileInfoSet files; | 758 fileapi::IsolatedContext::FileInfoSet files; |
| 756 for (std::vector<DropData::FileInfo>::iterator iter( | 759 for (std::vector<DropData::FileInfo>::iterator iter( |
| 757 filtered_data.filenames.begin()); | 760 filtered_data.filenames.begin()); |
| 758 iter != filtered_data.filenames.end(); ++iter) { | 761 iter != filtered_data.filenames.end(); ++iter) { |
| 759 // A dragged file may wind up as the value of an input element, or it | 762 // A dragged file may wind up as the value of an input element, or it |
| 760 // may be used as the target of a navigation instead. We don't know | 763 // may be used as the target of a navigation instead. We don't know |
| 761 // which will happen at this point, so generously grant both access | 764 // which will happen at this point, so generously grant both access |
| (...skipping 1168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1930 return true; | 1933 return true; |
| 1931 } | 1934 } |
| 1932 | 1935 |
| 1933 void RenderViewHostImpl::AttachToFrameTree() { | 1936 void RenderViewHostImpl::AttachToFrameTree() { |
| 1934 FrameTree* frame_tree = delegate_->GetFrameTree(); | 1937 FrameTree* frame_tree = delegate_->GetFrameTree(); |
| 1935 | 1938 |
| 1936 frame_tree->ResetForMainFrameSwap(); | 1939 frame_tree->ResetForMainFrameSwap(); |
| 1937 } | 1940 } |
| 1938 | 1941 |
| 1939 } // namespace content | 1942 } // namespace content |
| OLD | NEW |
