content/browser/web_contents/web_drag_dest_gtk.cc - Issue 207013003: Mark drags starting in web content as tainted to avoid file path forgery

Unified Diff: content/browser/web_contents/web_drag_dest_gtk.cc

Issue 207013003: Mark drags starting in web content as tainted to avoid file path forgery (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: More fixes and comment Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « content/browser/web_contents/web_drag_dest_gtk.h ('k') | content/browser/web_contents/web_drag_dest_mac.mm » ('j') | ui/base/clipboard/clipboard_aurax11.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/browser/web_contents/web_drag_dest_gtk.cc

diff --git a/content/browser/web_contents/web_drag_dest_gtk.cc b/content/browser/web_contents/web_drag_dest_gtk.cc

index d3b9ff89171518ec48c4d0249d9e3a20a02bfa5b..a623510c6051562af55cb3eb840a705ca5118907 100644

--- a/content/browser/web_contents/web_drag_dest_gtk.cc

+++ b/content/browser/web_contents/web_drag_dest_gtk.cc

@@ -53,6 +53,7 @@ WebDragDestGtk::WebDragDestGtk(WebContents* web_contents, GtkWidget* widget)

widget_(widget),

context_(NULL),

data_requests_(0),

+ renderer_tainted_(false),

delegate_(NULL),

canceled_(false),

method_factory_(this) {

@@ -121,7 +122,10 @@ gboolean WebDragDestGtk::OnDragMotion(GtkWidget* sender,

// text/plain with file URLs when dragging files, we want to handle

// text/uri-list after text/plain so that the plain text can be cleared if

// it's a file drag.

+ // Similarly, renderer taint must occur before anything else so we can

+ // ignore potentially forged filenames when handling text/uri-list.

static int supported_targets[] = {

+ ui::RENDERER_TAINT,

ui::TEXT_PLAIN,

ui::TEXT_URI_LIST,

ui::TEXT_HTML,

@@ -131,6 +135,7 @@ gboolean WebDragDestGtk::OnDragMotion(GtkWidget* sender,

ui::CUSTOM_DATA,

};

+ renderer_tainted_ = false;

// Add the delegate's requested target if applicable. Need to do this here

// since gtk_drag_get_data will dispatch to our drag-data-received.

data_requests_ = arraysize(supported_targets) + (delegate() ? 1 : 0);

@@ -182,7 +187,9 @@ void WebDragDestGtk::OnDragDataReceived(

if (raw_data && data_length > 0) {

// If the source can't provide us with valid data for a requested target,

// raw_data will be NULL.

- if (target == ui::GetAtomForTarget(ui::TEXT_PLAIN)) {

+ if (target == ui::GetAtomForTarget(ui::RENDERER_TAINT)) {

+ renderer_tainted_ = true;

+ } else if (target == ui::GetAtomForTarget(ui::TEXT_PLAIN)) {

guchar* text = gtk_selection_data_get_text(data);

if (text) {

drop_data_->text = base::NullableString16(

@@ -201,11 +208,11 @@ void WebDragDestGtk::OnDragDataReceived(

// TODO(estade): Can the filenames have a non-UTF8 encoding?

GURL url(*uri_iter);

base::FilePath file_path;

- if (url.SchemeIs(kFileScheme) &&

+ if (!renderer_tainted_ &&

+ url.SchemeIs(kFileScheme) &&

net::FileURLToFilePath(url, &file_path)) {

- drop_data_->filenames.push_back(

- DropData::FileInfo(base::UTF8ToUTF16(file_path.value()),

- base::string16()));

+ drop_data_->filenames.push_back(DropData::FileInfo(

+ base::UTF8ToUTF16(file_path.value()), base::string16()));

// This is a hack. Some file managers also populate text/plain with

// a file URL when dragging files, so we clear it to avoid exposing

// it to the web content.