
Unified Diff: content/browser/renderer_host/java/java_bound_object.cc

Issue 213693005: [Android] Block access to java.lang.Object.getClass in injected Java objects (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fixed tests Created 6 years, 9 months ago
Index: content/browser/renderer_host/java/java_bound_object.cc
diff --git a/content/browser/renderer_host/java/java_bound_object.cc b/content/browser/renderer_host/java/java_bound_object.cc
index 6c7c8246a5791fd65014ebe4ed7a8f7c6691f9be..b8a36373f4efa12a2a63ce28d49ef7643864f9df 100644
--- a/content/browser/renderer_host/java/java_bound_object.cc
+++ b/content/browser/renderer_host/java/java_bound_object.cc
@@ -39,6 +39,7 @@ namespace {
const char kJavaLangClass[] = "java/lang/Class";
const char kJavaLangObject[] = "java/lang/Object";
const char kJavaLangReflectMethod[] = "java/lang/reflect/Method";
+const char kJavaLangSecurityExceptionClass[] = "java/lang/SecurityException";
const char kGetClass[] = "getClass";
const char kGetMethods[] = "getMethods";
const char kIsAnnotationPresent[] = "isAnnotationPresent";
@@ -46,6 +47,9 @@ const char kReturningJavaLangClass[] = "()Ljava/lang/Class;";
const char kReturningJavaLangReflectMethodArray[] =
"()[Ljava/lang/reflect/Method;";
const char kTakesJavaLangClassReturningBoolean[] = "(Ljava/lang/Class;)Z";
+// This is an exception message, so no need to localize.
+const char kAccessToObjectGetClassIsBlocked[] =
+ "Access to java.lang.Object.getClass is blocked";
// Our special NPObject type. We extend an NPObject with a pointer to a
// JavaBoundObject. We also add static methods for each of the NPObject
@@ -820,6 +824,7 @@ JavaBoundObject::JavaBoundObject(
: java_object_(AttachCurrentThread(), object.obj()),
manager_(manager),
are_methods_set_up_(false),
+ object_get_class_method_id_(NULL),
can_enumerate_methods_(can_enumerate_methods),
safe_annotation_clazz_(safe_annotation_clazz) {
BrowserThread::PostTask(
@@ -896,7 +901,18 @@ bool JavaBoundObject::Invoke(const std::string& name, const NPVariant* args,
true);
}
- ScopedJavaLocalRef<jobject> obj = java_object_.get(AttachCurrentThread());
+ JNIEnv* env = AttachCurrentThread();
+ ScopedJavaLocalRef<jobject> obj = java_object_.get(env);
+
+ // Block access to java.lang.Object.getClass.
+ // As it is declared to be final, it is sufficient to compare methodIDs.
+ if (method->id() == object_get_class_method_id_) {
+ BrowserThread::PostTask(
+ BrowserThread::UI, FROM_HERE,
+ base::Bind(&JavaBoundObject::ThrowSecurityException,
+ kAccessToObjectGetClassIsBlocked));
+ return false;
+ }
bool ok = false;
if (!obj.is_null()) {
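Review bot: The guard `if (method->id() == object_get_class_method_id_)` only blocks the call when `object_get_class_method_id_` has already been resolved; the constructor initialises it to NULL and only EnsureMethodsAreSetUp() assigns it, and whether Invoke reaches EnsureMethodsAreSetUp() before this line is outside the hunk (Invoke starts before it), so if the id is still NULL the comparison can never match and the block silently fails open. A `DCHECK(object_get_class_method_id_);` immediately before the comparison would make that ordering assumption explicit and loud. The comment above the check could also state what each side observes, since the SecurityException is raised by the posted task on the UI thread while the JavaScript caller only sees Invoke return false, e.g. `// The exception is thrown asynchronously on the UI thread; the JS caller just sees the call fail.`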
@@ -910,7 +926,6 @@ bool JavaBoundObject::Invoke(const std::string& name, const NPVariant* args,
// Now that we're done with the jvalue, release any local references created
// by CoerceJavaScriptValueToJavaValue().
- JNIEnv* env = AttachCurrentThread();
for (size_t i = 0; i < arg_count; ++i) {
ReleaseJavaValueIfRequired(env, &parameters[i], method->parameter_type(i));
}
@@ -924,6 +939,13 @@ void JavaBoundObject::EnsureMethodsAreSetUp() const {
are_methods_set_up_ = true;
JNIEnv* env = AttachCurrentThread();
+
+ object_get_class_method_id_ = GetMethodIDFromClassName(
+ env,
+ kJavaLangObject,
+ kGetClass,
+ kReturningJavaLangClass);
+
ScopedJavaLocalRef<jobject> obj = java_object_.get(env);
if (obj.is_null()) {
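Review bot: `object_get_class_method_id_` is assigned from GetMethodIDFromClassName() without checking the result, and because Invoke only compares against this value, a NULL result would disable the getClass block rather than surface an error. Adding `DCHECK(object_get_class_method_id_);` after the assignment keeps that failure visible; resolving java.lang.Object.getClass should never fail, so a DCHECK rather than a runtime branch looks appropriate. Doing the lookup before the `obj.is_null()` early return, so the id is cached even when the bound object is gone, appears deliberate and deserves a one-line comment such as `// Resolve this before the early return below so Invoke can always check it.`. Since EnsureMethodsAreSetUp() is const, the member presumably has to be declared mutable in the header, which is not part of this diff.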
@@ -931,11 +953,7 @@ void JavaBoundObject::EnsureMethodsAreSetUp() const {
}
ScopedJavaLocalRef<jclass> clazz(env, static_cast<jclass>(
- env->CallObjectMethod(obj.obj(), GetMethodIDFromClassName(
- env,
- kJavaLangObject,
- kGetClass,
- kReturningJavaLangClass))));
+ env->CallObjectMethod(obj.obj(), object_get_class_method_id_)));
ScopedJavaLocalRef<jobjectArray> methods(env, static_cast<jobjectArray>(
env->CallObjectMethod(clazz.obj(), GetMethodIDFromClassName(
@@ -971,4 +989,13 @@ void JavaBoundObject::EnsureMethodsAreSetUp() const {
}
}
+// static
+void JavaBoundObject::ThrowSecurityException(const char* message) {
+ DCHECK_CURRENTLY_ON(BrowserThread::UI);
+ JNIEnv* env = AttachCurrentThread();
+ base::android::ScopedJavaLocalRef<jclass> clazz(
+ env, env->FindClass(kJavaLangSecurityExceptionClass));
+ env->ThrowNew(clazz.obj(), message);
+}
+
} // namespace content
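Review bot: ThrowSecurityException() passes the result of `env->FindClass(kJavaLangSecurityExceptionClass)` straight to `env->ThrowNew` without a null check; a failed FindClass leaves a JNI exception pending, and calling ThrowNew with a null class is not a well-defined JNI call. A `DCHECK(!clazz.is_null());` between the two lines would catch that, and since the class is part of the core library a hard check rather than a recovery path is fine. The function also deserves a header comment saying that ThrowNew only marks the exception pending on the UI thread's JNIEnv, so it is delivered when that thread returns to Java rather than unwinding this call, and that `message` must outlive the posted task — here it is a static constant, which is what makes passing a `const char*` through base::Bind safe. Stylistically, `base::android::ScopedJavaLocalRef` is fully qualified here while the rest of the file uses the unqualified `ScopedJavaLocalRef`, as in Invoke and EnsureMethodsAreSetUp above.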
