Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(147)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: extensions/browser/extension_message_filter.cc

Issue 2254383002: Signal extension API schema corruption to the browser process. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Tweak comments Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « extensions/browser/extension_message_filter.h ('k') | extensions/common/extension_api.h » ('j') | extensions/common/extension_api.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: extensions/browser/extension_message_filter.cc
diff --git a/extensions/browser/extension_message_filter.cc b/extensions/browser/extension_message_filter.cc
index 6bdfac024e5f755f20880373371f1b489ddc93e1..608d425d2045e78990e517383c54f3ce9411b2cb 100644
--- a/extensions/browser/extension_message_filter.cc
+++ b/extensions/browser/extension_message_filter.cc
@@ -18,6 +18,7 @@
#include "extensions/browser/process_manager_factory.h"
#include "extensions/browser/process_map.h"
#include "extensions/common/extension.h"
+#include "extensions/common/extension_api.h"
#include "extensions/common/extension_messages.h"
#include "extensions/common/manifest_handlers/background_info.h"
#include "ipc/ipc_message_macros.h"
@@ -134,6 +135,8 @@ bool ExtensionMessageFilter::OnMessageReceived(const IPC::Message& message) {
OnExtensionTransferBlobsAck)
IPC_MESSAGE_HANDLER(ExtensionHostMsg_WakeEventPage,
OnExtensionWakeEventPage)
+ IPC_MESSAGE_HANDLER(ExtensionHostMsg_NotifyBadExtensionApiSchema,
+ OnExtensionNotifyBadExtensionApiSchema)
IPC_MESSAGE_UNHANDLED(handled = false)
IPC_END_MESSAGE_MAP()
return handled;
@@ -318,4 +321,26 @@ void ExtensionMessageFilter::SendWakeEventPageResponse(int request_id,
Send(new ExtensionMsg_WakeEventPageResponse(request_id, success));
}
+void ExtensionMessageFilter::OnExtensionNotifyBadExtensionApiSchema(
+ const std::string& full_name) {
+ ExtensionAPI* extension_api = ExtensionAPI::GetSharedInstance();
+
+ // Try to resolve the full name; if we can't then the renderer sent a
+ // bogus name.
+ std::string api_name =
+ extension_api->GetAPINameFromFullName(full_name, nullptr);
+ if (api_name.empty()) {
+ ShutdownForBadMessage();
+ return;
+ }
+
+ // Since the renderer indicated that the schema for |api_name| was
+ // bad, we expect getting the schema to fail, and crash the browser.
+ CHECK(extension_api->GetSchema(api_name));
+
+ // If we reach here then the schema looked valid, indicating that
+ // the renderer must be at fault, so kill it.
+ ShutdownForBadMessage();
+}
+
} // namespace extensions
« no previous file with comments | « extensions/browser/extension_message_filter.h ('k') | extensions/common/extension_api.h » ('j') | extensions/common/extension_api.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698