content/browser/child_process_security_policy_impl.cc - Issue 2347163004: Disallow navigations to blob URLs with non-canonical origins.

Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 2347163004: Disallow navigations to blob URLs with non-canonical origins. (Closed)

Patch Set: Add tests. Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/child_process_security_policy_impl.h"	5 #include "content/browser/child_process_security_policy_impl.h"

6	6

7 #include <algorithm>	7 #include <algorithm>

8 #include <utility>	8 #include <utility>

9	9

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 545 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
556 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {	556 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {

557 base::AutoLock lock(lock_);	557 base::AutoLock lock(lock_);

558	558

559 SecurityStateMap::iterator state = security_state_.find(child_id);	559 SecurityStateMap::iterator state = security_state_.find(child_id);

560 if (state == security_state_.end())	560 if (state == security_state_.end())

561 return;	561 return;

562	562

563 state->second->RevokeReadRawCookies();	563 state->second->RevokeReadRawCookies();

564 }	564 }

565	565

566 bool ChildProcessSecurityPolicyImpl::CanRequestURL(	566 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
	Charlie Reis 2016/09/20 16:28:55 We have pretty extensive unit tests for this in ch We have pretty extensive unit tests for this in child_process_security_policy_unittest.cc. Can you toss one in for the spoof case for completeness? ncarter (slow) 2016/09/20 23:01:43 Thanks for suggesting this! It uncovered the fact Show quoted text On 2016/09/20 16:28:55, Charlie Reis (slow) wrote: > We have pretty extensive unit tests for this in > child_process_security_policy_unittest.cc. Can you toss one in for the spoof > case for completeness? Thanks for suggesting this! It uncovered the fact that I meant to fix up CanCommitURL too. I copypasted that clause there too. Charlie Reis 2016/09/20 23:19:06 Great! I agree that having the check in CanCommit Show quoted text On 2016/09/20 23:01:43, ncarter wrote: > On 2016/09/20 16:28:55, Charlie Reis (slow) wrote: > > We have pretty extensive unit tests for this in > > child_process_security_policy_unittest.cc. Can you toss one in for the spoof > > case for completeness? > > Thanks for suggesting this! It uncovered the fact that I meant to fix up > CanCommitURL too. I copypasted that clause there too. Great! I agree that having the check in CanCommitURL as well seems better.
567 int child_id, const GURL& url) {	567 int child_id, const GURL& url) {

568 if (!url.is_valid())	568 if (!url.is_valid())

569 return false; // Can't request invalid URLs.	569 return false; // Can't request invalid URLs.

570	570

571 if (IsPseudoScheme(url.scheme())) {	571 if (IsPseudoScheme(url.scheme())) {

572 // Every child process can request <about:blank>.	572 // Every child process can request <about:blank>.

573 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))	573 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))

574 return true;	574 return true;

575 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be	575 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be

576 // requestable by any child process. Also, this case covers	576 // requestable by any child process. Also, this case covers

577 // <javascript:...>, which should be handled internally by the process and	577 // <javascript:...>, which should be handled internally by the process and

578 // not kicked up to the browser.	578 // not kicked up to the browser.

579 return false;	579 return false;

580 }	580 }

581	581

	582 // https://crbug.com/646278 Valid blob URLs should contain canonically

	583 // serialized origins.

	584 if (url.SchemeIsBlob() &&
	Charlie Reis 2016/09/20 16:28:55 Sanity check: Do we have the same problem for file Sanity check: Do we have the same problem for filesystem URLs? ncarter (slow) 2016/09/20 17:46:55 Potentially but the spoof doesn't directly transla Show quoted text On 2016/09/20 16:28:55, Charlie Reis (slow) wrote: > Sanity check: Do we have the same problem for filesystem URLs? Potentially but the spoof doesn't directly translate; since for filesystem URLs, GURL actually parses past the scheme. The behavior I see is that authorities are preserved in inner URLs of filesystem URLs, but the inner URL is parsed and canonicalized, so spaces get escaped to %20. We probably should not allow authorities inside of filesystem URLs, but it may be a spec question. Charlie Reis 2016/09/20 23:19:06 Acknowledged. Show quoted text On 2016/09/20 17:46:55, ncarter wrote: > On 2016/09/20 16:28:55, Charlie Reis (slow) wrote: > > Sanity check: Do we have the same problem for filesystem URLs? > > Potentially but the spoof doesn't directly translate; since for filesystem URLs, > GURL actually parses past the scheme. > > The behavior I see is that authorities are preserved in inner URLs of filesystem > URLs, but the inner URL is parsed and canonicalized, so spaces get escaped to > %20. We probably should not allow authorities inside of filesystem URLs, but it > may be a spec question. Acknowledged.
	585 !base::StartsWith(url.GetContent(), url::Origin(url).Serialize() + "/",

	586 base::CompareCase::INSENSITIVE_ASCII)) {

	587 return false;

	588 }

	589

582 // If the process can commit the URL, it can request it.	590 // If the process can commit the URL, it can request it.

583 if (CanCommitURL(child_id, url))	591 if (CanCommitURL(child_id, url))

584 return true;	592 return true;

585	593

586 // Also allow URLs destined for ShellExecute and not the browser itself.	594 // Also allow URLs destined for ShellExecute and not the browser itself.

587 return !GetContentClient()->browser()->IsHandledURL(url) &&	595 return !GetContentClient()->browser()->IsHandledURL(url) &&

588 !net::URLRequest::IsHandledURL(url);	596 !net::URLRequest::IsHandledURL(url);

589 }	597 }

590	598

591 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,	599 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,

(...skipping 259 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
851 base::AutoLock lock(lock_);	859 base::AutoLock lock(lock_);

852	860

853 SecurityStateMap::iterator state = security_state_.find(child_id);	861 SecurityStateMap::iterator state = security_state_.find(child_id);

854 if (state == security_state_.end())	862 if (state == security_state_.end())

855 return false;	863 return false;

856	864

857 return state->second->can_send_midi_sysex();	865 return state->second->can_send_midi_sysex();

858 }	866 }

859	867

860 } // namespace content	868 } // namespace content

OLD	NEW

« content/browser/blob_storage/blob_url_browsertest.cc ('K') | « content/browser/blob_storage/blob_url_browsertest.cc ('k') | content/test/BUILD.gn » ('j') | no next file with comments »