content/browser/renderer_host/pepper/pepper_security_helper.cc - Issue 23760004: ChildProcessSecurityPolicy: Port FileAPIMessageFilter to use new checks

Unified Diff: content/browser/renderer_host/pepper/pepper_security_helper.cc

Issue 23760004: ChildProcessSecurityPolicy: Port FileAPIMessageFilter to use new checks (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« content/browser/renderer_host/pepper/pepper_security_helper.h ('K') | « content/browser/renderer_host/pepper/pepper_security_helper.h ('k') | content/child/fileapi/file_system_dispatcher.h » ('j') | content/renderer/pepper/pepper_file_io_host.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/browser/renderer_host/pepper/pepper_security_helper.cc

diff --git a/content/browser/renderer_host/pepper/pepper_security_helper.cc b/content/browser/renderer_host/pepper/pepper_security_helper.cc

index 5402823f01e56f68d815fc2a3bd1238e2518f07f..617f75787e08d50a8013ce628ece095646ef35c8 100644

--- a/content/browser/renderer_host/pepper/pepper_security_helper.cc

+++ b/content/browser/renderer_host/pepper/pepper_security_helper.cc

@@ -28,11 +28,9 @@ bool CanOpenWithPepperFlags(int pp_open_flags, int child_id,

if (pp_write && !policy->CanWriteFile(child_id, file))

return false;

- if (pp_append) {

- // Given ChildSecurityPolicyImpl's current definition of permissions,

- // APPEND is never supported.

+ // TODO(tommycli): Maybe tighten up required permission. crbug.com/284792

+ if (pp_append && !policy->CanCreateWriteFile(child_id, file))

return false;

- }

if (pp_truncate && !pp_write)

return false;

@@ -51,4 +49,43 @@ bool CanOpenWithPepperFlags(int pp_open_flags, int child_id,

return true;

}

+bool CanOpenFileSystemURLWithPepperFlags(int pp_open_flags, int child_id,

+ const fileapi::FileSystemURL& url) {

+ ChildProcessSecurityPolicyImpl* policy =

+ ChildProcessSecurityPolicyImpl::GetInstance();

+ bool pp_read = !!(pp_open_flags & PP_FILEOPENFLAG_READ);

Tom Sepez 2013/09/04 22:22:45 Seems a shame to have this same logic here and abo

tommycli 2013/09/04 23:21:27 I agree it's a shame. The only obvious way I saw t

kinuko 2013/09/05 03:49:43 Could we make the common logic a template? I thin

Could we make the common logic a template? I think something like following code would work: namespace { template <typename CanRead, typename CanWrite, typename CanCreate, typename CanCreateWrite, typename FileID> bool CanOpenFileWithPepperFlags(CanRead can_read, CanWrite can_write, CanCreate can_create, CanCreateWrite can_create_write, int pp_open_flags, int child_id, const FileID& file) { ChildProcessSecurityPolicyImpl* policy = ... bool pp_read = !!(...); ... if (pp_read && !(policy->*can_read)(child_id, file)) return false; if (pp_write && !(policy->*can_write)(child_id, file)) return false; ... } } // namespace bool CanOpenWithPepperFlags(int pp_open_flags, int child_id, const base::FilePath& file) { return CanOpenFileWithPepperFlags( &ChildProcessSecurityPolicyImpl::CanReadFile, &ChildProcessSecurityPolicyImpl::CanWriteFile, &ChildProcessSecurityPolicyImpl::CanCreateFile, &ChildProcessSecurityPolicyImpl::CanCreateWriteFile, pp_open_flags, child_id, file); } bool CanOpenFileSystemURLWithPepperFlags(int pp_open_flags, int child_id, const fileapi::FileSystemURL& url) { return CanOpenFileWithPepperFlags( &ChildProcessSecurityPolicyImpl::CanReadFileSystemFile, &ChildProcessSecurityPolicyImpl::CanWriteFileSystemFile, &ChildProcessSecurityPolicyImpl::CanCreateFileSystemFile, &ChildProcessSecurityPolicyImpl::CanCreateWriteFileSystemFile, pp_open_flags, child_id, url); } Other than SLOC bloat I'm afraid having duplicated logic makes the code error-prone. (We likely tend to change only one method and forget the other)

tommycli 2013/09/06 01:41:43 Done. I had no idea you could do this with templat

On 2013/09/05 03:49:43, kinuko wrote: > On 2013/09/04 23:21:27, tommycli wrote: > > On 2013/09/04 22:22:45, Tom Sepez wrote: > > > Seems a shame to have this same logic here and above. It would be nice if > one > > of > > > these called into the other or some common routines. > > > > I agree it's a shame. The only obvious way I saw to combine these a bit would > be > > to do something like: > > > > // (Create|Write != CreateWrite) See crbug.com/263150 > > struct PermissionsSet { > > bool can_read; > > bool can_write; > > bool can_create; > > bool can_create_write; > > } > > > > PermissionSet GetPermissionSetForFile(...); > > PermissionSet GetPermissionSetForFileSystemFile(...); > > > > But that didn't seem to save any lines of code. > > Could we make the common logic a template? I think something like following > code would work: > > namespace { > > template <typename CanRead, typename CanWrite, > typename CanCreate, typename CanCreateWrite, > typename FileID> > bool CanOpenFileWithPepperFlags(CanRead can_read, > CanWrite can_write, > CanCreate can_create, > CanCreateWrite can_create_write, > int pp_open_flags, > int child_id, > const FileID& file) { > ChildProcessSecurityPolicyImpl* policy = ... > bool pp_read = !!(...); > ... > > if (pp_read && !(policy->*can_read)(child_id, file)) > return false; > if (pp_write && !(policy->*can_write)(child_id, file)) > return false; > ... > } > > } // namespace > > bool CanOpenWithPepperFlags(int pp_open_flags, int child_id, > const base::FilePath& file) { > return CanOpenFileWithPepperFlags( > &ChildProcessSecurityPolicyImpl::CanReadFile, > &ChildProcessSecurityPolicyImpl::CanWriteFile, > &ChildProcessSecurityPolicyImpl::CanCreateFile, > &ChildProcessSecurityPolicyImpl::CanCreateWriteFile, > pp_open_flags, child_id, file); > } > > bool CanOpenFileSystemURLWithPepperFlags(int pp_open_flags, int child_id, > const fileapi::FileSystemURL& url) { > return CanOpenFileWithPepperFlags( > &ChildProcessSecurityPolicyImpl::CanReadFileSystemFile, > &ChildProcessSecurityPolicyImpl::CanWriteFileSystemFile, > &ChildProcessSecurityPolicyImpl::CanCreateFileSystemFile, > &ChildProcessSecurityPolicyImpl::CanCreateWriteFileSystemFile, > pp_open_flags, child_id, url); > } > > Other than SLOC bloat I'm afraid having duplicated logic makes the code > error-prone. (We likely tend to change only one method and forget the other)

Done. I had no idea you could do this with templates. Great idea!

+ bool pp_write = !!(pp_open_flags & PP_FILEOPENFLAG_WRITE);

+ bool pp_create = !!(pp_open_flags & PP_FILEOPENFLAG_CREATE);

+ bool pp_truncate = !!(pp_open_flags & PP_FILEOPENFLAG_TRUNCATE);

+ bool pp_exclusive = !!(pp_open_flags & PP_FILEOPENFLAG_EXCLUSIVE);

+ bool pp_append = !!(pp_open_flags & PP_FILEOPENFLAG_APPEND);

+ if (pp_read && !policy->CanReadFileSystemFile(child_id, url))

+ return false;

+ if (pp_write && !policy->CanWriteFileSystemFile(child_id, url))

+ return false;

+ // TODO(tommycli): Maybe tighten up required permission. crbug.com/284792

+ if (pp_append && !policy->CanCreateWriteFileSystemFile(child_id, url))

+ return false;

+ if (pp_truncate && !pp_write)

+ return false;

+ if (pp_create) {

+ if (pp_exclusive) {

+ return policy->CanCreateFileSystemFile(child_id, url);

+ } else {

+ // Asks for too much, but this is the only grant that allows overwrite.

+ return policy->CanCreateWriteFileSystemFile(child_id, url);

+ }

+ } else if (pp_truncate) {

+ return policy->CanCreateWriteFileSystemFile(child_id, url);

+ }

+ return true;

} // namespace content