chrome/browser/ui/webui/extensions/extension_error_handler.cc - Issue 23875013: Handle invalid input for SourceHighlighter, Don't Allow Relative Paths in ErrorHandler

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/ui/webui/extensions/extension_error_handler.cc

Issue 23875013: Handle invalid input for SourceHighlighter, Don't Allow Relative Paths in ErrorHandler (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Remove comment + address security risk in ErrorHandler Created 7 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/ui/webui/extensions/extension_error_handler.cc

diff --git a/chrome/browser/ui/webui/extensions/extension_error_handler.cc b/chrome/browser/ui/webui/extensions/extension_error_handler.cc

index 45bd71f99cbc1141ac5ede960ef9abddde2edea7..f89feb4bdcf84f3d004c0a3fa069b2a3e39fe0d7 100644

--- a/chrome/browser/ui/webui/extensions/extension_error_handler.cc

+++ b/chrome/browser/ui/webui/extensions/extension_error_handler.cc

@@ -90,11 +90,11 @@ void ExtensionErrorHandler::HandleRequestFileSource(

// Three required arguments: extension_id, path_suffix, and error_message.

std::string extension_id;

- base::FilePath::StringType path_suffix;

+ base::FilePath::StringType path_suffix_string;

base::string16 error_message;

if (!args->GetDictionary(0, &dict) ||

- !dict->GetString(kPathSuffixKey, &path_suffix) ||

+ !dict->GetString(kPathSuffixKey, &path_suffix_string) ||

!dict->GetString(ExtensionError::kExtensionIdKey, &extension_id) ||

!dict->GetString(ExtensionError::kMessageKey, &error_message)) {

NOTREACHED();

@@ -105,6 +105,13 @@ void ExtensionErrorHandler::HandleRequestFileSource(

ExtensionSystem::Get(Profile::FromWebUI(web_ui()))->

extension_service()->GetExtensionById(extension_id,

true /* include disabled */ );

+ // Under no circumstances should we ever need to reference a file outside of

+ // the extension's directory. If it tries to, abort.

+ base::FilePath path_suffix(path_suffix_string);

+ if (path_suffix.ReferencesParent())

+ return;

base::FilePath path = extension->path().Append(path_suffix);

// Setting the title and the error message is the same for all file types.

@@ -118,7 +125,7 @@ void ExtensionErrorHandler::HandleRequestFileSource(

base::Closure closure;

std::string* contents = NULL;

- if (path_suffix == kManifestFilename) {

+ if (path_suffix_string == kManifestFilename) {

std::string manifest_key;

if (!dict->GetString(ManifestError::kManifestKeyKey, &manifest_key)) {

NOTREACHED();

« no previous file with comments | « no previous file | extensions/browser/file_highlighter.cc » ('j') | no next file with comments »