| OLD | NEW |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
| 6 #include "base/macros.h" | 6 #include "base/macros.h" |
| 7 #include "base/strings/stringprintf.h" | 7 #include "base/strings/stringprintf.h" |
| 8 #include "base/strings/utf_string_conversions.h" | 8 #include "base/strings/utf_string_conversions.h" |
| 9 #include "chrome/browser/ui/browser.h" | 9 #include "chrome/browser/ui/browser.h" |
| 10 #include "chrome/browser/ui/browser_commands.h" | 10 #include "chrome/browser/ui/browser_commands.h" |
| (...skipping 81 matching lines...) |
| 92 std::string blob_contents = "<script>chrome.extensions</script>"; | 92 std::string blob_contents = "<script>chrome.extensions</script>"; |
| 93 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; | 93 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; |
| 94 | 94 |
| 95 // Target the bookmark manager extension. | 95 // Target the bookmark manager extension. |
| 96 std::string target_origin = | 96 std::string target_origin = |
| 97 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; | 97 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; |
| 98 | 98 |
| 99 std::vector<storage::DataElement> data_elements(1); | 99 std::vector<storage::DataElement> data_elements(1); |
| 100 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); | 100 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); |
| 101 | 101 |
| 102 // Set up a blob ID and populate it with attacker-controlled value. These two | 102 // Set up a blob ID and populate it with attacker-controlled value. This |
| 103 // messages are allowed, because this data is not in any origin. | 103 // message is allowed, because this data is not in any origin. |
| 104 IPC::IpcSecurityTestUtil::PwnMessageReceived( | 104 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| 105 rfh->GetProcess()->GetChannel(), | 105 rfh->GetProcess()->GetChannel(), |
| 106 BlobStorageMsg_RegisterBlobUUID(blob_id, blob_type, "", | 106 BlobStorageMsg_RegisterBlob(blob_id, blob_type, "", data_elements)); |
| 107 std::set<std::string>())); | |
| 108 | |
| 109 IPC::IpcSecurityTestUtil::PwnMessageReceived( | |
| 110 rfh->GetProcess()->GetChannel(), | |
| 111 BlobStorageMsg_StartBuildingBlob(blob_id, data_elements)); | |
| 112 | 107 |
| 113 // This IPC should result in a kill because |target_origin| is not commitable | 108 // This IPC should result in a kill because |target_origin| is not commitable |
| 114 // in |rfh->GetProcess()|. | 109 // in |rfh->GetProcess()|. |
| 115 content::RenderProcessHostWatcher crash_observer( | 110 content::RenderProcessHostWatcher crash_observer( |
| 116 rfh->GetProcess(), | 111 rfh->GetProcess(), |
| 117 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); | 112 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| 118 IPC::IpcSecurityTestUtil::PwnMessageReceived( | 113 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| 119 rfh->GetProcess()->GetChannel(), | 114 rfh->GetProcess()->GetChannel(), |
| 120 BlobHostMsg_RegisterPublicURL( | 115 BlobHostMsg_RegisterPublicURL( |
| 121 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); | 116 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); |
| 122 crash_observer.Wait(); // If the process is killed, this test passes. | 117 crash_observer.Wait(); // If the process is killed, this test passes. |
| 123 } | 118 } |
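Review bot: The closing `crash_observer.Wait()` accepts any renderer exit, so the test cannot distinguish a kill caused by the `BlobHostMsg_RegisterPublicURL` origin check from one caused by the setup IPC. Setup is now a single `BlobStorageMsg_RegisterBlob` message that the comment says is allowed; if the browser ever rejected it, the process would presumably still exit and the test would pass without exercising the check it guards. Consider asserting that the exit was abnormal with `EXPECT_FALSE(crash_observer.did_exit_normally());`, and checking the recorded bad-message reason if the harness exposes it. The test body begins in the skipped region above, so the earlier setup (`rfh`, `blob_id`, `blob_type`) is not visible here.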