OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
6 #include "base/macros.h" | 6 #include "base/macros.h" |
7 #include "base/strings/stringprintf.h" | 7 #include "base/strings/stringprintf.h" |
8 #include "base/strings/utf_string_conversions.h" | 8 #include "base/strings/utf_string_conversions.h" |
9 #include "chrome/browser/ui/browser.h" | 9 #include "chrome/browser/ui/browser.h" |
10 #include "chrome/browser/ui/browser_commands.h" | 10 #include "chrome/browser/ui/browser_commands.h" |
(...skipping 73 matching lines...) | |
84 std::string blob_contents = "<script>chrome.extensions</script>"; | 84 std::string blob_contents = "<script>chrome.extensions</script>"; |
85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; | 85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; |
86 | 86 |
87 // Target the bookmark manager extension. | 87 // Target the bookmark manager extension. |
88 std::string target_origin = | 88 std::string target_origin = |
89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; | 89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; |
90 | 90 |
91 std::vector<storage::DataElement> data_elements(1); | 91 std::vector<storage::DataElement> data_elements(1); |
92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); | 92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); |
93 | 93 |
94 // Set up a blob ID and populate it with attacker-controlled value. These two | 94 // Set up a blob ID and populate it with attacker-controlled value. These two |
pwnall
2016/11/04 02:26:54
The comment diverges from the code.
dmurph
2016/11/04 23:23:01
Done.
| |
95 // messages are allowed, because this data is not in any origin. | 95 // messages are allowed, because this data is not in any origin. |
96 IPC::IpcSecurityTestUtil::PwnMessageReceived( | 96 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
97 rfh->GetProcess()->GetChannel(), | 97 rfh->GetProcess()->GetChannel(), |
98 BlobStorageMsg_RegisterBlobUUID(blob_id, blob_type, "", | 98 BlobStorageMsg_RegisterBlob(blob_id, blob_type, "", data_elements)); |
99 std::set<std::string>())); | |
100 | 99 |
101 IPC::IpcSecurityTestUtil::PwnMessageReceived( | |
102 rfh->GetProcess()->GetChannel(), | |
103 BlobStorageMsg_StartBuildingBlob(blob_id, data_elements)); | |
104 | 100 |
105 // This IPC should result in a kill because |target_origin| is not commitable | 101 // This IPC should result in a kill because |target_origin| is not commitable |
106 // in |rfh->GetProcess()|. | 102 // in |rfh->GetProcess()|. |
107 content::RenderProcessHostWatcher crash_observer( | 103 content::RenderProcessHostWatcher crash_observer( |
108 rfh->GetProcess(), | 104 rfh->GetProcess(), |
109 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); | 105 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
110 IPC::IpcSecurityTestUtil::PwnMessageReceived( | 106 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
111 rfh->GetProcess()->GetChannel(), | 107 rfh->GetProcess()->GetChannel(), |
112 BlobHostMsg_RegisterPublicURL( | 108 BlobHostMsg_RegisterPublicURL( |
113 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); | 109 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); |
114 crash_observer.Wait(); // If the process is killed, this test passes. | 110 crash_observer.Wait(); // If the process is killed, this test passes. |
115 } | 111 } |
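Review bot: The final `crash_observer.Wait()` passes on any exit of the renderer, so on the new side nothing ties the kill to the origin check in `BlobHostMsg_RegisterPublicURL` rather than to the preceding `BlobStorageMsg_RegisterBlob` call, which now carries the data elements in the same IPC. If the browser ever started rejecting that registration, the test would stay green without exercising the uncommittable-origin path it is meant to guard. Consider asserting that the process is still alive just before `crash_observer` is constructed, e.g. `EXPECT_TRUE(rfh->GetProcess()->HasConnection());  // RegisterBlob alone must not kill the renderer` (assuming that accessor is available at this revision and the message has been dispatched by then), or checking the recorded bad-message reason after the wait. The test body begins in the skipped lines, so the declarations of `blob_id` and `blob_type` are not visible here.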