
Side by Side Diff: chrome/browser/chrome_security_exploit_browsertest.cc

Issue 2448353002: [BlobAsync] Moving async handling into BlobStorageContext & quota out. (Closed)
Patch Set: comments & windows/chromeos compile Created 4 years, 1 month ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/command_line.h" 5 #include "base/command_line.h"
6 #include "base/macros.h" 6 #include "base/macros.h"
7 #include "base/strings/stringprintf.h" 7 #include "base/strings/stringprintf.h"
8 #include "base/strings/utf_string_conversions.h" 8 #include "base/strings/utf_string_conversions.h"
9 #include "chrome/browser/ui/browser.h" 9 #include "chrome/browser/ui/browser.h"
10 #include "chrome/browser/ui/browser_commands.h" 10 #include "chrome/browser/ui/browser_commands.h"
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after
84 std::string blob_contents = "<script>chrome.extensions</script>"; 84 std::string blob_contents = "<script>chrome.extensions</script>";
85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; 85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd";
86 86
87 // Target the bookmark manager extension. 87 // Target the bookmark manager extension.
88 std::string target_origin = 88 std::string target_origin =
89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; 89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno";
90 90
91 std::vector<storage::DataElement> data_elements(1); 91 std::vector<storage::DataElement> data_elements(1);
92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); 92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size());
93 93
94 // Set up a blob ID and populate it with attacker-controlled value. These two 94 // Set up a blob ID and populate it with attacker-controlled value. These two
pwnall 2016/11/04 02:26:54 The comment diverges from the code.
dmurph 2016/11/04 23:23:01 Done.
95 // messages are allowed, because this data is not in any origin. 95 // messages are allowed, because this data is not in any origin.
96 IPC::IpcSecurityTestUtil::PwnMessageReceived( 96 IPC::IpcSecurityTestUtil::PwnMessageReceived(
97 rfh->GetProcess()->GetChannel(), 97 rfh->GetProcess()->GetChannel(),
98 BlobStorageMsg_RegisterBlobUUID(blob_id, blob_type, "", 98 BlobStorageMsg_RegisterBlob(blob_id, blob_type, "", data_elements));
99 std::set<std::string>()));
100 99
101 IPC::IpcSecurityTestUtil::PwnMessageReceived(
102 rfh->GetProcess()->GetChannel(),
103 BlobStorageMsg_StartBuildingBlob(blob_id, data_elements));
104 100
105 // This IPC should result in a kill because |target_origin| is not commitable 101 // This IPC should result in a kill because |target_origin| is not commitable
106 // in |rfh->GetProcess()|. 102 // in |rfh->GetProcess()|.
107 content::RenderProcessHostWatcher crash_observer( 103 content::RenderProcessHostWatcher crash_observer(
108 rfh->GetProcess(), 104 rfh->GetProcess(),
109 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); 105 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
110 IPC::IpcSecurityTestUtil::PwnMessageReceived( 106 IPC::IpcSecurityTestUtil::PwnMessageReceived(
111 rfh->GetProcess()->GetChannel(), 107 rfh->GetProcess()->GetChannel(),
112 BlobHostMsg_RegisterPublicURL( 108 BlobHostMsg_RegisterPublicURL(
113 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); 109 GURL("blob:" + target_origin + "/" + blob_path), blob_id));
114 crash_observer.Wait(); // If the process is killed, this test passes. 110 crash_observer.Wait(); // If the process is killed, this test passes.
115 } 111 }
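Review bot: `crash_observer.Wait()` on the last statement accepts any renderer exit, so the test cannot tell a kill caused by the origin check on `BlobHostMsg_RegisterPublicURL` from one caused by the new single `BlobStorageMsg_RegisterBlob` message, which now carries the attacker-controlled `data_elements` inline. If the browser ever starts rejecting that first message, this test would likely keep passing (or stall, since the watcher is only created after the message is sent) while no longer covering cross-origin blob URL registration. Where the test infrastructure allows it, assert the kill reason; failing that, add a comment above the wait such as `// Any process exit satisfies this wait; it does not prove the kill came from the RegisterPublicURL origin check.` The enclosing test function begins in the skipped lines outside this view.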
