Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(280)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/renderer/render_view_browsertest.cc

Issue 2514323003: Fix UaF in RenderFrameImpl::OnBeforeUnload. (Closed)
Patch Set: add comments Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/renderer/render_frame_impl.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/renderer/render_view_browsertest.cc
diff --git a/content/renderer/render_view_browsertest.cc b/content/renderer/render_view_browsertest.cc
index fa357307a350ba0540c012431642f24d2a4a41f4..4a478961f960ef2bd507f46d17b30823c02a8a5a 100644
--- a/content/renderer/render_view_browsertest.cc
+++ b/content/renderer/render_view_browsertest.cc
@@ -2185,6 +2185,64 @@ TEST_F(RenderViewImplTest, HistoryIsProperlyUpdatedOnNavigation) {
view()->historyForwardListCount() + 1);
}
+// IPC Listener that runs a callback when a console.log() is executed from
+// javascript.
+class ConsoleCallbackFilter : public IPC::Listener {
+ public:
+ explicit ConsoleCallbackFilter(
+ base::Callback<void(const base::string16&)> callback)
+ : callback_(callback) {}
+
+ bool OnMessageReceived(const IPC::Message& msg) override {
+ bool handled = true;
+ IPC_BEGIN_MESSAGE_MAP(ConsoleCallbackFilter, msg)
+ IPC_MESSAGE_HANDLER(FrameHostMsg_DidAddMessageToConsole,
+ OnDidAddMessageToConsole)
+ IPC_MESSAGE_UNHANDLED(handled = false)
+ IPC_END_MESSAGE_MAP()
+ return handled;
+ }
+
+ void OnDidAddMessageToConsole(int32_t,
+ const base::string16& message,
+ int32_t,
+ const base::string16&) {
+ callback_.Run(message);
+ }
+
+ private:
+ base::Callback<void(const base::string16&)> callback_;
+};
+
+// Tests that there's no UaF after dispatchBeforeUnloadEvent.
+// See https://crbug.com/666714.
+TEST_F(RenderViewImplTest, DispatchBeforeUnloadCanDetachFrame) {
+ LoadHTML(
+ "<script>window.onbeforeunload = function() { "
+ "window.console.log('OnBeforeUnload called'); }</script>");
+
+ // Creates a callback that swaps the frame when the 'OnBeforeUnload called'
+ // log is printed from the beforeunload handler.
+ std::unique_ptr<ConsoleCallbackFilter> callback_filter(
+ new ConsoleCallbackFilter(base::Bind(
+ [](RenderFrameImpl* frame, const base::string16& msg) {
+ // Makes sure this happens during the beforeunload handler.
+ EXPECT_EQ(base::UTF8ToUTF16("OnBeforeUnload called"), msg);
+
+ // Swaps the main frame.
+ frame->OnMessageReceived(FrameMsg_SwapOut(
+ frame->GetRoutingID(), 1, false, FrameReplicationState()));
+ },
+ base::Unretained(frame()))));
+ render_thread_->sink().AddFilter(callback_filter.get());
+
+ // Simulates a BeforeUnload IPC received from the browser.
+ frame()->OnMessageReceived(
+ FrameMsg_BeforeUnload(frame()->GetRoutingID(), false));
+
+ render_thread_->sink().RemoveFilter(callback_filter.get());
+}
+
TEST_F(RenderViewImplBlinkSettingsTest, Default) {
DoSetUp();
EXPECT_FALSE(settings()->viewportEnabled());
« no previous file with comments | « content/renderer/render_frame_impl.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698