Exclude files from FileSelectChooser if they can't convert to WebStrings.

content/browser/frame_host/render_frame_host_manager_browsertest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <memory>
 #include <set>
 
@@ skipping 1921 matching lines @@
   // the SwapOut ACK or a timeout.
   ASSERT_TRUE(rfh->IsRenderFrameLive());
   ASSERT_FALSE(rfh->is_active());
 
   // We specifically want verify behavior between swap-out and RFH destruction.
   ASSERT_FALSE(rfh_observer.deleted());
 
   EXPECT_FALSE(handler->IsJavascriptAllowed());
 }
 
+// Test for http://crbug.com/703303.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
+                       DontGrantAccessToInvalidFilePaths) {

[Charlie Reis, 2017/04/14 19:28:15]

This is based mostly on the following RestoreFileAccessForHistoryNavigation
test, which already mocks out the file chooser.  I've confirmed it causes the
renderer kill and fails without my fix, and passes with my fix.

+  StartServer();
+
+  // Use a file path with an invalid encoding, such that it can't be converted
+  // to a WebString.
+  base::FilePath file;
+  EXPECT_TRUE(PathService::Get(base::DIR_TEMP, &file));
+  file = file.Append("foo\337bar");
+
+  // Navigate and try to get page to reference this file in its PageState.
+  GURL url1(embedded_test_server()->GetURL("/file_input.html"));
+  NavigateToURL(shell(), url1);
+  int process_id = shell()->web_contents()->GetRenderProcessHost()->GetID();
+  std::unique_ptr<FileChooserDelegate> delegate(new FileChooserDelegate(file));
+  shell()->web_contents()->SetDelegate(delegate.get());
+  EXPECT_TRUE(
+      ExecuteScript(shell(), "document.getElementById('fileinput').click();"));
+  EXPECT_TRUE(delegate->file_chosen());
+
+  // No access should have been granted, since the browser process should
+  // realize Blink can't handle it.
+  EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      process_id, file));
+
+  // Disable the swap out timer so we wait for the UpdateState message.
+  static_cast<WebContentsImpl*>(shell()->web_contents())
+      ->GetMainFrame()
+      ->DisableSwapOutTimerForTesting();
+
+  // Navigate to a different process and wait for the old process to exit.
+  RenderProcessHostWatcher exit_observer(
+      shell()->web_contents()->GetRenderProcessHost(),
+      RenderProcessHostWatcher::WATCH_FOR_HOST_DESTRUCTION);
+  NavigateToURL(shell(), GetCrossSiteURL("/title1.html"));
+  exit_observer.Wait();
+  EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      shell()->web_contents()->GetRenderProcessHost()->GetID(), file));
+
+  // Ensure that the file did not end up in the PageState of the previous entry.
+  NavigationEntry* prev_entry =
+      shell()->web_contents()->GetController().GetEntryAtIndex(0);
+  EXPECT_EQ(url1, prev_entry->GetURL());
+  const std::vector<base::FilePath>& files =
+      prev_entry->GetPageState().GetReferencedFiles();
+  ASSERT_EQ(0U, files.size());
+}
+
 // Test for http://crbug.com/262948.
 IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
                        RestoreFileAccessForHistoryNavigation) {
   StartServer();
   base::FilePath file;
   EXPECT_TRUE(PathService::Get(base::DIR_TEMP, &file));
   file = file.AppendASCII("bar");
 
   // Navigate to url and get it to reference a file in its PageState.
   GURL url1(embedded_test_server()->GetURL("/file_input.html"));
@@ skipping 1322 matching lines @@
   // than one ancestor has the same URL (excluding fragments), and the
   // navigating frame's current URL shouldn't count toward that.
   EXPECT_TRUE(
       ExecuteScript(child, "location.href = '" + first_url.spec() + "';"));
   observer2.Wait();
 
   EXPECT_EQ(child->current_url(), first_url);
 }
 
 }  // namespace content