| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
| 9 #include "base/files/file_util.h" | 9 #include "base/files/file_util.h" |
| 10 #include "base/files/scoped_temp_dir.h" | 10 #include "base/files/scoped_temp_dir.h" |
| 11 #include "base/macros.h" | 11 #include "base/macros.h" |
| 12 #include "base/memory/ptr_util.h" | 12 #include "base/memory/ptr_util.h" |
| 13 #include "base/strings/stringprintf.h" | 13 #include "base/strings/stringprintf.h" |
| 14 #include "content/browser/child_process_security_policy_impl.h" | 14 #include "content/browser/child_process_security_policy_impl.h" |
| 15 #include "content/browser/loader/resource_dispatcher_host_impl.h" | 15 #include "content/browser/loader/resource_dispatcher_host_impl.h" |
| 16 #include "content/public/browser/navigation_entry.h" | 16 #include "content/public/browser/navigation_entry.h" |
| 17 #include "content/public/browser/navigation_handle.h" | 17 #include "content/public/browser/navigation_handle.h" |
| 18 #include "content/public/browser/render_frame_host.h" |
| 18 #include "content/public/browser/render_process_host.h" | 19 #include "content/public/browser/render_process_host.h" |
| 19 #include "content/public/browser/resource_dispatcher_host_delegate.h" | 20 #include "content/public/browser/resource_dispatcher_host_delegate.h" |
| 20 #include "content/public/browser/resource_throttle.h" | 21 #include "content/public/browser/resource_throttle.h" |
| 21 #include "content/public/browser/web_contents.h" | 22 #include "content/public/browser/web_contents.h" |
| 22 #include "content/public/common/content_switches.h" | 23 #include "content/public/common/content_switches.h" |
| 23 #include "content/public/test/browser_test_utils.h" | 24 #include "content/public/test/browser_test_utils.h" |
| 24 #include "content/public/test/content_browser_test.h" | 25 #include "content/public/test/content_browser_test.h" |
| 25 #include "content/public/test/content_browser_test_utils.h" | 26 #include "content/public/test/content_browser_test_utils.h" |
| 26 #include "content/public/test/navigation_handle_observer.h" | 27 #include "content/public/test/navigation_handle_observer.h" |
| 27 #include "content/public/test/test_navigation_observer.h" | 28 #include "content/public/test/test_navigation_observer.h" |
| (...skipping 480 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 508 "window.domAutomationController.send(" | 509 "window.domAutomationController.send(" |
| 509 "document.getElementsByTagName('pre')[0].innerText);", | 510 "document.getElementsByTagName('pre')[0].innerText);", |
| 510 &actual_page_body)); | 511 &actual_page_body)); |
| 511 EXPECT_THAT(actual_page_body, ::testing::HasSubstr(file_content)); | 512 EXPECT_THAT(actual_page_body, ::testing::HasSubstr(file_content)); |
| 512 EXPECT_THAT(actual_page_body, | 513 EXPECT_THAT(actual_page_body, |
| 513 ::testing::HasSubstr(file_path.BaseName().AsUTF8Unsafe())); | 514 ::testing::HasSubstr(file_path.BaseName().AsUTF8Unsafe())); |
| 514 EXPECT_THAT(actual_page_body, | 515 EXPECT_THAT(actual_page_body, |
| 515 ::testing::HasSubstr("form-data; name=\"file\"")); | 516 ::testing::HasSubstr("form-data; name=\"file\"")); |
| 516 } | 517 } |
| 517 | 518 |
| 519 // Test that verifies that if navigation originator doesn't have access to a |
| 520 // file, then no access is granted after a cross-process transfer of POST data. |
| 521 // This is a regression test for https://crbug.com/726067. |
| 522 // |
| 523 // This test is somewhat similar to |
| 524 // http/tests/navigation/form-targets-cross-site-frame-post.html layout test |
| 525 // except that it 1) tests with files, 2) simulates a malicious scenario and 3) |
| 526 // verifies file access (all of these 3 things are not possible with layout |
| 527 // tests). |
| 528 // |
| 529 // This test is very similar to CrossSiteTransferTest.PostWithFileData above, |
| 530 // except that it simulates a malicious form / POST originator. |
| 531 IN_PROC_BROWSER_TEST_P(CrossSiteTransferTest, MaliciousPostWithFileData) { |
| 532 // The initial test window is a named form target. |
| 533 GURL initial_target_url( |
| 534 embedded_test_server()->GetURL("initial-target.com", "/title1.html")); |
| 535 EXPECT_TRUE(NavigateToURL(shell(), initial_target_url)); |
| 536 WebContents* target_contents = shell()->web_contents(); |
| 537 EXPECT_TRUE(ExecuteScript(target_contents, "window.name = 'form-target';")); |
| 538 |
| 539 // Create a new window containing a form targeting |target_contents|. |
| 540 GURL form_url(embedded_test_server()->GetURL( |
| 541 "main.com", "/form_that_posts_cross_site.html")); |
| 542 Shell* other_window = OpenPopup(target_contents, form_url, "form-window"); |
| 543 WebContents* form_contents = other_window->web_contents(); |
| 544 EXPECT_TRUE(ExecuteScript( |
| 545 form_contents, |
| 546 "document.getElementById('file-form').target = 'form-target';")); |
| 547 |
| 548 // Verify the current locations and process placement of |target_contents| |
| 549 // and |form_contents|. |
| 550 EXPECT_EQ(initial_target_url, target_contents->GetLastCommittedURL()); |
| 551 EXPECT_EQ(form_url, form_contents->GetLastCommittedURL()); |
| 552 EXPECT_NE(target_contents->GetMainFrame()->GetProcess()->GetID(), |
| 553 form_contents->GetMainFrame()->GetProcess()->GetID()); |
| 554 |
| 555 // Prepare a file to upload. |
| 556 base::ThreadRestrictions::ScopedAllowIO allow_io_for_temp_dir; |
| 557 base::ScopedTempDir temp_dir; |
| 558 base::FilePath file_path; |
| 559 std::string file_content("test-file-content"); |
| 560 ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); |
| 561 ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.GetPath(), &file_path)); |
| 562 ASSERT_LT( |
| 563 0, base::WriteFile(file_path, file_content.data(), file_content.size())); |
| 564 |
| 565 // Fill out the form to refer to the test file. |
| 566 std::unique_ptr<FileChooserDelegate> delegate( |
| 567 new FileChooserDelegate(file_path)); |
| 568 form_contents->Focus(); |
| 569 form_contents->SetDelegate(delegate.get()); |
| 570 EXPECT_TRUE( |
| 571 ExecuteScript(form_contents, "document.getElementById('file').click();")); |
| 572 EXPECT_TRUE(delegate->file_chosen()); |
| 573 ChildProcessSecurityPolicyImpl* security_policy = |
| 574 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 575 EXPECT_TRUE(security_policy->CanReadFile( |
| 576 form_contents->GetMainFrame()->GetProcess()->GetID(), file_path)); |
| 577 |
| 578 // Simulate a malicious situation, where the renderer doesn't really have |
| 579 // access to the file. |
| 580 security_policy->RevokeAllPermissionsForFile( |
| 581 form_contents->GetMainFrame()->GetProcess()->GetID(), file_path); |
| 582 EXPECT_FALSE(security_policy->CanReadFile( |
| 583 form_contents->GetMainFrame()->GetProcess()->GetID(), file_path)); |
| 584 EXPECT_FALSE(security_policy->CanReadFile( |
| 585 target_contents->GetMainFrame()->GetProcess()->GetID(), file_path)); |
| 586 |
| 587 // Submit the form and wait until the malicious renderer gets killed. |
| 588 RenderProcessHostWatcher process_exit_observer( |
| 589 form_contents->GetMainFrame()->GetProcess(), |
| 590 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| 591 EXPECT_TRUE(ExecuteScript( |
| 592 form_contents, |
| 593 "setTimeout(\n" |
| 594 " function() { document.getElementById('file-form').submit(); },\n" |
| 595 " 0);")); |
| 596 process_exit_observer.Wait(); |
| 597 EXPECT_FALSE(process_exit_observer.did_exit_normally()); |
| 598 |
| 599 // The target frame should still be at the original location - the malicious |
| 600 // navigation should have been stopped. |
| 601 EXPECT_EQ(initial_target_url, target_contents->GetLastCommittedURL()); |
| 602 |
| 603 // Both processes still shouldn't have access. |
| 604 EXPECT_FALSE(security_policy->CanReadFile( |
| 605 form_contents->GetMainFrame()->GetProcess()->GetID(), file_path)); |
| 606 EXPECT_FALSE(security_policy->CanReadFile( |
| 607 target_contents->GetMainFrame()->GetProcess()->GetID(), file_path)); |
| 608 } |
| 609 |
| 518 INSTANTIATE_TEST_CASE_P(CrossSiteTransferTest, | 610 INSTANTIATE_TEST_CASE_P(CrossSiteTransferTest, |
| 519 CrossSiteTransferTest, | 611 CrossSiteTransferTest, |
| 520 ::testing::Values(TestParameter::LOADING_WITHOUT_MOJO, | 612 ::testing::Values(TestParameter::LOADING_WITHOUT_MOJO, |
| 521 TestParameter::LOADING_WITH_MOJO)); | 613 TestParameter::LOADING_WITH_MOJO)); |
| 522 | 614 |
| 523 } // namespace content | 615 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2908433003:
RenderFrameProxyHost::OnOpenURL needs to validate resource request body. (Closed)
