
Side by Side Diff: content/browser/frame_host/render_frame_proxy_host.cc

Issue 2908433003: RenderFrameProxyHost::OnOpenURL needs to validate resource request body. (Closed)
Patch Set: Rebasing... Created 3 years, 7 months ago
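--- a/content/browser/frame_host/render_frame_proxy_host.cc
+++ b/content/browser/frame_host/render_frame_proxy_host.cc
@@ -1,45 +1,47 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_proxy_host.h"
 
 #include <utility>
 
 #include "base/lazy_instance.h"
 #include "content/browser/bad_message.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/cross_process_frame_connector.h"
 #include "content/browser/frame_host/frame_tree.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/frame_host/render_frame_host_delegate.h"
 #include "content/browser/frame_host/render_widget_host_view_child_frame.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/renderer_host/render_widget_host_view_base.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/common/frame_messages.h"
 #include "content/common/frame_owner_properties.h"
 #include "content/public/browser/browser_thread.h"
 #include "ipc/ipc_message.h"
 
 namespace content {
 
 namespace {
 
 // The (process id, routing id) pair that identifies one RenderFrameProxy.
 typedef std::pair<int32_t, int32_t> RenderFrameProxyHostID;
 typedef base::hash_map<RenderFrameProxyHostID, RenderFrameProxyHost*>
     RoutingIDFrameProxyMap;
 base::LazyInstance<RoutingIDFrameProxyMap>::DestructorAtExit
     g_routing_id_frame_proxy_map = LAZY_INSTANCE_INITIALIZER;
-}
+
+}  // namespace
 
 // static
 RenderFrameProxyHost* RenderFrameProxyHost::FromID(int process_id,
                                                    int routing_id) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   RoutingIDFrameProxyMap* frames = g_routing_id_frame_proxy_map.Pointer();
   RoutingIDFrameProxyMap::iterator it = frames->find(
       RenderFrameProxyHostID(process_id, routing_id));
   return it == frames->end() ? NULL : it->second;
 }
@@ -243,20 +245,29 @@
     const FrameHostMsg_OpenURL_Params& params) {
   GURL validated_url(params.url);
   GetProcess()->FilterURL(false, &validated_url);
 
   // Verify that we are in the same BrowsingInstance as the current
   // RenderFrameHost.
   RenderFrameHostImpl* current_rfh = frame_tree_node_->current_frame_host();
   if (!site_instance_->IsRelatedSiteInstance(current_rfh->GetSiteInstance()))
     return;
 
+  // Verify if the request originator (*not* |current_rfh|) has access to the
+  // contents of the POST body.
+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanReadRequestBody(
+          GetSiteInstance(), params.resource_request_body)) {
+    bad_message::ReceivedBadMessage(GetProcess(),
+                                    bad_message::RFPH_ILLEGAL_UPLOAD_PARAMS);
+    return;
+  }
+
   // Since this navigation targeted a specific RenderFrameProxy, it should stay
   // in the current tab.
   DCHECK_EQ(WindowOpenDisposition::CURRENT_TAB, params.disposition);
 
   // TODO(alexmos, creis): Figure out whether |params.user_gesture| needs to be
   // passed in as well.
   // TODO(lfg, lukasza): Remove |extra_headers| parameter from
   // RequestTransferURL method once both RenderFrameProxyHost and
   // RenderFrameHostImpl call RequestOpenURL from their OnOpenURL handlers.
   // See also https://crbug.com/647772.
@@ -346,10 +357,10 @@
 
   target_rfh->AdvanceFocus(type, source_proxy);
 }
 
 void RenderFrameProxyHost::OnFrameFocused() {
   frame_tree_node_->current_frame_host()->delegate()->SetFocusedFrame(
       frame_tree_node_, GetSiteInstance());
 }
 
 }  // namespace content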
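Review bot: The new CanReadRequestBody check in OnOpenURL (new lines 255-262) is correctly keyed on GetSiteInstance(), the proxy's own SiteInstance, but the comment only says "*not* |current_rfh|" without saying why that distinction is the security-relevant one; I would replace it with `// This IPC came from the process hosting this proxy, so access to any files referenced by the body must be checked against this proxy's SiteInstance, not against the frame's current RenderFrameHost (which may live in a different process).` It is also worth a sentence noting that, unlike the BrowsingInstance check just above which silently returns, a failure here is deliberately reported via ReceivedBadMessage because a compliant renderer never attaches a body it was not granted access to, so the mismatch is treated as a compromised sender. Presumably CanReadRequestBody accepts a null body for non-POST navigations; if it does not, every plain GET through this path would now be rejected, so that should be confirmed against its definition. OnOpenURL's signature and the remainder of its body lie outside this hunk.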