RenderFrameProxyHost::OnOpenURL needs to validate resource request body.

content/browser/security_exploit_browsertest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/macros.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 541 matching lines @@
   // terminated. However, the notification for that should be processed in a
   // separate task of the message loop, so ensure that the process is still
   // considered alive.
   EXPECT_TRUE(root->current_frame_host()->GetProcess()->HasConnection());
 
   exit_observer.Wait();
   EXPECT_FALSE(exit_observer.did_exit_normally());
   ResourceDispatcherHost::Get()->SetDelegate(nullptr);
 }
 
+// Test that a compromised renderer cannot ask to upload an arbitrary file in
+// OpenURL.  This is a regression test for https://crbug.com/726067.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+                       OpenUrl_ResourceRequestBody) {
+  GURL start_url(embedded_test_server()->GetURL("/title1.html"));
+  GURL target_url(embedded_test_server()->GetURL("/echoall"));
+  EXPECT_TRUE(NavigateToURL(shell(), start_url));
+
+  FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+                            ->GetFrameTree()
+                            ->root();
+
+  RenderProcessHostWatcher exit_observer(
+      root->current_frame_host()->GetProcess(),
+      RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+  // Prepare a file to upload.
+  base::ThreadRestrictions::ScopedAllowIO allow_io_for_temp_dir;
+  base::ScopedTempDir temp_dir;
+  base::FilePath file_path;
+  std::string file_content("test-file-content");
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.GetPath(), &file_path));
+  ASSERT_LT(
+      0, base::WriteFile(file_path, file_content.data(), file_content.size()));
+
+  // Simulate an IPC message asking to POST a file that the renderer shouldn't
+  // have access to.
+  FrameHostMsg_OpenURL_Params params;
+  params.url = target_url;
+  params.uses_post = true;
+  params.resource_request_body = new ResourceRequestBodyImpl;
+  params.resource_request_body->AppendFileRange(
+      file_path, 0, file_content.size(), base::Time());
+  params.disposition = WindowOpenDisposition::CURRENT_TAB;
+  params.should_replace_current_entry = true;
+  params.user_gesture = true;
+  params.is_history_navigation_in_new_child = false;
+
+  FrameHostMsg_OpenURL msg(root->current_frame_host()->routing_id(), params);
+  IPC::IpcSecurityTestUtil::PwnMessageReceived(
+      root->current_frame_host()->GetProcess()->GetChannel(), msg);
+
+  // Verify that the malicious navigation did not commit the navigation to
+  // |target_url|.
+  WaitForLoadStop(shell()->web_contents());
+  EXPECT_EQ(start_url, root->current_frame_host()->GetLastCommittedURL());
+
+  // Verify that the malicious renderer got killed.
+  exit_observer.Wait();
+  EXPECT_FALSE(exit_observer.did_exit_normally());
+}
+
 }  // namespace content