| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "content/browser/resource_request_body_browser_utils.h" | |
| 6 | |
| 7 #include "content/browser/child_process_security_policy_impl.h" | |
| 8 #include "content/browser/site_instance_impl.h" | |
| 9 #include "content/common/resource_request_body_impl.h" | |
| 10 #include "content/public/browser/browser_context.h" | |
| 11 #include "content/public/browser/storage_partition.h" | |
| 12 #include "storage/browser/fileapi/file_system_context.h" | |
| 13 | |
| 14 namespace content { | |
| 15 | |
| 16 namespace { | |
| 17 | |
| 18 bool CanReadRequestBody(int child_id, | |
| 19 const storage::FileSystemContext* file_system_context, | |
| 20 const scoped_refptr<ResourceRequestBodyImpl>& body) { | |
alexmos
2017/05/25 23:44:06
This one looks like a ChildProcessSecurityPolicyIm
Łukasz Anforowicz
2017/05/26 00:05:14
nick@: Any concerns with making CanReadRequestBody
ncarter (slow)
2017/05/26 21:23:11
My gut sense: it doesn't totally feel like it fits
| 21 if (!body) | |
| 22 return true; | |
| 23 | |
| 24 ChildProcessSecurityPolicyImpl* security_policy = | |
| 25 ChildProcessSecurityPolicyImpl::GetInstance(); | |
| 26 for (const ResourceRequestBodyImpl::Element& element : *body->elements()) { | |
| 27 switch (element.type()) { | |
| 28 case ResourceRequestBodyImpl::Element::TYPE_FILE: | |
| 29 if (!security_policy->CanReadFile(child_id, element.path())) | |
| 30 return false; | |
| 31 break; | |
| 32 | |
| 33 case ResourceRequestBodyImpl::Element::TYPE_FILE_FILESYSTEM: | |
| 34 if (!security_policy->CanReadFileSystemFile( | |
| 35 child_id, | |
| 36 file_system_context->CrackURL(element.filesystem_url()))) | |
| 37 return false; | |
| 38 break; | |
| 39 | |
| 40 case ResourceRequestBodyImpl::Element::TYPE_DISK_CACHE_ENTRY: | |
| 41 // TYPE_DISK_CACHE_ENTRY can't be sent via IPC according to | |
| 42 // content/common/resource_messages.cc | |
| 43 NOTREACHED(); | |
| 44 return false; | |
| 45 | |
| 46 case ResourceRequestBodyImpl::Element::TYPE_BYTES: | |
| 47 case ResourceRequestBodyImpl::Element::TYPE_BYTES_DESCRIPTION: | |
| 48 // Data is self-contained within |body| - no need to check access. | |
| 49 break; | |
| 50 | |
| 51 case ResourceRequestBodyImpl::Element::TYPE_BLOB: | |
| 52 // No need to validate - the unguessability of the uuid of the blob is a | |
| 53 // sufficient defense against access from an unrelated renderer. | |
| 54 break; | |
| 55 | |
| 56 case ResourceRequestBodyImpl::Element::TYPE_UNKNOWN: | |
| 57 default: | |
| 58 // Fail safe - deny access. | |
| 59 NOTREACHED(); | |
| 60 return false; | |
| 61 } | |
| 62 } | |
| 63 return true; | |
| 64 } | |
| 65 | |
| 66 } // namespace | |
| 67 | |
| 68 bool CanReadRequestBody(SiteInstance* site_instance, | |
| 69 const scoped_refptr<ResourceRequestBodyImpl>& body) { | |
| 70 int child_id = site_instance->GetProcess()->GetID(); | |
| 71 | |
| 72 StoragePartition* storage_partition = BrowserContext::GetStoragePartition( | |
| 73 site_instance->GetBrowserContext(), site_instance); | |
| 74 const storage::FileSystemContext* file_system_context = | |
| 75 storage_partition->GetFileSystemContext(); | |
| 76 | |
| 77 return CanReadRequestBody(child_id, file_system_context, body); | |
| 78 } | |
| 79 | |
| 80 } // namespace content | |
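Review bot: The `TYPE_FILE_FILESYSTEM` case in the anonymous-namespace `CanReadRequestBody` dereferences `file_system_context` with no null guard (`file_system_context->CrackURL(...)`), while the pointer is an unchecked parameter that the public overload obtains from `storage_partition->GetFileSystemContext()`. A StoragePartition presumably always owns a FileSystemContext, but nothing in this file establishes it, and the function's own `default:` branch sets the convention that an unexpected state should deny rather than crash; the same policy should apply here so a filesystem-backed element is refused when there is no context to crack its URL with, e.g. `if (!file_system_context || !security_policy->CanReadFileSystemFile(child_id, file_system_context->CrackURL(element.filesystem_url())))`. Separately, `site_instance->GetProcess()->GetID()` in the public overload is worth a one-line comment stating whether the caller guarantees a live process, since a `GetProcess()` that lazily creates one would be a surprising side effect for a read-only permission check; I cannot tell from this file which it is.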