Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(529)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/browser/security_exploit_browsertest.cc

Issue 2908433003: RenderFrameProxyHost::OnOpenURL needs to validate resource request body. (Closed)
Patch Set: Rebasing... Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/browser/frame_host/render_frame_proxy_host.cc ('k') | tools/metrics/histograms/enums.xml » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/browser/security_exploit_browsertest.cc
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index cf003bfe0f300567b765588e748d093cad00b205..872cdd487e0dca4dac0994a43edbd544fe18b7d0 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -559,4 +559,57 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MismatchedOriginOnCommit) {
ResourceDispatcherHost::Get()->SetDelegate(nullptr);
}
+// Test that a compromised renderer cannot ask to upload an arbitrary file in
+// OpenURL. This is a regression test for https://crbug.com/726067.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+ OpenUrl_ResourceRequestBody) {
+ GURL start_url(embedded_test_server()->GetURL("/title1.html"));
+ GURL target_url(embedded_test_server()->GetURL("/echoall"));
+ EXPECT_TRUE(NavigateToURL(shell(), start_url));
+
+ FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+ ->GetFrameTree()
+ ->root();
+
+ RenderProcessHostWatcher exit_observer(
+ root->current_frame_host()->GetProcess(),
+ RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+ // Prepare a file to upload.
+ base::ThreadRestrictions::ScopedAllowIO allow_io_for_temp_dir;
+ base::ScopedTempDir temp_dir;
+ base::FilePath file_path;
+ std::string file_content("test-file-content");
+ ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+ ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.GetPath(), &file_path));
+ ASSERT_LT(
+ 0, base::WriteFile(file_path, file_content.data(), file_content.size()));
+
+ // Simulate an IPC message asking to POST a file that the renderer shouldn't
+ // have access to.
+ FrameHostMsg_OpenURL_Params params;
+ params.url = target_url;
+ params.uses_post = true;
+ params.resource_request_body = new ResourceRequestBodyImpl;
+ params.resource_request_body->AppendFileRange(
+ file_path, 0, file_content.size(), base::Time());
+ params.disposition = WindowOpenDisposition::CURRENT_TAB;
+ params.should_replace_current_entry = true;
+ params.user_gesture = true;
+ params.is_history_navigation_in_new_child = false;
+
+ FrameHostMsg_OpenURL msg(root->current_frame_host()->routing_id(), params);
+ IPC::IpcSecurityTestUtil::PwnMessageReceived(
+ root->current_frame_host()->GetProcess()->GetChannel(), msg);
+
+ // Verify that the malicious navigation did not commit the navigation to
+ // |target_url|.
+ WaitForLoadStop(shell()->web_contents());
+ EXPECT_EQ(start_url, root->current_frame_host()->GetLastCommittedURL());
+
+ // Verify that the malicious renderer got killed.
+ exit_observer.Wait();
+ EXPECT_FALSE(exit_observer.did_exit_normally());
+}
+
} // namespace content
« no previous file with comments | « content/browser/frame_host/render_frame_proxy_host.cc ('k') | tools/metrics/histograms/enums.xml » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698