Side by Side Diff: android_webview/browser/aw_request_interceptor.cc

Issue 59903011: [android_webview] Fix UAF in request interception code. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 1 month ago
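--- a/android_webview/browser/aw_request_interceptor.cc
+++ b/android_webview/browser/aw_request_interceptor.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "android_webview/browser/aw_request_interceptor.h"
 
 #include "android_webview/browser/aw_contents_io_thread_client.h"
 #include "android_webview/browser/intercepted_request_data.h"
 #include "base/android/jni_string.h"
 #include "base/memory/scoped_ptr.h"
@@ -21,36 +21,34 @@
 using content::ResourceRequestInfo;
 
 namespace android_webview {
 
 namespace {
 
 const void* kURLRequestUserDataKey = &kURLRequestUserDataKey;
 
 class URLRequestUserData : public base::SupportsUserData::Data {
 public:
-URLRequestUserData(
-scoped_ptr<InterceptedRequestData> intercepted_request_data)
-: intercepted_request_data_(intercepted_request_data.Pass()) {
-}
+URLRequestUserData(scoped_refptr<InterceptedRequestData::Holder> holder)
+: holder_(holder) {}
 
 static URLRequestUserData* Get(net::URLRequest* request) {
 return reinterpret_cast<URLRequestUserData*>(
 request->GetUserData(kURLRequestUserDataKey));
 }
 
-const InterceptedRequestData* intercepted_request_data() const {
-return intercepted_request_data_.get();
+scoped_refptr<InterceptedRequestData::Holder> holder() const {
+return holder_;
 }
 
 private:
-scoped_ptr<InterceptedRequestData> intercepted_request_data_;
+scoped_refptr<InterceptedRequestData::Holder> holder_;
 };
 
 } // namespace
 
 AwRequestInterceptor::AwRequestInterceptor() {
 }
 
 AwRequestInterceptor::~AwRequestInterceptor() {
 }
 
@@ -84,24 +82,28 @@
 // as it is possible for the Interceptor chain to be invoked more than once
 // (in which case we don't want to query the embedder multiple times).
 URLRequestUserData* user_data = URLRequestUserData::Get(request);
 
 if (!user_data) {
 // To ensure we only query the embedder once, we rely on the fact that the
 // user_data object will be created and attached to the URLRequest after a
 // call to QueryForInterceptedRequestData is made (regardless of whether
 // the result of that call is a valid InterceptedRequestData* pointer or
 // NULL.
-user_data = new URLRequestUserData(
-QueryForInterceptedRequestData(request->url(), request));
+scoped_ptr<InterceptedRequestData> data =
+QueryForInterceptedRequestData(request->url(), request);
+scoped_refptr<InterceptedRequestData::Holder> holder;
+if (data) {
+holder = new InterceptedRequestData::Holder();
+holder->data = data.Pass();
+}
+user_data = new URLRequestUserData(holder);
 request->SetUserData(kURLRequestUserDataKey, user_data);
 }
 
-const InterceptedRequestData* intercepted_request_data =
-user_data->intercepted_request_data();
-
-if (!intercepted_request_data)
+if (!user_data->holder().get())
 return NULL;
-return intercepted_request_data->CreateJobFor(request, network_delegate);
+return InterceptedRequestData::CreateJobFor(
+user_data->holder(), request, network_delegate);
 }
 
 } // namespace android_webview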
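Review bot: Nothing in the new `URLRequestUserData` says why `holder_` is ref-counted rather than solely owned, and that is the invariant this use-after-free fix depends on. The job returned by `InterceptedRequestData::CreateJobFor(user_data->holder(), request, network_delegate)` presumably keeps its own reference so the data outlives the URLRequest's user data, but the callee lives in intercepted_request_data.h and is not visible in this file. A comment on the member such as `// Shared with jobs created by CreateJobFor(); do not downgrade to sole ownership or a raw pointer.` would keep a later cleanup from reintroducing the dangling pointer. The block comment above the query still speaks of an `InterceptedRequestData*` pointer or NULL, while what is stored now is a Holder that stays null when the query returned no data. Separately, the new single-argument constructor should be marked `explicit`.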