Added impersonation of the anonymous token around CloseClipboard

ui/base/clipboard/clipboard_win.cc

Index: ui/base/clipboard/clipboard_win.cc
diff --git a/ui/base/clipboard/clipboard_win.cc b/ui/base/clipboard/clipboard_win.cc
index c2c2fb69f8e3f845e1ec28cedeb9a2de72bb2a9b..38d02f84ca6693c83c3d992823225f1a10562c82 100644
--- a/ui/base/clipboard/clipboard_win.cc
+++ b/ui/base/clipboard/clipboard_win.cc
@@ -35,6 +35,23 @@ namespace ui {
 
 namespace {
 
+// A scoper to impersonate the anonymous token and revert when leaving scope
+class AnonymousImpersonator {
+ public:
+  AnonymousImpersonator() {
+    must_revert_ = ::ImpersonateAnonymousToken(::GetCurrentThread());

[Wez, 2014/12/15 17:07:11]

Under what circumstances can ImpersonateAnonymousToken fail?

Should we instead be CHECK()ing this, since if it fails, we're not impersonating
the anonymous token? 

[forshaw, 2014/12/16 09:07:30]

It can fail if we're running under a restricted token, other than that it
shouldn't fail. However if we're in a restricted token it isn't as big an issue
if the token is captured. I don't think it needs a CHECK though as we don't want
to crash if it fails as it only makes a difference in a very limited set of
scenarios. 

+  }
+
+  ~AnonymousImpersonator() {
+    if (must_revert_)
+      ::RevertToSelf();
+  }
+
+ private:
+  BOOL must_revert_;
+  DISALLOW_COPY_AND_ASSIGN(AnonymousImpersonator);

[dcheng, 2014/12/15 16:58:20]

Note: I usually see a newline between DISALLOW_COPY_AND_ASSIGN and the rest of
the class definition.

[forshaw, 2014/12/16 09:07:30]

Acknowledged.

+};
+
 // A scoper to manage acquiring and automatically releasing the clipboard.
 class ScopedClipboard {
  public:
@@ -84,6 +101,11 @@ class ScopedClipboard {
 
   void Release() {
     if (opened_) {
+      // Impersonate the anonymous token during the call to CloseClipboard
+      // This prevents Windows 8+ capturing the broker's access token which
+      // could be accessed by lower-privileges chrome processes leading to
+      // a risk of EoP

[Wez, 2014/12/15 17:07:11]

nit: punctuation

Impersonating the anonymous token presumably impacts the behaviour of e.g.
putting files onto the clipboard - any application which expects to be able to
use GetClipboardAuthToken() to ensure that it has access to the files is going
to fail. We should document that likely impact, at least.

[forshaw, 2014/12/16 09:07:30]

The only thing I think this should impact is anyone calling the
GetClipboardAccessToken system call which as far as I can tell is limited to a
few internal DLLs. It isn't documented from what I can determine or clear what
it's actual purpose is. It shouldn't affect the processing of files transferred
over the clipboard but it's always a possibility that something won't work
correctly afterwards. 

+      AnonymousImpersonator impersonator;
       ::CloseClipboard();
       opened_ = false;
     } else {