Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
817103002:
Only take basename of default_file_name when starting a File Chooser. (Closed)
|
Created:
6 years ago by Will Harris Modified:
5 years, 10 months ago CC:
chromium-reviews Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionOnly take basename of default_file_name when starting a File Chooser.
Validate no ViewHostMsg_RunFileChooser messages received in the browser contain no path elements.
BUG=444198
TEST=content_browsertests
Committed: https://crrev.com/815c487fa677cf5413ed22e181437c1107300d49
Cr-Commit-Position: refs/heads/master@{#318111}
Patch Set 1 #
Total comments: 1
Patch Set 2 : change to filter at the IPC #
Total comments: 1
Patch Set 3 : add test #Patch Set 4 : POSIX fixes #
Total comments: 1
Messages
Total messages: 25 (4 generated)
wfh@chromium.org changed reviewers: + thestig@chromium.org
Can we change the renderer to only send the base name and sanity check that on the browser side when we first receive the IPC? I haven't touched the code in a while, so I'm trying to remember how this all works. https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... File chrome/browser/file_select_helper.cc (right): https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... chrome/browser/file_select_helper.cc:462: // default_file_name is untrusted from renderer so only take basename. nit: |default_file_name|
On 2014/12/20 01:08:58, Lei Zhang wrote: > Can we change the renderer to only send the base name and sanity check that on > the browser side when we first receive the IPC? > > I haven't touched the code in a while, so I'm trying to remember how this all > works. > > https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... > File chrome/browser/file_select_helper.cc (right): > > https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... > chrome/browser/file_select_helper.cc:462: // default_file_name is untrusted from > renderer so only take basename. > nit: |default_file_name| Yes, good point. I haven't actually found any legitimate cases where the renderer sends an absolute path, so I could just terminate the renderer if I get an IPC where params.default_file_name.IsAbsolute()
On 2014/12/20 01:17:41, Will Harris wrote: > On 2014/12/20 01:08:58, Lei Zhang wrote: > > Can we change the renderer to only send the base name and sanity check that on > > the browser side when we first receive the IPC? > > > > I haven't touched the code in a while, so I'm trying to remember how this all > > works. > > > > > https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... > > File chrome/browser/file_select_helper.cc (right): > > > > > https://codereview.chromium.org/817103002/diff/1/chrome/browser/file_select_h... > > chrome/browser/file_select_helper.cc:462: // default_file_name is untrusted > from > > renderer so only take basename. > > nit: |default_file_name| > > Yes, good point. I haven't actually found any legitimate cases where the > renderer sends an absolute path, so I could just terminate the renderer if I get > an IPC where params.default_file_name.IsAbsolute() If that's the case, then ya, let's just sanity check in the ViewHostMsg_RunFileChooser IPC handler.
PTAL
On 2014/12/23 20:32:51, Will Harris wrote: > PTAL festive ping
wfh@chromium.org changed reviewers: + nasko@chromium.org - thestig@chromium.org
nasko@chromium.org: Please review changes when you get back from vacation!
The code looks good, but it will be nice to have a test for this to avoid regressing.
On 2015/01/02 16:48:14, nasko (Out till 2015) wrote: > The code looks good, but it will be nice to have a test for this to avoid > regressing. I certainly wanted to add a test but I had no idea where to add it. Do you have any suggestions?
There are a couple of options - you can write a test and fake the IPC message sent by the renderer and verify the child process is killed. An example of how to work with the FileChooser can be found in https://code.google.com/p/chromium/codesearch#chromium/src/content/browser/fr... And tests that try to fake IPCs are in security_exploit_browsertest.cc.
thestig@chromium.org changed reviewers: + thestig@chromium.org
Happy new year pong! https://codereview.chromium.org/817103002/diff/20001/content/browser/renderer... File content/browser/renderer_host/render_view_host_impl.cc (right): https://codereview.chromium.org/817103002/diff/20001/content/browser/renderer... content/browser/renderer_host/render_view_host_impl.cc:1451: if (params.default_file_name.IsAbsolute()) { Should we check and make sure the file name does not contain any path separators instead? i.e. No ../../ ... /../path/to/file
On 2015/01/05 22:43:55, Lei Zhang wrote: > Happy new year pong! > > https://codereview.chromium.org/817103002/diff/20001/content/browser/renderer... > File content/browser/renderer_host/render_view_host_impl.cc (right): > > https://codereview.chromium.org/817103002/diff/20001/content/browser/renderer... > content/browser/renderer_host/render_view_host_impl.cc:1451: if > (params.default_file_name.IsAbsolute()) { > Should we check and make sure the file name does not contain any path separators > instead? i.e. No ../../ ... /../path/to/file I have this aching feeling if I don't finish this CL someone will exploit it in pwn2own... so I'll get this done this week!
PTAL - added some tests.
lgtm
Looks good, but I have a question about the test. https://codereview.chromium.org/817103002/diff/60001/content/browser/security... File content/browser/security_exploit_browsertest.cc (right): https://codereview.chromium.org/817103002/diff/60001/content/browser/security... content/browser/security_exploit_browsertest.cc:120: GURL foo("http://foo.com/simple_page.html"); This seems like simple enough test that it should be doable in unit tests, which are much cheaper and more efficient. Have you tried going that route?
On 2015/02/25 15:14:45, nasko wrote: > Looks good, but I have a question about the test. > > https://codereview.chromium.org/817103002/diff/60001/content/browser/security... > File content/browser/security_exploit_browsertest.cc (right): > > https://codereview.chromium.org/817103002/diff/60001/content/browser/security... > content/browser/security_exploit_browsertest.cc:120: GURL > foo("http://foo.com/simple_page.html"); > This seems like simple enough test that it should be doable in unit tests, which > are much cheaper and more efficient. Have you tried going that route? How strongly do you feel about this - comment #12 suggested this was the best way so I went ahead and did it. Can you point me at some code in unit_tests that I can try and copy that instead - I need to verify the renderer is killed though, is that still possible from unit tests?
On 2015/02/25 17:24:39, Will Harris wrote: > On 2015/02/25 15:14:45, nasko wrote: > > Looks good, but I have a question about the test. > > > > > https://codereview.chromium.org/817103002/diff/60001/content/browser/security... > > File content/browser/security_exploit_browsertest.cc (right): > > > > > https://codereview.chromium.org/817103002/diff/60001/content/browser/security... > > content/browser/security_exploit_browsertest.cc:120: GURL > > foo("http://foo.com/simple_page.html"); > > This seems like simple enough test that it should be doable in unit tests, > which > > are much cheaper and more efficient. Have you tried going that route? > > How strongly do you feel about this - comment #12 suggested this was the best > way so I went ahead and did it. Can you point me at some code in unit_tests > that I can try and copy that instead - I need to verify the renderer is killed > though, is that still possible from unit tests? Sorry, I found the other example you gave. I have no way to get the renderer to generate the bad IPC because the renderer sanitises the path before sending it, so I need to fake the IPC anyway - it sounds like leaving this in security_exploit_browsertest.cc is a good place since it already does fake IPCs. Thoughts?
LGTM
The CQ bit was checked by wfh@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/817103002/60001
Message was sent while issue was closed.
Committed patchset #4 (id:60001)
Message was sent while issue was closed.
Patchset 4 (id:??) landed as https://crrev.com/815c487fa677cf5413ed22e181437c1107300d49 Cr-Commit-Position: refs/heads/master@{#318111} |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
