Only take basename of default_file_name when starting a File Chooser.

content/browser/security_exploit_browsertest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/strings/utf_string_conversions.h"
 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/renderer_host/render_view_host_factory.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/common/frame_messages.h"
 #include "content/common/view_messages.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/interstitial_page_delegate.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/content_switches.h"
+#include "content/public/common/file_chooser_params.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "content/shell/browser/shell.h"
 #include "ipc/ipc_security_test_util.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 
 using IPC::IpcSecurityTestUtil;
@@ skipping 69 matching lines @@
     // Add a host resolver rule to map all outgoing requests to the test server.
     // This allows us to use "real" hostnames in URLs, which we can use to
     // create arbitrary SiteInstances.
     command_line->AppendSwitchASCII(
         switches::kHostResolverRules,
         "MAP * " +
             net::HostPortPair::FromURL(embedded_test_server()->base_url())
                 .ToString() +
             ",EXCLUDE localhost");
   }
+
+ protected:
+  // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
+  // cause renderer to be killed.
+  void TestFileChooserWithPath(const base::FilePath& path);
 };
 
+void SecurityExploitBrowserTest::TestFileChooserWithPath(
+    const base::FilePath& path) {
+  GURL foo("http://foo.com/simple_page.html");

[nasko, 2015/02/25 15:14:45]

This seems like simple enough test that it should be doable in unit tests, which
are much cheaper and more efficient. Have you tried going that route?

+  NavigateToURL(shell(), foo);
+  EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
+
+  content::RenderViewHost* compromised_renderer =
+      shell()->web_contents()->GetRenderViewHost();
+  content::RenderProcessHostWatcher terminated(
+      shell()->web_contents(),
+      content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+  FileChooserParams params;
+  params.default_file_name = path;
+
+  ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
+
+  IpcSecurityTestUtil::PwnMessageReceived(
+      compromised_renderer->GetProcess()->GetChannel(), evil);
+  terminated.Wait();
+}
+
 // Ensure that we kill the renderer process if we try to give it WebUI
 // properties and it doesn't have enabled WebUI bindings.
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
   GURL foo("http://foo.com/simple_page.html");
 
   NavigateToURL(shell(), foo);
   EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
   EXPECT_EQ(0,
       shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
 
@@ skipping 50 matching lines @@
 
   // Since this test executes on the UI thread and hopping threads might cause
   // different timing in the test, let's simulate a CreateNewWidget call coming
   // from the IO thread.  Use the existing window routing id to cause a
   // deliberate collision.
   pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect);
 
   // If the above operation doesn't crash, the test has succeeded!
 }
 
+// This is a test for crbug.com/444198. It tries to send a
+// ViewHostMsg_RunFileChooser containing an invalid path. The browser should
+// correctly terminate the renderer in these cases.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
+#if defined(OS_WIN)
+  TestFileChooserWithPath(
+      base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
+#endif
+}
+
 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
  public:
   explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
     InterstitialPage* interstitial = InterstitialPage::Create(
         contents, true, contents->GetLastCommittedURL(), this);
     interstitial->Show();
   }
 
   // InterstitialPageDelegate implementation.
   void CommandReceived(const std::string& command) override {
@@ skipping 74 matching lines @@
   // "evil" message doesn't arrive in the intervening period.
   ASSERT_TRUE(content::ExecuteScript(
       interstitial_page->GetMainFrame(),
       "window.domAutomationController.send(\"okay2\");"));
   ASSERT_TRUE(message_queue.WaitForMessage(&message));
   ASSERT_EQ("\"okay2\"", message);
   ASSERT_EQ("\"okay2\"", interstitial->last_command());
 }
 
 }  // namespace content