content/browser/renderer_host/render_view_host_impl.cc - Issue 817103002: Only take basename of default_file_name when starting a File Chooser.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/browser/renderer_host/render_view_host_impl.cc

Issue 817103002: Only take basename of default_file_name when starting a File Chooser. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: POSIX fixes Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/browser/renderer_host/render_view_host_impl.cc

diff --git a/content/browser/renderer_host/render_view_host_impl.cc b/content/browser/renderer_host/render_view_host_impl.cc

index 190545d1e8e51920cee75acfffbcc953f2e05d7e..b5839aa2483aa1eb762220a4e028ff0e57f27db2 100644

--- a/content/browser/renderer_host/render_view_host_impl.cc

+++ b/content/browser/renderer_host/render_view_host_impl.cc

@@ -1395,6 +1395,14 @@ void RenderViewHostImpl::OnDidZoomURL(double zoom_level,

}

void RenderViewHostImpl::OnRunFileChooser(const FileChooserParams& params) {

+ // Do not allow messages with absolute paths in them as this can permit a

+ // renderer to coerce the browser to perform I/O on a renderer controlled

+ // path.

+ if (params.default_file_name != params.default_file_name.BaseName()) {

+ GetProcess()->ReceivedBadMessage();

+ return;

+ }

delegate_->RunFileChooser(this, params);

}

« no previous file with comments | « no previous file | content/browser/security_exploit_browsertest.cc » ('j') | content/browser/security_exploit_browsertest.cc » ('J')