Only take basename of default_file_name when starting a File Chooser.

content/browser/security_exploit_browsertest.cc

Index: content/browser/security_exploit_browsertest.cc
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index ae01d5e3089a779830adf526eb3dcf1381090df7..62d3b62c674820a133f13cd26ed52bbca5d346cc 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -18,6 +18,7 @@
 #include "content/public/browser/interstitial_page_delegate.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/content_switches.h"
+#include "content/public/common/file_chooser_params.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
@@ -107,8 +108,35 @@ class SecurityExploitBrowserTest : public ContentBrowserTest {
                 .ToString() +
             ",EXCLUDE localhost");
   }
+
+ protected:
+  // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
+  // cause renderer to be killed.
+  void TestFileChooserWithPath(const base::FilePath& path);
 };
 
+void SecurityExploitBrowserTest::TestFileChooserWithPath(
+    const base::FilePath& path) {
+  GURL foo("http://foo.com/simple_page.html");

[nasko, 2015/02/25 15:14:45]

This seems like simple enough test that it should be doable in unit tests, which
are much cheaper and more efficient. Have you tried going that route?

+  NavigateToURL(shell(), foo);
+  EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
+
+  content::RenderViewHost* compromised_renderer =
+      shell()->web_contents()->GetRenderViewHost();
+  content::RenderProcessHostWatcher terminated(
+      shell()->web_contents(),
+      content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+  FileChooserParams params;
+  params.default_file_name = path;
+
+  ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
+
+  IpcSecurityTestUtil::PwnMessageReceived(
+      compromised_renderer->GetProcess()->GetChannel(), evil);
+  terminated.Wait();
+}
+
 // Ensure that we kill the renderer process if we try to give it WebUI
 // properties and it doesn't have enabled WebUI bindings.
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
@@ -179,6 +207,20 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
   // If the above operation doesn't crash, the test has succeeded!
 }
 
+// This is a test for crbug.com/444198. It tries to send a
+// ViewHostMsg_RunFileChooser containing an invalid path. The browser should
+// correctly terminate the renderer in these cases.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
+#if defined(OS_WIN)
+  TestFileChooserWithPath(
+      base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
+  TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
+#endif
+}
+
 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
  public:
   explicit SecurityExploitTestInterstitialPage(WebContents* contents) {