diff options
author | jvoung@chromium.org <jvoung@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-10-18 02:35:21 +0000 |
---|---|---|
committer | jvoung@chromium.org <jvoung@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-10-18 02:35:21 +0000 |
commit | 0e5eb33d622f5ef7a93299f355b2b5247246d76f (patch) | |
tree | a40ff0a2753510a0ede49a576ba2619f29b7dc43 | |
parent | 90fe4443b2e1aae4e2daaf7eda0505501f1c3721 (diff) | |
download | chromium_src-0e5eb33d622f5ef7a93299f355b2b5247246d76f.zip chromium_src-0e5eb33d622f5ef7a93299f355b2b5247246d76f.tar.gz chromium_src-0e5eb33d622f5ef7a93299f355b2b5247246d76f.tar.bz2 |
Change pnacl translator filenames and layout.
Layout will no longer have directory structure.
Swap back to testing pnacl-in-browser via a CWS extension
for now. That uses the old layout. We can swap back once we
finish renaming the files / mapping their names to this new
scheme from with pnacl_coordinator... or something.
BUG=155117
TEST=pnacl_file_host_unittest
Review URL: https://chromiumcodereview.appspot.com/11066113
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@162621 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/nacl_host/pnacl_file_host.cc | 51 | ||||
-rw-r--r-- | chrome/browser/nacl_host/pnacl_file_host_unittest.cc | 32 | ||||
-rw-r--r-- | ppapi/native_client/src/trusted/plugin/pnacl_resources.cc | 5 |
3 files changed, 55 insertions, 33 deletions
diff --git a/chrome/browser/nacl_host/pnacl_file_host.cc b/chrome/browser/nacl_host/pnacl_file_host.cc index fa0e5f0..f9454f3 100644 --- a/chrome/browser/nacl_host/pnacl_file_host.cc +++ b/chrome/browser/nacl_host/pnacl_file_host.cc @@ -21,6 +21,13 @@ using content::BrowserThread; namespace { +// Force a prefix to prevent user from opening "magic" files. +const char* kExpectedFilePrefix = "pnacl_public_"; + +// Restrict PNaCl file lengths to reduce likelyhood of hitting bugs +// in file name limit error-handling-code-paths, etc. +const size_t kMaxFileLength = 40; + void NotifyRendererOfError( ChromeRenderMessageFilter* chrome_render_message_filter, IPC::Message* reply_msg) { @@ -134,43 +141,35 @@ void GetReadonlyPnaclFd( } } +// This function is security sensitive. Be sure to check with a security +// person before you modify it. bool PnaclCanOpenFile(const std::string& filename, FilePath* file_to_open) { - // The file must use only ASCII characters. - if (!IsStringASCII(filename)) { - return false; - } - - // Disallow special shell characters, just in case... - if (filename.find('%') != std::string::npos || - filename.find('$') != std::string::npos) { + if (filename.length() > kMaxFileLength) return false; - } -#if defined(OS_WIN) - FilePath file_to_find(ASCIIToUTF16(filename)); -#elif defined(OS_POSIX) - FilePath file_to_find(filename); -#endif - - if (file_to_find.empty() || file_util::IsDot(file_to_find)) { + if (filename.empty()) return false; - } - // Disallow peeking outside of the pnacl component directory. - if (file_to_find.ReferencesParent() || file_to_find.IsAbsolute()) { - return false; + // Restrict character set of the file name to something really simple + // (a-z, 0-9, and underscores). + for (size_t i = 0; i < filename.length(); ++i) { + char charAt = filename[i]; + if (charAt < 'a' || charAt > 'z') + if (charAt < '0' || charAt > '9') + if (charAt != '_') + return false; } + // PNaCl must be installed. FilePath pnacl_dir; - if (!PathService::Get(chrome::DIR_PNACL_COMPONENT, &pnacl_dir)) { + if (!PathService::Get(chrome::DIR_PNACL_COMPONENT, &pnacl_dir) || + pnacl_dir.empty()) return false; - } - if (pnacl_dir.empty()) { - return false; - } - FilePath full_path = pnacl_dir.Append(file_to_find); + // Prepend the prefix to restrict files to a whitelisted set. + FilePath full_path = pnacl_dir.AppendASCII( + std::string(kExpectedFilePrefix) + filename); *file_to_open = full_path; return true; } diff --git a/chrome/browser/nacl_host/pnacl_file_host_unittest.cc b/chrome/browser/nacl_host/pnacl_file_host_unittest.cc index 6fcc956..76eee82 100644 --- a/chrome/browser/nacl_host/pnacl_file_host_unittest.cc +++ b/chrome/browser/nacl_host/pnacl_file_host_unittest.cc @@ -21,16 +21,38 @@ TEST(PnaclFileHostTest, TestFilenamesWithPnaclPath) { kDummyPnaclPath); ASSERT_TRUE(PathService::Get(chrome::DIR_PNACL_COMPONENT, &kDummyPnaclPath)); + + // Check allowed strings, and check that the expected prefix is added. FilePath out_path; - EXPECT_TRUE(PnaclCanOpenFile("manifest.json", &out_path)); + EXPECT_TRUE(PnaclCanOpenFile("pnacl_json", &out_path)); FilePath expected_path = kDummyPnaclPath.Append( - FILE_PATH_LITERAL("manifest.json")); + FILE_PATH_LITERAL("pnacl_public_pnacl_json")); EXPECT_EQ(out_path, expected_path); - EXPECT_TRUE(PnaclCanOpenFile("x86-32/llc", &out_path)); - expected_path = kDummyPnaclPath.Append(FILE_PATH_LITERAL("x86-32/llc")); + EXPECT_TRUE(PnaclCanOpenFile("x86_32_llc", &out_path)); + expected_path = kDummyPnaclPath.Append( + FILE_PATH_LITERAL("pnacl_public_x86_32_llc")); EXPECT_EQ(out_path, expected_path); + // Check character ranges. + EXPECT_FALSE(PnaclCanOpenFile(".xchars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("/xchars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("x/chars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("\\xchars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("x\\chars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("$xchars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("%xchars", &out_path)); + EXPECT_FALSE(PnaclCanOpenFile("CAPS", &out_path)); + const char non_ascii[] = "\xff\xfe"; + EXPECT_FALSE(PnaclCanOpenFile(non_ascii, &out_path)); + + // Check file length restriction. + EXPECT_FALSE(PnaclCanOpenFile("thisstringisactuallywaaaaaaaaaaaaaaaaaaaaaaaa" + "toolongwaytoolongwaaaaayyyyytoooooooooooooooo" + "looooooooong", + &out_path)); + + // Other bad files. EXPECT_FALSE(PnaclCanOpenFile("", &out_path)); EXPECT_FALSE(PnaclCanOpenFile(".", &out_path)); EXPECT_FALSE(PnaclCanOpenFile("..", &out_path)); @@ -45,6 +67,4 @@ TEST(PnaclFileHostTest, TestFilenamesWithPnaclPath) { EXPECT_FALSE(PnaclCanOpenFile("$HOME/.bashrc", &out_path)); #endif - const char non_ascii[] = "\xff\xfe"; - EXPECT_FALSE(PnaclCanOpenFile(non_ascii, &out_path)); } diff --git a/ppapi/native_client/src/trusted/plugin/pnacl_resources.cc b/ppapi/native_client/src/trusted/plugin/pnacl_resources.cc index 0344e9e..d2535c0 100644 --- a/ppapi/native_client/src/trusted/plugin/pnacl_resources.cc +++ b/ppapi/native_client/src/trusted/plugin/pnacl_resources.cc @@ -29,7 +29,10 @@ bool PnaclUrls::UsePnaclExtension(const Plugin* plugin) { // --enable-pnacl is used and not use the chrome extension. // Some UI work, etc. remains before --enable-pnacl is usable: // http://code.google.com/p/nativeclient/issues/detail?id=2813 - return !(plugin->nacl_interface()->IsPnaclEnabled()); + // TODO(jvoung): re-enable the non-extension path if we decide + // to use that / once we have renamed and remap some of the files. + return true; + // return !(plugin->nacl_interface()->IsPnaclEnabled()); } nacl::string PnaclUrls::GetBaseUrl(bool use_extension) { |