author | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-09 19:39:58 +0000 |
---|---|---|
committer | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-09 19:39:58 +0000 |
commit | 54ec647bc4c41a46bab353c9eede6441030be150 (patch) | |
tree | 1b3783f497ee5b5ba2eb2dbbae717301d49bac14 | |
parent | 316e3f5dbde1c051d3e9535a90321906ae996e91 (diff) | |
Adds an updated safety check for DOM UI renderers.
We should not be passing web URLs to DOM UI renderers. This CL
adds a check to ensure that we only navigate to DOM-UI-permitted
URLs in such renderers.
BUG=40575, 40893
TEST=none
Review URL: http://codereview.chromium.org/1631009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44112 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/renderer_host/render_view_host.h | 4 | ||||
-rw-r--r-- | chrome/browser/tab_contents/tab_contents.cc | 7 | ||||
-rw-r--r-- | chrome/test/data/reliability/known_crashes.txt | 3 |
3 files changed, 11 insertions, 3 deletions
diff --git a/chrome/browser/renderer_host/render_view_host.h b/chrome/browser/renderer_host/render_view_host.h
index 0601821..3492603 100644
--- a/chrome/browser/renderer_host/render_view_host.h
+++ b/chrome/browser/renderer_host/render_view_host.h
@@ -323,6 +323,10 @@ class RenderViewHost : public RenderWidgetHost {
 // should be a combination of values from BindingsPolicy.
 void AllowBindings(int binding_flags);
 
+ // Returns a bitwise OR of bindings types that have been enabled for this
+ // RenderView. See BindingsPolicy for details.
+ int enabled_bindings() { return enabled_bindings_; }
+
 // Sets a property with the given name and value on the DOM UI binding object.
 // Must call AllowDOMUIBindings() on this renderer first.
 void SetDOMUIProperty(const std::string& name, const std::string& value);
diff --git a/chrome/browser/tab_contents/tab_contents.cc b/chrome/browser/tab_contents/tab_contents.cc
index 0b64c05..4054816f 100644
--- a/chrome/browser/tab_contents/tab_contents.cc
+++ b/chrome/browser/tab_contents/tab_contents.cc
@@ -65,6 +65,7 @@
 #include "chrome/browser/tab_contents/thumbnail_generator.h"
 #include "chrome/browser/thumbnail_store.h"
 #include "chrome/browser/translate/page_translated_details.h"
+#include "chrome/common/bindings_policy.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_action.h"
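Review bot: The new accessor `enabled_bindings()` in render_view_host.h is not const-qualified although it only returns `enabled_bindings_`, so it cannot be called through a const RenderViewHost pointer or reference. I would declare it as `int enabled_bindings() const { return enabled_bindings_; }`. The RenderViewHost class body starts and ends outside the hunk, so whether neighbouring accessors follow the same convention is not visible here.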
@@ -753,6 +754,12 @@ bool TabContents::NavigateToPendingEntry(
 if (!dest_render_view_host)
 return false; // Unable to create the desired render view host.
 
+ // For security, we should never send non-DOM-UI URLs to a DOM UI renderer.
+ // Double check that here.
+ int enabled_bindings = dest_render_view_host->enabled_bindings();
+ CHECK(!BindingsPolicy::is_dom_ui_enabled(enabled_bindings) ||
+ DOMUIFactory::UseDOMUIForURL(entry.url()));
+
 // Tell DevTools agent that it is attached prior to the navigation.
 DevToolsManager* devtools_manager = DevToolsManager::GetInstance();
 if (devtools_manager) { // NULL in unit tests.
diff --git a/chrome/test/data/reliability/known_crashes.txt b/chrome/test/data/reliability/known_crashes.txt
index ff96a2f..34b6cb0 100644
--- a/chrome/test/data/reliability/known_crashes.txt
+++ b/chrome/test/data/reliability/known_crashes.txt
@@ -178,6 +178,3 @@ v8::internal::setproperty___v8::internal::runtime::setobjectproperty___v8::inter
 
 # 40736
 SUBSTRING : v8::internal::LargeObjectSpace::IterateRSet___v8::internal::Heap::Scavenge___v8::internal::Heap::PerformGarbageCollection___v8::internal::Heap::CollectGarbage___v8::internal::NormalizeProperties
-
-# 40893
-SUBSTRING : logging::logmessage::~logmessage___tabcontents::navigatetopendingentry___navigationcontroller::navigatetopendingentry___navigationcontroller::loadentry___navigationcontroller::loadurl___domview::loadurl |
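Review bot: The comment above the new CHECK in NavigateToPendingEntry does not say that terminating the browser in release builds is the intended failure mode, so a later cleanup could downgrade it to a DCHECK and drop the protection without anyone noticing. I would extend it with `// CHECK rather than DCHECK on purpose: crashing is safer than handing a web URL to a renderer with DOM UI bindings.` The guard also tests only the DOM UI bit of `enabled_bindings`, which per the accessor's comment is a bitwise OR of several binding types; if other binding types are equally privileged they presumably need a similar check, which cannot be confirmed from this hunk. The commit lists TEST=none, so nothing exercises the invariant, and the function body starts and ends outside the hunk.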