Adding checks against directory traversal.

BUG= http://code.google.com/p/chromium/issues/detail?id=92751
TEST=ui_tests
Review URL: http://codereview.chromium.org/7631007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97144 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 35 insertions, 2 deletions

diff --git a/ppapi/tests/test_file_ref.cc b/ppapi/tests/test_file_ref.cc
index a753b03..d6b3b36 100644
--- a/ppapi/tests/test_file_ref.cc
+++ b/ppapi/tests/test_file_ref.cc
@@ -5,6 +5,7 @@
 #include "ppapi/tests/test_file_ref.h"
 
 #include <stdio.h>
+#include <vector>
 
 #include "ppapi/c/pp_errors.h"
 #include "ppapi/c/ppb_file_io.h"
@@ -44,6 +45,7 @@ bool TestFileRef::Init() {
 }
 
 void TestFileRef::RunTest() {
+  RUN_TEST_FORCEASYNC_AND_NOT(Create);
   RUN_TEST_FORCEASYNC_AND_NOT(GetFileSystemType);
   RUN_TEST_FORCEASYNC_AND_NOT(GetName);
   RUN_TEST_FORCEASYNC_AND_NOT(GetPath);
@@ -54,6 +56,36 @@ void TestFileRef::RunTest() {
   RUN_TEST_FORCEASYNC_AND_NOT(RenameFileAndDirectory);
 }
 
+std::string TestFileRef::TestCreate() {
+  std::vector<std::string> invalid_paths;
+  invalid_paths.push_back("invalid_path");  // no '/' at the first character
+  invalid_paths.push_back("");  // empty path
+  // The following are directory traversal checks
+  invalid_paths.push_back("..");
+  invalid_paths.push_back("/../invalid_path");
+  invalid_paths.push_back("/../../invalid_path");
+  invalid_paths.push_back("/invalid/../../path");
+  const size_t num_invalid_paths = invalid_paths.size();
+
+  pp::FileSystem file_system_pers(
+      instance_, PP_FILESYSTEMTYPE_LOCALPERSISTENT);
+  pp::FileSystem file_system_temp(
+      instance_, PP_FILESYSTEMTYPE_LOCALTEMPORARY);
+  for (size_t j = 0; j < num_invalid_paths; ++j) {
+    pp::FileRef file_ref_pers(file_system_pers, invalid_paths[j].c_str());
+    if (file_ref_pers.pp_resource() != 0) {
+      return "file_ref_pers expected to be invalid for path: " +
+          invalid_paths[j];
+    }
+    pp::FileRef file_ref_temp(file_system_temp, invalid_paths[j].c_str());
+    if (file_ref_temp.pp_resource() != 0) {
+      return "file_ref_temp expected to be invalid for path: " +
+          invalid_paths[j];
+    }
+  }
+  PASS();
+}
+
 std::string TestFileRef::TestGetFileSystemType() {
   pp::FileSystem file_system_pers(
       instance_, PP_FILESYSTEMTYPE_LOCALPERSISTENT);
diff --git a/ppapi/tests/test_file_ref.h b/ppapi/tests/test_file_ref.h
index ba9e39a..63df14e 100644
--- a/ppapi/tests/test_file_ref.h
+++ b/ppapi/tests/test_file_ref.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,6 +18,7 @@ class TestFileRef : public TestCase {
   virtual void RunTest();
 
  private:
+  std::string TestCreate();
   std::string TestGetFileSystemType();
   std::string TestGetName();
   std::string TestGetPath();
diff --git a/webkit/plugins/ppapi/ppb_file_ref_impl.cc b/webkit/plugins/ppapi/ppb_file_ref_impl.cc
index 1db9a22..00d5db4 100644
--- a/webkit/plugins/ppapi/ppb_file_ref_impl.cc
+++ b/webkit/plugins/ppapi/ppb_file_ref_impl.cc
@@ -33,7 +33,7 @@ namespace {
 
 bool IsValidLocalPath(const std::string& path) {
   // The path must start with '/'
-  if (path.empty() || path[0] != '/')
+  if (path.empty() || path[0] != '/' || path.find("..") != std::string::npos)
     return false;
 
   // The path must contain valid UTF-8 characters.