authortsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-15 19:41:05 +0000
committertsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-15 19:41:05 +0000
commitc90d80a620d62d8d5e6b84fee7561834f4e53dd3 (patch)
treeef894fa0d47e898fbc8e7b680bb1ad5012d31434
parent8e9f7bb27813e583db6964fe1c2ea0c0bc3b3a3a (diff)
Restore PPAPI Flash in-process file access.
This behaviour is under control of the --ppapi-flash-in-process flag. There will be degraded protection of the pepper flash data directories from compromised renderers under this option (hence the flag). Review URL: https://chromiumcodereview.appspot.com/10533137 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@142449 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/chrome_content_browser_client.cc7
-rw-r--r--chrome/browser/chrome_content_browser_client.h5
-rw-r--r--chrome/common/chrome_switches.cc6
-rw-r--r--chrome/common/chrome_switches.h2
-rw-r--r--content/browser/renderer_host/pepper_file_message_filter.cc39
-rw-r--r--content/browser/renderer_host/pepper_file_message_filter.h32
-rw-r--r--content/browser/renderer_host/pepper_message_filter.cc2
-rw-r--r--content/browser/renderer_host/render_process_host_impl.cc5
-rw-r--r--content/public/browser/content_browser_client.cc8
-rw-r--r--content/public/browser/content_browser_client.h9
-rw-r--r--content/public/common/content_switches.cc8
-rw-r--r--content/public/common/content_switches.h2
12 files changed, 102 insertions, 23 deletions
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index 513258d..6a44025 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -1493,7 +1493,7 @@ std::string ChromeContentBrowserClient::GetDefaultDownloadName() {
return l10n_util::GetStringUTF8(IDS_DEFAULT_DOWNLOAD_FILENAME);
}
-bool ChromeContentBrowserClient::AllowSocketAPI(
+bool ChromeContentBrowserClient::AllowPepperSocketAPI(
content::BrowserContext* browser_context, const GURL& url) {
if (!url.is_valid())
return false;
@@ -1536,6 +1536,11 @@ bool ChromeContentBrowserClient::AllowSocketAPI(
return false;
}
+bool ChromeContentBrowserClient::AllowPepperPrivateFileAPI() {
+ return CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kPpapiFlashInProcess);
+}
+
#if defined(OS_POSIX) && !defined(OS_MACOSX)
int ChromeContentBrowserClient::GetCrashSignalFD(
const CommandLine& command_line) {
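Review bot: `AllowPepperPrivateFileAPI()` gives `switches::kPpapiFlashInProcess` a second, security-relevant effect that is documented nowhere near the code. The switch comment visible in the chrome_switches.cc hunk still says only that it forces PPAPI Flash to run in the renderer process. I would add a comment above the override such as `// In-process Flash needs the private Pepper file API on the renderer channel; this weakens isolation of the Pepper data directories, so it is tied to the flag.` and extend the switch description to mention the relaxed file access.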
diff --git a/chrome/browser/chrome_content_browser_client.h b/chrome/browser/chrome_content_browser_client.h
index bc6a367..d411a5b 100644
--- a/chrome/browser/chrome_content_browser_client.h
+++ b/chrome/browser/chrome_content_browser_client.h
@@ -175,8 +175,9 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
virtual void ClearCookies(content::RenderViewHost* rvh) OVERRIDE;
virtual FilePath GetDefaultDownloadDirectory() OVERRIDE;
virtual std::string GetDefaultDownloadName() OVERRIDE;
- virtual bool AllowSocketAPI(content::BrowserContext* browser_context,
- const GURL& url) OVERRIDE;
+ virtual bool AllowPepperSocketAPI(content::BrowserContext* browser_context,
+ const GURL& url) OVERRIDE;
+ virtual bool AllowPepperPrivateFileAPI() OVERRIDE;
#if defined(OS_POSIX) && !defined(OS_MACOSX)
virtual int GetCrashSignalFD(const CommandLine& command_line) OVERRIDE;
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index d4050ad..857236b 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -984,6 +984,12 @@ const char kPpapiFlashFieldTrialEnableByDefault[] = "enable-by-default";
// Forces the PPAPI version of Flash (if it's being used) to run in the
// renderer process rather than in a separate plugin process.
const char kPpapiFlashInProcess[] = "ppapi-flash-in-process";
+// Use the PPAPI (Pepper) Flash found at the given path.
+const char kPpapiFlashPath[] = "ppapi-flash-path";
+// Report the given version for the PPAPI (Pepper) Flash. The version should be
+// numbers separated by '.'s (e.g., "12.3.456.78"). If not specified, it
+// defaults to "10.2.999.999".
+const char kPpapiFlashVersion[] = "ppapi-flash-version";
// Triggers prerendering of pages from suggestions in the omnibox. Only has an
// effect when Instant is either disabled or restricted to search, and when
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index db03a14..d4c2bbf 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -265,6 +265,8 @@ extern const char kPpapiFlashFieldTrial[];
extern const char kPpapiFlashFieldTrialDisableByDefault[];
extern const char kPpapiFlashFieldTrialEnableByDefault[];
extern const char kPpapiFlashInProcess[];
+extern const char kPpapiFlashPath[];
+extern const char kPpapiFlashVersion[];
extern const char kPrerenderFromOmnibox[];
extern const char kPrerenderFromOmniboxSwitchValueAuto[];
extern const char kPrerenderFromOmniboxSwitchValueDisabled[];
diff --git a/content/browser/renderer_host/pepper_file_message_filter.cc b/content/browser/renderer_host/pepper_file_message_filter.cc
index a86542e..d508341 100644
--- a/content/browser/renderer_host/pepper_file_message_filter.cc
+++ b/content/browser/renderer_host/pepper_file_message_filter.cc
@@ -248,7 +248,7 @@ FilePath PepperTrustedFileMessageFilter::ValidateAndConvertPepperFilePath(
const ppapi::PepperFilePath& pepper_path,
int flags) {
FilePath file_path; // Empty path returned on error.
- switch(pepper_path.domain()) {
+ switch (pepper_path.domain()) {
case ppapi::PepperFilePath::DOMAIN_ABSOLUTE:
if (pepper_path.path().IsAbsolute() &&
ChildProcessSecurityPolicyImpl::GetInstance()->HasPermissionsForFile(
@@ -256,6 +256,8 @@ FilePath PepperTrustedFileMessageFilter::ValidateAndConvertPepperFilePath(
file_path = pepper_path.path();
break;
case ppapi::PepperFilePath::DOMAIN_MODULE_LOCAL:
+ // This filter provides the module name portion of the path to prevent
+ // plugins from accessing each other's data.
if (!pepper_path.path().IsAbsolute() &&
!pepper_path.path().ReferencesParent())
file_path = plugin_data_directory_.Append(pepper_path.path());
@@ -266,3 +268,38 @@ FilePath PepperTrustedFileMessageFilter::ValidateAndConvertPepperFilePath(
}
return file_path;
}
+
+PepperUnsafeFileMessageFilter::PepperUnsafeFileMessageFilter(
+ int child_id,
+ const FilePath& profile_data_directory)
+ : PepperFileMessageFilter(child_id) {
+ profile_data_directory_ = GetDataDirName(profile_data_directory);
+}
+
+PepperUnsafeFileMessageFilter::~PepperUnsafeFileMessageFilter() {
+}
+
+FilePath PepperUnsafeFileMessageFilter::ValidateAndConvertPepperFilePath(
+ const ppapi::PepperFilePath& pepper_path,
+ int flags) {
+ FilePath file_path; // Empty path returned on error.
+ switch (pepper_path.domain()) {
+ case ppapi::PepperFilePath::DOMAIN_ABSOLUTE:
+ if (pepper_path.path().IsAbsolute() &&
+ ChildProcessSecurityPolicyImpl::GetInstance()->HasPermissionsForFile(
+ child_id(), pepper_path.path(), flags))
+ file_path = pepper_path.path();
+ break;
+ case ppapi::PepperFilePath::DOMAIN_MODULE_LOCAL:
+ // The message supplies the module portion of the path (so it can't
+ // really be trusted).
+ if (!pepper_path.path().IsAbsolute() &&
+ !pepper_path.path().ReferencesParent())
+ file_path = profile_data_directory_.Append(pepper_path.path());
+ break;
+ default:
+ NOTREACHED();
+ break;
+ }
+ return file_path;
+}
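Review bot: In the `DOMAIN_MODULE_LOCAL` branch of `PepperUnsafeFileMessageFilter::ValidateAndConvertPepperFilePath`, the only containment left is the lexical `IsAbsolute()`/`ReferencesParent()` test, and an empty relative path passes it. A renderer message could then resolve to `profile_data_directory_` itself rather than to a module's subdirectory. Legitimate requests through this filter presumably always carry a module-name component, so I would add `!pepper_path.path().empty() &&` to the condition. The comment should also say plainly that any module's data is reachable through this filter, instead of "can't really be trusted". Separately, the `DOMAIN_ABSOLUTE` branch is a verbatim copy of the trusted filter's branch and could live in a shared helper on `PepperFileMessageFilter`, so that the permission check is maintained in one place.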
diff --git a/content/browser/renderer_host/pepper_file_message_filter.h b/content/browser/renderer_host/pepper_file_message_filter.h
index 167f1f3..4ec0686 100644
--- a/content/browser/renderer_host/pepper_file_message_filter.h
+++ b/content/browser/renderer_host/pepper_file_message_filter.h
@@ -26,7 +26,9 @@ namespace ppapi {
class PepperFilePath;
}
-// A message filter for Pepper-specific File I/O messages.
+// A message filter for Pepper-specific File I/O messages. Used on
+// renderer channels, this denys the renderer the trusted operations
+// permitted only by plugin processes.
class PepperFileMessageFilter : public content::BrowserMessageFilter {
public:
explicit PepperFileMessageFilter(int child_id);
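Review bot: The new class comment on `PepperFileMessageFilter` has a typo and an ambiguous preposition in the sentence that states the security role of the filter. I would write `// renderer channels, this denies the renderer the trusted operations` and `// permitted only to plugin processes.`, since "permitted only by plugin processes" reads as if the plugin process grants the permission. The class body continues outside the hunk.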
@@ -88,7 +90,8 @@ class PepperFileMessageFilter : public content::BrowserMessageFilter {
DISALLOW_COPY_AND_ASSIGN(PepperFileMessageFilter);
};
-// Class for out-of-process plugins providing relaxed path validation.
+// Message filter used with out-of-process pepper flash plugin channels that
+// provides the trusted operations permitted only by plugin processes.
class PepperTrustedFileMessageFilter : public PepperFileMessageFilter {
public:
PepperTrustedFileMessageFilter(int child_id,
@@ -102,10 +105,33 @@ class PepperTrustedFileMessageFilter : public PepperFileMessageFilter {
virtual FilePath ValidateAndConvertPepperFilePath(
const ppapi::PepperFilePath& pepper_path, int flags) OVERRIDE;
- // The path to the per-plugin directory under the per-profile data directory.
+ // The path to the per-plugin directory under the per-profile data directory
+ // (includes module name).
FilePath plugin_data_directory_;
DISALLOW_COPY_AND_ASSIGN(PepperTrustedFileMessageFilter);
};
+// Message filter used with in-process pepper flash plugins that provides the
+// renderer channels with the trusted operations permitted only by plugin
+// process. This should not be used as part of normal operations, and may
+// only be applied under the control of a command-line flag.
+class PepperUnsafeFileMessageFilter : public PepperFileMessageFilter {
+ public:
+ PepperUnsafeFileMessageFilter(int child_id,
+ const FilePath& profile_data_directory);
+
+ protected:
+ virtual ~PepperUnsafeFileMessageFilter();
+
+ private:
+ virtual FilePath ValidateAndConvertPepperFilePath(
+ const ppapi::PepperFilePath& pepper_path, int flags) OVERRIDE;
+
+ // The per-profile data directory (not including module name).
+ FilePath profile_data_directory_;
+
+ DISALLOW_COPY_AND_ASSIGN(PepperUnsafeFileMessageFilter);
+};
+
#endif // CONTENT_BROWSER_RENDERER_HOST_PEPPER_FILE_MESSAGE_FILTER_H_
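Review bot: The comment on `PepperUnsafeFileMessageFilter` says the class "may only be applied under the control of a command-line flag", but nothing in the class enforces that. The restriction lives entirely in the embedder's `AllowPepperPrivateFileAPI()` override, so the comment should name that hook as the single place where the decision is made. The member comment is also easy to misread. The constructor in the .cc hunk stores `GetDataDirName(profile_data_directory)`, which is presumably the Pepper data directory under the profile rather than the profile directory itself. Something like `// The Pepper data directory under the profile directory, shared by all modules (no module name component).` would be clearer, and "plugin process" in the class comment should be "plugin processes".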
diff --git a/content/browser/renderer_host/pepper_message_filter.cc b/content/browser/renderer_host/pepper_message_filter.cc
index e4a97f3..d6336aa 100644
--- a/content/browser/renderer_host/pepper_message_filter.cc
+++ b/content/browser/renderer_host/pepper_message_filter.cc
@@ -767,7 +767,7 @@ bool PepperMessageFilter::CanUseSocketAPIs(int32 render_id) {
if (!site_instance)
return false;
- if (!content::GetContentClient()->browser()->AllowSocketAPI(
+ if (!content::GetContentClient()->browser()->AllowPepperSocketAPI(
site_instance->GetBrowserContext(),
site_instance->GetSite())) {
LOG(ERROR) << "Host " << site_instance->GetSite().host()
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index b00413f..c8aaa1c 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -482,7 +482,10 @@ void RenderProcessHostImpl::CreateMessageFilters() {
channel_->AddFilter(new media_stream::MediaStreamDispatcherHost(
resource_context, GetID(), BrowserMainLoop::GetAudioManager()));
#endif
- channel_->AddFilter(new PepperFileMessageFilter(GetID()));
+ channel_->AddFilter(
+ GetContentClient()->browser()->AllowPepperPrivateFileAPI() ?
+ new PepperUnsafeFileMessageFilter(GetID(), browser_context->GetPath()) :
+ new PepperFileMessageFilter(GetID()));
channel_->AddFilter(new PepperMessageFilter(PepperMessageFilter::RENDERER,
GetID(), browser_context));
#if defined(ENABLE_INPUT_SPEECH)
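Review bot: The filter choice here is made once per renderer process from a process-wide answer, so with the flag set every renderer channel gets `PepperUnsafeFileMessageFilter`, not only renderers that actually host in-process Flash. If narrowing that is not feasible at this point, the call site should at least say so, for example `// With in-process Flash enabled, ALL renderers get the unsafe file filter; see AllowPepperPrivateFileAPI().`. `CreateMessageFilters` begins and ends outside the hunk, so whether a per-process signal is available here cannot be judged from the visible lines.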
diff --git a/content/public/browser/content_browser_client.cc b/content/public/browser/content_browser_client.cc
index 294355f..6331a27 100644
--- a/content/public/browser/content_browser_client.cc
+++ b/content/public/browser/content_browser_client.cc
@@ -199,8 +199,12 @@ std::string ContentBrowserClient::GetDefaultDownloadName() {
return std::string();
}
-bool ContentBrowserClient::AllowSocketAPI(BrowserContext* browser_context,
- const GURL& url) {
+bool ContentBrowserClient::AllowPepperSocketAPI(
+ BrowserContext* browser_context, const GURL& url) {
+ return false;
+}
+
+bool ContentBrowserClient::AllowPepperPrivateFileAPI() {
return false;
}
diff --git a/content/public/browser/content_browser_client.h b/content/public/browser/content_browser_client.h
index cf9dc80..2b29174 100644
--- a/content/public/browser/content_browser_client.h
+++ b/content/public/browser/content_browser_client.h
@@ -388,8 +388,13 @@ class CONTENT_EXPORT ContentBrowserClient {
// else we should do with the file.
virtual std::string GetDefaultDownloadName();
- // Returns true if given origin can use TCP/UDP sockets.
- virtual bool AllowSocketAPI(BrowserContext* browser_context, const GURL& url);
+ // Returns true if renderer processes can use Pepper TCP/UDP sockets from
+ // the given origin.
+ virtual bool AllowPepperSocketAPI(BrowserContext* browser_context,
+ const GURL& url);
+
+ // Returns true if renderer processes can use private Pepper File APIs.
+ virtual bool AllowPepperPrivateFileAPI();
#if defined(OS_POSIX) && !defined(OS_MACOSX)
// Can return an optional fd for crash handling, otherwise returns -1. The
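Review bot: The doc comment on `AllowPepperPrivateFileAPI()` does not tell an embedder what returning true costs. Unlike `AllowPepperSocketAPI` just above it, the hook takes neither a `BrowserContext` nor a URL, so it cannot be scoped to a profile or origin. I would extend the comment along the lines of `// Returning true lets every renderer process reach the Pepper data directories of all modules; embedders should return true only for in-process Flash.` and consider whether the signature should carry enough context to decide per process. The class declaration continues outside the hunk.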
diff --git a/content/public/common/content_switches.cc b/content/public/common/content_switches.cc
index 1ae248c..b14965a 100644
--- a/content/public/common/content_switches.cc
+++ b/content/public/common/content_switches.cc
@@ -477,14 +477,6 @@ const char kPluginStartupDialog[] = "plugin-startup-dialog";
// Argument to the process type that indicates a PPAPI broker process type.
const char kPpapiBrokerProcess[] = "ppapi-broker";
-// Use the PPAPI (Pepper) Flash found at the given path.
-const char kPpapiFlashPath[] = "ppapi-flash-path";
-
-// Report the given version for the PPAPI (Pepper) Flash. The version should be
-// numbers separated by '.'s (e.g., "12.3.456.78"). If not specified, it
-// defaults to "10.2.999.999".
-const char kPpapiFlashVersion[] = "ppapi-flash-version";
-
// Runs PPAPI (Pepper) plugins out-of-process.
const char kPpapiOutOfProcess[] = "ppapi-out-of-process";
diff --git a/content/public/common/content_switches.h b/content/public/common/content_switches.h
index b9dfd35..54e4be6 100644
--- a/content/public/common/content_switches.h
+++ b/content/public/common/content_switches.h
@@ -149,8 +149,6 @@ CONTENT_EXPORT extern const char kPluginPath[];
CONTENT_EXPORT extern const char kPluginProcess[];
extern const char kPluginStartupDialog[];
CONTENT_EXPORT extern const char kPpapiBrokerProcess[];
-CONTENT_EXPORT extern const char kPpapiFlashPath[];
-CONTENT_EXPORT extern const char kPpapiFlashVersion[];
CONTENT_EXPORT extern const char kPpapiOutOfProcess[];
extern const char kPpapiPluginLauncher[];
CONTENT_EXPORT extern const char kPpapiPluginProcess[];