author | aedla@chromium.org <aedla@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-18 22:21:04 +0000 |
---|---|---|
committer | aedla@chromium.org <aedla@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-18 22:21:04 +0000 |
commit | ccfb891dc0c936a8806d663fe6581bf659761819 (patch) | |
tree | a8b686dc873ba23859b63b22cfb9bec63c8e8691 | |
parent | 31c0e51315a22462860909c286a8db2324c7b6b9 (diff) | |
WebDatabase: check path traversal in origin_identifier
BUG=172264
Review URL: https://chromiumcodereview.appspot.com/12212091
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@183141 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | content/browser/renderer_host/database_message_filter.cc | 13 | ||||
-rw-r--r-- | webkit/database/database_util.cc | 12 | ||||
-rw-r--r-- | webkit/database/database_util.h | 1 | ||||
-rw-r--r-- | webkit/database/database_util_unittest.cc | 16 |
4 files changed, 42 insertions, 0 deletions
diff --git a/content/browser/renderer_host/database_message_filter.cc b/content/browser/renderer_host/database_message_filter.cc
index f8b0aa6..f364ce2 100644
--- a/content/browser/renderer_host/database_message_filter.cc
+++ b/content/browser/renderer_host/database_message_filter.cc
@@ -284,6 +284,13 @@ void DatabaseMessageFilter::OnDatabaseOpened(const string16& origin_identifier,
                                              const string16& description,
                                              int64 estimated_size) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
+
+  if (!DatabaseUtil::IsValidOriginIdentifier(origin_identifier)) {
+    RecordAction(UserMetricsAction("BadMessageTerminate_DBMF"));
+    BadMessageReceived();
+    return;
+  }
+
   int64 database_size = 0;
   db_tracker_->DatabaseOpened(origin_identifier, database_name, description,
                               estimated_size, &database_size);
@@ -325,6 +332,12 @@ void DatabaseMessageFilter::OnHandleSqliteError(
     const string16& database_name,
     int error) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
+  if (!DatabaseUtil::IsValidOriginIdentifier(origin_identifier)) {
+    RecordAction(UserMetricsAction("BadMessageTerminate_DBMF"));
+    BadMessageReceived();
+    return;
+  }
+
   db_tracker_->HandleSqliteError(origin_identifier, database_name, error);
 }
 
diff --git a/webkit/database/database_util.cc b/webkit/database/database_util.cc
index 6d5ff95..8acccd2 100644
--- a/webkit/database/database_util.cc
+++ b/webkit/database/database_util.cc
@@ -4,6 +4,7 @@
 
 #include "webkit/database/database_util.h"
 
+#include "base/basictypes.h"
 #include "base/utf_string_conversions.h"
 #include "third_party/WebKit/Source/Platform/chromium/public/WebString.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebSecurityOrigin.h"
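Review bot: The five-line validation block is now duplicated verbatim in OnDatabaseOpened and OnHandleSqliteError, and any other handler in this filter that forwards origin_identifier to db_tracker_ (OnDatabaseModified/OnDatabaseClosed, if present — not visible in these hunks) would need a third copy, so the check is easy to miss on the next handler. Factoring it into a private helper such as `bool DatabaseMessageFilter::CheckOriginIdentifier(const string16& origin_identifier)` that records the UserMetricsAction, calls BadMessageReceived() and returns false keeps the kill-the-renderer policy in one place and lets each handler open with `if (!CheckOriginIdentifier(origin_identifier)) return;`. The first hunk also leaves a stray blank line between the DCHECK and the new `if`, which the second hunk does not. Both enclosing functions begin outside the hunks.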
@@ -90,4 +91,15 @@ GURL DatabaseUtil::GetOriginFromIdentifier(const string16& origin_identifier) {
   return GURL(web_security_origin.toString());
 }
 
+bool DatabaseUtil::IsValidOriginIdentifier(const string16& origin_identifier) {
+  string16 dotdot = ASCIIToUTF16("..");
+  char16 forbidden[] = {'\\', '/', '\0'};
+
+  string16::size_type pos = origin_identifier.find(dotdot);
+  if (pos == string16::npos)
+    pos = origin_identifier.find_first_of(forbidden, 0, arraysize(forbidden));
+
+  return pos == string16::npos;
+}
+
 }  // namespace webkit_database
diff --git a/webkit/database/database_util.h b/webkit/database/database_util.h
index 8158f39..8b366aab 100644
--- a/webkit/database/database_util.h
+++ b/webkit/database/database_util.h
@@ -31,6 +31,7 @@ class WEBKIT_STORAGE_EXPORT DatabaseUtil {
                                const string16& vfs_file_name);
   static string16 GetOriginIdentifier(const GURL& url);
   static GURL GetOriginFromIdentifier(const string16& origin_identifier);
+  static bool IsValidOriginIdentifier(const string16& origin_identifier);
 };
 
 }  // namespace webkit_database
diff --git a/webkit/database/database_util_unittest.cc b/webkit/database/database_util_unittest.cc
index 18c7014..aa9d007 100644
--- a/webkit/database/database_util_unittest.cc
+++ b/webkit/database/database_util_unittest.cc
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/string_piece.h"
 #include "base/utf_string_conversions.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "webkit/database/database_util.h"
@@ -31,6 +32,12 @@ static GURL ToAndFromOriginIdentifier(const GURL origin_url) {
   return DatabaseUtil::GetOriginFromIdentifier(id);
 }
 
+static void TestValidOriginIdentifier(bool expected_result,
+                                      const base::StringPiece id) {
+  EXPECT_EQ(expected_result,
+            DatabaseUtil::IsValidOriginIdentifier(ASCIIToUTF16(id)));
+}
+
 namespace webkit_database {
 
 // Test DatabaseUtil::CrackVfsFilePath on various inputs.
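Review bot: IsValidOriginIdentifier is a denylist — it rejects only "..", '/', '\\' and NUL — so everything else in a renderer-supplied identifier is accepted unchecked, including the empty string, which the new tests pin as valid; if the identifier ends up as a path component (as the commit title implies), characters such as ':' (drive specifiers and NTFS alternate data streams on Windows) still pass. Since GetOriginIdentifier and GetOriginFromIdentifier live in this same file, a stricter structural check is available as a round trip, `GetOriginIdentifier(GetOriginFromIdentifier(origin_identifier)) == origin_identifier`, with the character scan kept as the cheap first filter; whether callers rely on an empty identifier being accepted would need confirming first. The name also promises more than the function checks, so the header declaration should say what it does: `// Rejects identifiers containing "..", '/', '\\' or NUL. Does not verify that the identifier is otherwise well-formed.`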
@@ -54,4 +61,13 @@ TEST(DatabaseUtilTest, OriginIdentifiers) {
   EXPECT_EQ(kHttpOrigin, ToAndFromOriginIdentifier(kHttpOrigin));
 }
 
+TEST(DatabaseUtilTest, IsValidOriginIdentifier) {
+  TestValidOriginIdentifier(true, "http_bar_0");
+  TestValidOriginIdentifier(true, "");
+  TestValidOriginIdentifier(false, "bad..id");
+  TestValidOriginIdentifier(false, "bad/id");
+  TestValidOriginIdentifier(false, "bad\\id");
+  TestValidOriginIdentifier(false, base::StringPiece("bad\0id", 6));
+}
+
 }  // namespace webkit_database
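Review bot: The positive cases never contain a single '.', yet identifiers for dotted hostnames presumably do (the `http_bar_0` form suggests scheme_host_port), and the ".." search is the check most likely to over-reject them; the test should pin that a lone dot passes, and the traversal sequence is only tested in the middle of a string. Add `TestValidOriginIdentifier(true, "http_www.example.com_80");`, `TestValidOriginIdentifier(false, "..");` and `TestValidOriginIdentifier(false, "../bad");` alongside the existing cases.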