<webview>: BrowserPluginHostMsg_RespondPermission IPC cleanup

Carrying around the permission type from the embedder to the browser process seems redundant. In fact, it also allows for a compromised app to crash the browser process: It can make a geolocation request, but pretend the response is something other than a GeolocationRequest. The request object in BrowserPluginGuest removes the request from the map, and the iterator becomes invalid. When we try to delete the request and remove the iterator, the browser process will crash. BUG=166165 Test=WebViewTest.* TBR=cdn@chromium.org for trivial browser_plugin_messages.h change. Review URL: https://chromiumcodereview.appspot.com/19448002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@212214 0039d316-1c4b-4281-b951-d872f2087c98
author: fsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-07-18 02:31:22 +0000
committer: fsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-07-18 02:31:22 +0000
commit: e06008d85607737034793241216d5180df305580 (patch)
tree: 9f129ed01a289a23a04afd800f6c9314627bb1dd /content/browser/browser_plugin/browser_plugin_guest.cc
parent: 71dfbc3fde764c1df683ae7fb67e589d84f7b192 (diff)
download: chromium_src-e06008d85607737034793241216d5180df305580.zip
chromium_src-e06008d85607737034793241216d5180df305580.tar.gz
chromium_src-e06008d85607737034793241216d5180df305580.tar.bz2
1 files changed, 15 insertions, 4 deletions
diff --git a/content/browser/browser_plugin/browser_plugin_guest.cc b/content/browser/browser_plugin/browser_plugin_guest.cc
index 4027365..2bcb301 100644
--- a/content/browser/browser_plugin/browser_plugin_guest.cc
+++ b/content/browser/browser_plugin/browser_plugin_guest.cc
@@ -63,6 +63,7 @@ class BrowserPluginGuest::PermissionRequest {
  public:
   virtual void Respond(bool should_allow) = 0;
   virtual ~PermissionRequest() {}
+  virtual BrowserPluginPermissionType GetType() const = 0;
  protected:
   PermissionRequest() {
     RecordAction(UserMetricsAction("BrowserPlugin.Guest.PermissionRequest"));
@@ -79,6 +80,9 @@ class BrowserPluginGuest::DownloadRequest : public PermissionRequest {
   virtual void Respond(bool should_allow) OVERRIDE {
     callback_.Run(should_allow);
   }
+  virtual BrowserPluginPermissionType GetType() const OVERRIDE {
+    return BrowserPluginPermissionTypeDownload;
+  }
   virtual ~DownloadRequest() {}
  private:
   base::Callback<void(bool)> callback_;
@@ -129,6 +133,9 @@ class BrowserPluginGuest::GeolocationRequest : public PermissionRequest {
     }
     guest_->SetGeolocationPermission(callback_, bridge_id_, false);
   }
+  virtual BrowserPluginPermissionType GetType() const OVERRIDE {
+    return BrowserPluginPermissionTypeGeolocation;
+  }
   virtual ~GeolocationRequest() {}
  private:
   base::Callback<void(bool)> callback_;
@@ -159,7 +166,9 @@ class BrowserPluginGuest::MediaRequest : public PermissionRequest {
       // Deny the request.
       callback_.Run(MediaStreamDevices(), scoped_ptr<MediaStreamUI>());
     }
-
+  }
+  virtual BrowserPluginPermissionType GetType() const OVERRIDE {
+    return BrowserPluginPermissionTypeMedia;
   }
   virtual ~MediaRequest() {}
  private:
@@ -192,6 +201,9 @@ class BrowserPluginGuest::NewWindowRequest : public PermissionRequest {
     if (!should_allow)
       guest->Destroy();
   }
+  virtual BrowserPluginPermissionType GetType() const OVERRIDE {
+    return BrowserPluginPermissionTypeNewWindow;
+  }
   virtual ~NewWindowRequest() {}
  private:
   int instance_id_;
@@ -1290,7 +1302,6 @@ void BrowserPluginGuest::OnSetVisibility(int instance_id, bool visible) {
 
 void BrowserPluginGuest::OnRespondPermission(
     int instance_id,
-    BrowserPluginPermissionType permission_type,
     int request_id,
     bool should_allow) {
   RequestMap::iterator request_itr = permission_request_map_.find(request_id);
@@ -1298,6 +1309,7 @@ void BrowserPluginGuest::OnRespondPermission(
     LOG(INFO) << "Not a valid request ID.";
     return;
   }
+  BrowserPluginPermissionType permission_type = request_itr->second->GetType();
   request_itr->second->Respond(should_allow);
 
   // Geolocation requests have to hang around for a while, so we don't delete
@@ -1485,8 +1497,7 @@ void BrowserPluginGuest::DidRetrieveDownloadURLFromRequestId(
     int permission_request_id,
     const std::string& url) {
   if (url.empty()) {
-    OnRespondPermission(instance_id(), BrowserPluginPermissionTypeDownload,
-                        permission_request_id, false);
+    OnRespondPermission(instance_id(), permission_request_id, false);
     return;
   }
author	fsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-07-18 02:31:22 +0000
committer	fsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-07-18 02:31:22 +0000
commit	e06008d85607737034793241216d5180df305580 (patch)
tree	9f129ed01a289a23a04afd800f6c9314627bb1dd /content/browser/browser_plugin/browser_plugin_guest.cc
parent	71dfbc3fde764c1df683ae7fb67e589d84f7b192 (diff)
download	chromium_src-e06008d85607737034793241216d5180df305580.zip chromium_src-e06008d85607737034793241216d5180df305580.tar.gz chromium_src-e06008d85607737034793241216d5180df305580.tar.bz2