author | wfh <wfh@chromium.org> | 2015-02-25 13:01:31 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-02-25 21:02:39 +0000 |
commit | 815c487fa677cf5413ed22e181437c1107300d49 (patch) | |
tree | 29c9d8d16487d874df51a01db535fe3624e1832d /content/browser/security_exploit_browsertest.cc | |
parent | cbc5df777caae32d4c48a5e22f389f4642994a0d (diff) | |
Only take basename of default_file_name when starting a File Chooser.
Validate that no ViewHostMsg_RunFileChooser message received in the browser contains path elements.
BUG=444198
TEST=content_browsertests
Review URL: https://codereview.chromium.org/817103002
Cr-Commit-Position: refs/heads/master@{#318111}
Diffstat (limited to 'content/browser/security_exploit_browsertest.cc')
-rw-r--r-- | content/browser/security_exploit_browsertest.cc | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc index ae01d5e..62d3b62 100644 --- a/content/browser/security_exploit_browsertest.cc +++ b/content/browser/security_exploit_browsertest.cc @@ -18,6 +18,7 @@ #include "content/public/browser/interstitial_page_delegate.h" #include "content/public/browser/storage_partition.h" #include "content/public/common/content_switches.h" +#include "content/public/common/file_chooser_params.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/content_browser_test.h" #include "content/public/test/content_browser_test_utils.h" @@ -107,8 +108,35 @@ class SecurityExploitBrowserTest : public ContentBrowserTest { .ToString() + ",EXCLUDE localhost"); } + + protected: + // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will + // cause renderer to be killed. + void TestFileChooserWithPath(const base::FilePath& path); }; +void SecurityExploitBrowserTest::TestFileChooserWithPath( + const base::FilePath& path) { + GURL foo("http://foo.com/simple_page.html"); + NavigateToURL(shell(), foo); + EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle()); + + content::RenderViewHost* compromised_renderer = + shell()->web_contents()->GetRenderViewHost(); + content::RenderProcessHostWatcher terminated( + shell()->web_contents(), + content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); + + FileChooserParams params; + params.default_file_name = path; + + ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params); + + IpcSecurityTestUtil::PwnMessageReceived( + compromised_renderer->GetProcess()->GetChannel(), evil); + terminated.Wait(); +} + // Ensure that we kill the renderer process if we try to give it WebUI // properties and it doesn't have enabled WebUI bindings. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { 
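Review bot: `terminated.Wait()` in `TestFileChooserWithPath` returns on any renderer exit, so the helper also passes if the process goes away for a reason unrelated to the browser rejecting the injected `ViewHostMsg_RunFileChooser`. If `RenderProcessHostWatcher` in this tree exposes `did_exit_normally()`, adding `EXPECT_FALSE(terminated.did_exit_normally());` after the wait would tie the pass condition to a kill rather than to any exit. The title check before it is a non-fatal `EXPECT_EQ`, so a failed navigation still goes on to inject the message; `ASSERT_EQ` would stop the helper at that point. The class body that receives the new declaration starts outside this hunk.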
@@ -179,6 +207,20 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, // If the above operation doesn't crash, the test has succeeded! } +// This is a test for crbug.com/444198. It tries to send a +// ViewHostMsg_RunFileChooser containing an invalid path. The browser should +// correctly terminate the renderer in these cases. +IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) { + TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt"))); + TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf"))); +#if defined(OS_WIN) + TestFileChooserWithPath( + base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt"))); + TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt"))); + TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt"))); +#endif +} + class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate { public: explicit SecurityExploitTestInterstitialPage(WebContents* contents) { |
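Review bot: Every path passed in `AttemptRunFileChoosers` combines a directory component with a `*` wildcard, so the test does not show that a path separator on its own gets the renderer killed, which is the property the commit description states. A case without a wildcard, for example `TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../foo.txt")));`, would pin that down. There is also no control showing that a bare basename is still accepted; the helper cannot be reused for that because it blocks until the renderer exits, so it would need a separate check. The comment above the test could also state that each call is expected to end with the renderer process terminated, since the test body itself contains no visible assertion.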