authorwfh <wfh@chromium.org>2015-02-25 13:01:31 -0800
committerCommit bot <commit-bot@chromium.org>2015-02-25 21:02:39 +0000
commit815c487fa677cf5413ed22e181437c1107300d49 (patch)
tree29c9d8d16487d874df51a01db535fe3624e1832d /content/browser/security_exploit_browsertest.cc
parentcbc5df777caae32d4c48a5e22f389f4642994a0d (diff)
Only take basename of default_file_name when starting a File Chooser.
Validate that ViewHostMsg_RunFileChooser messages received in the browser contain no path elements. BUG=444198 TEST=content_browsertests Review URL: https://codereview.chromium.org/817103002 Cr-Commit-Position: refs/heads/master@{#318111}
Diffstat (limited to 'content/browser/security_exploit_browsertest.cc')
-rw-r--r--content/browser/security_exploit_browsertest.cc42
1 files changed, 42 insertions, 0 deletions
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index ae01d5e..62d3b62 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -18,6 +18,7 @@
#include "content/public/browser/interstitial_page_delegate.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/common/content_switches.h"
+#include "content/public/common/file_chooser_params.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/content_browser_test.h"
#include "content/public/test/content_browser_test_utils.h"
@@ -107,8 +108,35 @@ class SecurityExploitBrowserTest : public ContentBrowserTest {
.ToString() +
",EXCLUDE localhost");
}
+
+ protected:
+ // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
+ // cause renderer to be killed.
+ void TestFileChooserWithPath(const base::FilePath& path);
};
+void SecurityExploitBrowserTest::TestFileChooserWithPath(
+ const base::FilePath& path) {
+ GURL foo("http://foo.com/simple_page.html");
+ NavigateToURL(shell(), foo);
+ EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
+
+ content::RenderViewHost* compromised_renderer =
+ shell()->web_contents()->GetRenderViewHost();
+ content::RenderProcessHostWatcher terminated(
+ shell()->web_contents(),
+ content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+ FileChooserParams params;
+ params.default_file_name = path;
+
+ ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
+
+ IpcSecurityTestUtil::PwnMessageReceived(
+ compromised_renderer->GetProcess()->GetChannel(), evil);
+ terminated.Wait();
+}
+
// Ensure that we kill the renderer process if we try to give it WebUI
// properties and it doesn't have enabled WebUI bindings.
IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
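Review bot: In TestFileChooserWithPath the only pass signal is `terminated.Wait()` returning, so a regression in the browser-side check shows up as a test timeout with no diagnostic, and a renderer that exits for any unrelated reason still counts as a pass. If RenderProcessHostWatcher exposes the exit status in this revision (later Chromium has `did_exit_normally()`), adding `EXPECT_FALSE(terminated.did_exit_normally());` after the wait would at least rule out a clean exit. The title check uses `EXPECT_EQ`, which is non-fatal, so the helper still injects the message when the page did not load; `ASSERT_EQ` would stop there. The comment on the declaration could also state that the helper navigates first and then blocks until the renderer process exits.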
@@ -179,6 +207,20 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
// If the above operation doesn't crash, the test has succeeded!
}
+// This is a test for crbug.com/444198. It tries to send a
+// ViewHostMsg_RunFileChooser containing an invalid path. The browser should
+// correctly terminate the renderer in these cases.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
+ TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
+ TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
+#if defined(OS_WIN)
+ TestFileChooserWithPath(
+ base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
+ TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
+ TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
+#endif
+}
+
class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
public:
explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
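Review bot: AttemptRunFileChoosers only sends paths that must be rejected, so a browser-side check that kills the renderer on every ViewHostMsg_RunFileChooser would pass it. The validation itself is outside this file, so the test is the only place on this page that pins down what "no path elements" means. A control case would close that gap: send a bare basename such as `FILE_PATH_LITERAL("file.txt")` and assert the renderer is still alive. That needs a second helper that does not wait for process exit, and presumably relies on the test shell's file chooser being a no-op. I would also extend the comment above the test to say why the backslash cases sit under `#if defined(OS_WIN)`, for example `// Backslash is only a path separator on Windows; on POSIX it is a legal filename character.`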