author | dcheng@chromium.org <dcheng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-14 19:06:02 +0000 |
---|---|---|
committer | dcheng@chromium.org <dcheng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-14 19:06:02 +0000 |
commit | 5b0d76edd5d6d4054b2e1263e23c852226c5f701 (patch) | |
tree | 6b1845643e62c76d68b54fa7135ce7c7a43140c2 /content/browser | |
parent | deb581c1f5cfb7528ab230709d9876f272d2fec9 (diff) | |
Refactor ui::Clipboard::ObjectMap sanitization in ClipboardMsgFilter.
BUG=352395
R=tony@chromium.org
TBR=creis@chromium.org
Review URL: https://codereview.chromium.org/200523004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@257164 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/browser')
-rw-r--r-- | content/browser/renderer_host/clipboard_message_filter.cc | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/content/browser/renderer_host/clipboard_message_filter.cc b/content/browser/renderer_host/clipboard_message_filter.cc
index df6d5c3..e06852a 100644
--- a/content/browser/renderer_host/clipboard_message_filter.cc
+++ b/content/browser/renderer_host/clipboard_message_filter.cc
@@ -31,6 +31,33 @@ void WriteObjectsOnUIThread(ui::Clipboard::ObjectMap* objects) {
 clipboard->WriteObjects(ui::CLIPBOARD_TYPE_COPY_PASTE, *objects);
 }
+enum BitmapPolicy {
+ kFilterBitmap,
+ kAllowBitmap,
+};
+void SanitizeObjectMap(ui::Clipboard::ObjectMap* objects,
+ BitmapPolicy bitmap_policy) {
+ if (bitmap_policy != kAllowBitmap)
+ objects->erase(ui::Clipboard::CBF_SMBITMAP);
+
+ ui::Clipboard::ObjectMap::iterator data_it =
+ objects->find(ui::Clipboard::CBF_DATA);
+ if (data_it != objects->end()) {
+ const ui::Clipboard::FormatType& web_custom_format =
+ ui::Clipboard::GetWebCustomDataFormatType();
+ if (data_it->second.size() != 2 ||
+ !web_custom_format.Equals(
+ ui::Clipboard::FormatType::Deserialize(std::string(
+ &data_it->second[0].front(),
+ data_it->second[0].size())))) {
+ // CBF_DATA should always have two parameters associated with it, and the
+ // associated FormatType should always be web custom data. If not, then
+ // data is malformed and we'll ignore it.
+ objects->erase(ui::Clipboard::CBF_DATA);
+ }
+ }
+}
+
 } // namespace
@@ -102,6 +129,7 @@ void ClipboardMessageFilter::OnWriteObjectsSync(
 // to the clipboard later.
 scoped_ptr<ui::Clipboard::ObjectMap> long_living_objects(
 new ui::Clipboard::ObjectMap(objects));
+ SanitizeObjectMap(long_living_objects.get(), kAllowBitmap);
 // Splice the shared memory handle into the data. |long_living_objects| now
 // contains a heap-allocated SharedMemory object that references
 // |bitmap_handle|. This reference will keep the shared memory section alive
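Review bot: In SanitizeObjectMap, `&data_it->second[0].front()` is evaluated whenever the CBF_DATA parameter list has exactly two entries, but nothing checks that the first entry is non-empty, and calling front() on an empty container is undefined behaviour. The map is presumably filled from a renderer IPC message, so the browser side should not assume the entry has content. Fold an emptiness test into the same condition so that such an entry is erased as malformed: `if (data_it->second.size() != 2 || data_it->second[0].empty() || !web_custom_format.Equals(...))`. The second parameter is not inspected here at all, so whatever consumes CBF_DATA later (outside this hunk) still has to validate it.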
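Review bot: The call with `kAllowBitmap` in OnWriteObjectsSync keeps any CBF_SMBITMAP entry that arrived in `objects`, so its safety depends entirely on the splice described in the following comment overwriting that entry. The async path's comment warns that a leftover entry can lead to dereferencing a rubbish pointer, and the splice code itself is outside this hunk, so please confirm it replaces the entry on every path, including an invalid |bitmap_handle|. A one-line comment at the call would record the reasoning, for example `// CBF_SMBITMAP is kept here because its handle is replaced with |bitmap_handle| below.`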
@@ -124,7 +152,7 @@ void ClipboardMessageFilter::OnWriteObjectsAsync(
 // be removed otherwise we might dereference a rubbish pointer.
 scoped_ptr<ui::Clipboard::ObjectMap> sanitized_objects(
 new ui::Clipboard::ObjectMap(objects));
- sanitized_objects->erase(ui::Clipboard::CBF_SMBITMAP);
+ SanitizeObjectMap(sanitized_objects.get(), kFilterBitmap);
 #if defined(OS_WIN)
 // We cannot write directly from the IO thread, and cannot service the IPC |