-rw-r--r-- | chrome/browser/browser_init.cc | 24 | ||||
-rw-r--r-- | chrome/browser/browser_init_browsertest.cc | 29 |
2 files changed, 49 insertions, 4 deletions
diff --git a/chrome/browser/browser_init.cc b/chrome/browser/browser_init.cc
index 6512071..e495b71 100644
--- a/chrome/browser/browser_init.cc
+++ b/chrome/browser/browser_init.cc
@@ -14,6 +14,7 @@
 #include "chrome/browser/browser_list.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_window.h"
+#include "chrome/browser/child_process_security_policy.h"
 #include "chrome/browser/chrome_thread.h"
 #include "chrome/browser/defaults.h"
 #include "chrome/browser/extensions/extension_creator.h"
@@ -503,9 +504,15 @@ bool BrowserInit::LaunchWithProfile::OpenApplicationURL(Profile* profile) {
 #endif
 GURL url(url_string);
+ // Restrict allowed URLs for --app switch.
 if (!url.is_empty() && url.is_valid()) {
- Browser::OpenApplicationWindow(profile, url);
- return true;
+ if (url.SchemeIs(chrome::kHttpsScheme) ||
+ url.SchemeIs(chrome::kHttpScheme) ||
+ url.SchemeIs(chrome::kFtpScheme) ||
+ url.SchemeIs(chrome::kFileScheme)) {
+ Browser::OpenApplicationWindow(profile, url);
+ return true;
+ }
 }
 return false;
 }
@@ -627,6 +634,9 @@ std::vector<GURL> BrowserInit::LaunchWithProfile::GetURLsFromCommandLine(
 Profile* profile) {
 std::vector<GURL> urls;
 std::vector<std::wstring> params = command_line_.GetLooseValues();
+ ChildProcessSecurityPolicy *policy =
+ ChildProcessSecurityPolicy::GetInstance();
+
 for (size_t i = 0; i < params.size(); ++i) {
 std::wstring& value = params[i];
 // Handle Vista way of searching - "? <search-term>"
@@ -649,8 +659,14 @@ std::vector<GURL> BrowserInit::LaunchWithProfile::GetURLsFromCommandLine(
 // This will create a file URL or a regular URL.
 GURL url = GURL(WideToUTF8(
 URLFixerUpper::FixupRelativeFile(cur_dir_, value)));
- if (url.is_valid())
- urls.push_back(url);
+ // Exclude dangerous schemes.
+ if (url.is_valid()) {
+ if (policy->IsWebSafeScheme(url.scheme()) ||
+ url.SchemeIs(chrome::kFileScheme) ||
+ !url.spec().compare(chrome::kAboutBlankURL)) {
+ urls.push_back(url);
+ }
+ }
 }
 }
 return urls;
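Review bot: The `--app` allowlist in `OpenApplicationURL` is spelled out as four `SchemeIs` calls, while `GetURLsFromCommandLine` in the same file filters loose URLs with a different rule (`IsWebSafeScheme`, `file:`, `about:blank`), so the two command-line entry points can drift apart as schemes are added. Consider one file-local predicate that both paths call, and widen the comment to give the reason, for example `// --app takes its URL from the command line, which other programs can supply; open only ordinary content schemes.` A rejected URL now falls through to `return false` with no log line, which makes a blocked launch hard to diagnose; a `LOG(WARNING)` naming the rejected scheme rather than the full URL would help. The function body starts outside the hunk.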
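Review bot: `!url.spec().compare(chrome::kAboutBlankURL)` in the new filter of `GetURLsFromCommandLine` is an equality test written as a negated three-way compare, which is easy to misread as "not about:blank" inside a security check; `url.spec() == chrome::kAboutBlankURL` states the same condition directly. The accepted set also depends on whatever is registered as web-safe in `ChildProcessSecurityPolicy` when this runs, which is not visible in this diff, so the `// Exclude dangerous schemes.` comment would be more useful if it listed the schemes the command line is meant to accept. The declaration added in the previous hunk is written `ChildProcessSecurityPolicy *policy`, while the surrounding code attaches the `*` to the type (`Profile* profile`). The loop body starts outside the hunk.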
diff --git a/chrome/browser/browser_init_browsertest.cc b/chrome/browser/browser_init_browsertest.cc
index 5c6d60a..ed4bad8 100644
--- a/chrome/browser/browser_init_browsertest.cc
+++ b/chrome/browser/browser_init_browsertest.cc
@@ -6,6 +6,7 @@
 #include "chrome/browser/browser_init.h"
 #include "chrome/browser/browser_list.h"
 #include "chrome/browser/browser_window.h"
+#include "chrome/browser/tab_contents/tab_contents.h"
 #include "chrome/test/in_process_browser_test.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -55,4 +56,32 @@ IN_PROC_BROWSER_TEST_F(BrowserInitTest, OpenURLsPopup) {
 BrowserList::RemoveObserver(&observer);
 }
+// Test that we prevent openning potentially dangerous schemes from the
+// command line. Marked FLAKY because browser instance may not start before
+// enumerating the tabs.
+IN_PROC_BROWSER_TEST_F(BrowserInitTest, FLAKY_BlockBadURLs) {
+ const std::wstring testurlstr(L"http://localhost/");
+ const GURL testurl(WideToUTF16Hack(testurlstr));
+ CommandLine cmdline(CommandLine::ARGUMENTS_ONLY);
+ cmdline.AppendLooseValue(testurlstr);
+ cmdline.AppendLooseValue(std::wstring(L"javascript:alert('boo')"));
+ cmdline.AppendLooseValue(testurlstr);
+ cmdline.AppendLooseValue(std::wstring(L"view-source:http://localhost/"));
+
+ // This will pick up the current browser instance.
+ BrowserInit::LaunchWithProfile launch(std::wstring(), cmdline);
+ launch.Launch(browser()->profile(), false);
+
+ // Give the browser a chance to start first.
+ PlatformThread::Sleep(50);
+
+ // Skip about:blank in the first tab
+ for (int i = 1; i < browser()->tab_count(); i++) {
+ const GURL &url = browser()->GetTabContentsAt(i)->GetURL();
+ ASSERT_EQ(url, testurl);
+ }
+ ASSERT_EQ(browser()->tab_count(), 3);
+}
+
+
 } // namespace |
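Review bot: `FLAKY_BlockBadURLs` waits with `PlatformThread::Sleep(50)` and checks the tab count only after the loop, so on a slow start the loop over tabs can run zero times before anything is asserted. Moving `ASSERT_EQ(3, browser()->tab_count());` above the loop makes that failure explicit. Waiting on a load-complete signal from the test harness instead of sleeping would let the test drop the FLAKY prefix, since a security regression test that is allowed to flake gives little assurance. The test covers only loose command-line values: the `--app` scheme check added in browser_init.cc and the accepted `file:` and `about:blank` cases have no coverage here.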