Diffstat (limited to 'chrome')
-rw-r--r--chrome/browser/extensions/webstore_inline_installer.cc40
-rw-r--r--chrome/browser/extensions/webstore_inline_installer.h8
-rw-r--r--chrome/browser/extensions/webstore_inline_installer_unittest.cc71
-rw-r--r--chrome/chrome_tests.gypi1
4 files changed, 109 insertions, 11 deletions
diff --git a/chrome/browser/extensions/webstore_inline_installer.cc b/chrome/browser/extensions/webstore_inline_installer.cc
index 598ca2b..c539022 100644
--- a/chrome/browser/extensions/webstore_inline_installer.cc
+++ b/chrome/browser/extensions/webstore_inline_installer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -18,6 +18,7 @@
#include "chrome/common/extensions/extension.h"
#include "chrome/common/extensions/extension_constants.h"
#include "chrome/common/extensions/url_pattern.h"
+#include "chrome/common/url_constants.h"
#include "content/browser/utility_process_host.h"
#include "content/public/browser/web_contents.h"
#include "content/public/common/url_fetcher.h"
@@ -294,19 +295,13 @@ void WebstoreInlineInstaller::OnWebstoreResponseParseSuccess(
// Verified site is required
if (webstore_data->HasKey(kVerifiedSiteKey)) {
- std::string verified_site_domain;
- if (!webstore_data->GetString(kVerifiedSiteKey, &verified_site_domain)) {
+ std::string verified_site;
+ if (!webstore_data->GetString(kVerifiedSiteKey, &verified_site)) {
CompleteInstall(kInvalidWebstoreResponseError);
return;
}
- URLPattern verified_site_pattern(URLPattern::SCHEME_ALL);
- verified_site_pattern.SetScheme("*");
- verified_site_pattern.SetHost(verified_site_domain);
- verified_site_pattern.SetMatchSubdomains(true);
- verified_site_pattern.SetPath("/*");
-
- if (!verified_site_pattern.MatchesURL(requestor_url_)) {
+ if (!IsRequestorURLInVerifiedSite(requestor_url_, verified_site)) {
CompleteInstall(kNotFromVerifiedSiteError);
return;
}
@@ -328,6 +323,31 @@ void WebstoreInlineInstaller::OnWebstoreResponseParseSuccess(
helper->Start();
}
+// static
+bool WebstoreInlineInstaller::IsRequestorURLInVerifiedSite(
+ const GURL& requestor_url,
+ const std::string& verified_site) {
+ // Turn the verified site (which may be a bare domain, or have a port and/or a
+ // path) into a URL that can be parsed by URLPattern.
+ std::string verified_site_url =
+ StringPrintf("http://*.%s%s",
+ verified_site.c_str(),
+ verified_site.find('/') == std::string::npos ? "/*" : "*");
+
+ URLPattern verified_site_pattern(
+ URLPattern::SCHEME_HTTP | URLPattern::SCHEME_HTTPS);
+ URLPattern::ParseResult parse_result =
+ verified_site_pattern.Parse(verified_site_url);
+ if (parse_result != URLPattern::PARSE_SUCCESS) {
+ DLOG(WARNING) << "Could not parse " << verified_site_url <<
+ " as URL pattern " << parse_result;
+ return false;
+ }
+ verified_site_pattern.SetScheme("*");
+
+ return verified_site_pattern.MatchesURL(requestor_url);
+}
+
void WebstoreInlineInstaller::OnWebstoreResponseParseFailure(
const std::string& error) {
CompleteInstall(error);
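Review bot: The `"*"` appended after a verified path in the `StringPrintf` call is a glob rather than a path-segment boundary. A verified site of `example.com/path` is turned into `http://*.example.com/path*`, which, judging from the visible code, would also accept a requestor at `/pathology` or `/path-other/page.html`. On a host where the path is what separates owners, that lets a page outside the verified site pass the check. After the pattern match I would additionally require that the requestor path equals the verified path or continues with `/`, as sketched below. The existing cases in the new unit test should still pass with this, though that is worth confirming against `URLPattern`'s handling of the query string.

```cpp
  verified_site_pattern.SetScheme("*");
  if (!verified_site_pattern.MatchesURL(requestor_url))
    return false;

  // The trailing "*" is a glob, so also require that the match ends on a
  // path-segment boundary ("/path" must not admit "/pathology").
  size_t path_start = verified_site.find('/');
  if (path_start == std::string::npos)
    return true;
  const std::string verified_path = verified_site.substr(path_start);
  if (verified_path[verified_path.size() - 1] == '/')
    return true;
  const std::string requestor_path = requestor_url.path();
  return requestor_path == verified_path ||
         (requestor_path.size() > verified_path.size() &&
          requestor_path[verified_path.size()] == '/');
```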
diff --git a/chrome/browser/extensions/webstore_inline_installer.h b/chrome/browser/extensions/webstore_inline_installer.h
index 96aedfb..68e4394 100644
--- a/chrome/browser/extensions/webstore_inline_installer.h
+++ b/chrome/browser/extensions/webstore_inline_installer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -52,6 +52,7 @@ class WebstoreInlineInstaller
private:
friend class base::RefCountedThreadSafe<WebstoreInlineInstaller>;
friend class SafeWebstoreResponseParser;
+ FRIEND_TEST_ALL_PREFIXES(WebstoreInlineInstallerTest, DomainVerification);
virtual ~WebstoreInlineInstaller();
@@ -100,6 +101,11 @@ class WebstoreInlineInstaller
void CompleteInstall(const std::string& error);
+ // Checks whether the install is initiated by a page in the verified site
+ // (which is at least a domain, but can also have a port or a path).
+ static bool IsRequestorURLInVerifiedSite(const GURL& requestor_url,
+ const std::string& verified_site);
+
int install_id_;
std::string id_;
GURL requestor_url_;
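Review bot: The comment on `IsRequestorURLInVerifiedSite` omits the parts of the contract that decide whether an install is allowed, and a reader of the header cannot infer them. From the implementation in the .cc file, any subdomain of the verified domain is accepted, only http and https requestors can match, an absent port means any port, and a path is matched as a prefix. I would extend the comment with something like `// Subdomains of the verified domain also match; only http(s) requestors are accepted; a path in |verified_site| is matched as a prefix.` The class body starts and ends outside this hunk.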
diff --git a/chrome/browser/extensions/webstore_inline_installer_unittest.cc b/chrome/browser/extensions/webstore_inline_installer_unittest.cc
new file mode 100644
index 0000000..e5616bf
--- /dev/null
+++ b/chrome/browser/extensions/webstore_inline_installer_unittest.cc
@@ -0,0 +1,71 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/extensions/webstore_inline_installer.h"
+#include "googleurl/src/gurl.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+// A macro, so that the IsRequestorURLInVerifiedSite calls are inside of the
+// the test, which is marked as a friend of WebstoreInlineInstaller.
+#define IsVerified(requestor_url, verified_site) \
+ WebstoreInlineInstaller::IsRequestorURLInVerifiedSite( \
+ GURL(requestor_url), verified_site)
+
+TEST(WebstoreInlineInstallerTest, DomainVerification) {
+ // Exact domain match.
+ EXPECT_TRUE(IsVerified("http://example.com", "example.com"));
+
+ // The HTTPS scheme is allowed.
+ EXPECT_TRUE(IsVerified("https://example.com", "example.com"));
+
+ // The file: scheme is not allowed.
+ EXPECT_FALSE(IsVerified("file:///example.com", "example.com"));
+
+ // Trailing slash in URL.
+ EXPECT_TRUE(IsVerified("http://example.com/", "example.com"));
+
+ // Page on the domain.
+ EXPECT_TRUE(IsVerified("http://example.com/page.html", "example.com"));
+
+ // Page on a subdomain.
+ EXPECT_TRUE(IsVerified("http://sub.example.com/page.html", "example.com"));
+
+ // Root domain when only a subdomain is verified.
+ EXPECT_FALSE(IsVerified("http://example.com/", "sub.example.com"));
+
+ // Different subdomain when only a subdomain is verified.
+ EXPECT_FALSE(IsVerified("http://www.example.com/", "sub.example.com"));
+
+ // Port matches.
+ EXPECT_TRUE(IsVerified("http://example.com:123/", "example.com:123"));
+
+ // Port doesn't match.
+ EXPECT_FALSE(IsVerified("http://example.com:456/", "example.com:123"));
+
+ // Port is missing in the requestor URL.
+ EXPECT_FALSE(IsVerified("http://example.com/", "example.com:123"));
+
+ // Port is missing in the verified site (any port matches).
+ EXPECT_TRUE(IsVerified("http://example.com:123/", "example.com"));
+
+ // Path matches.
+ EXPECT_TRUE(IsVerified("http://example.com/path", "example.com/path"));
+
+ // Path doesn't match.
+ EXPECT_FALSE(IsVerified("http://example.com/foo", "example.com/path"));
+
+ // Path is missing.
+ EXPECT_FALSE(IsVerified("http://example.com", "example.com/path"));
+
+ // Path matches (with trailing slash).
+ EXPECT_TRUE(IsVerified("http://example.com/path/", "example.com/path"));
+
+ // Path matches (is a file under the path).
+ EXPECT_TRUE(IsVerified(
+ "http://example.com/path/page.html", "example.com/path"));
+
+ // Path and port match.
+ EXPECT_TRUE(IsVerified(
+ "http://example.com:123/path/page.html", "example.com:123/path"));
+}
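Review bot: The negative cases in `DomainVerification` never probe the boundaries where a lookalike could slip through, so the test would not catch an over-broad match. I would add a host that merely ends in the verified name, `EXPECT_FALSE(IsVerified("http://notexample.com/", "example.com"));`, and a path that merely starts with the verified path, `EXPECT_FALSE(IsVerified("http://example.com/pathology", "example.com/path"));`. From the pattern construction in the .cc file, the second of these looks likely to fail today. A case with an empty or unparsable `verified_site` would also exercise the `PARSE_SUCCESS` failure branch, which currently has no coverage.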
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 83c8a1d..f403878 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1465,6 +1465,7 @@
'browser/extensions/settings/testing_settings_storage_unittest.cc',
'browser/extensions/user_script_listener_unittest.cc',
'browser/extensions/user_script_master_unittest.cc',
+ 'browser/extensions/webstore_inline_installer_unittest.cc',
'browser/external_protocol/external_protocol_handler_unittest.cc',
'browser/favicon/favicon_handler_unittest.cc',
'browser/first_run/first_run_unittest.cc',