summaryrefslogtreecommitdiffstats
path: root/content/browser/browser_plugin/browser_plugin_guest_manager.cc
diff options
context:
space:
mode:
Diffstat (limited to 'content/browser/browser_plugin/browser_plugin_guest_manager.cc')
-rw-r--r--content/browser/browser_plugin/browser_plugin_guest_manager.cc13
1 files changed, 11 insertions, 2 deletions
diff --git a/content/browser/browser_plugin/browser_plugin_guest_manager.cc b/content/browser/browser_plugin/browser_plugin_guest_manager.cc
index 6c86331b..3dceb63 100644
--- a/content/browser/browser_plugin/browser_plugin_guest_manager.cc
+++ b/content/browser/browser_plugin/browser_plugin_guest_manager.cc
@@ -16,6 +16,7 @@
#include "content/public/common/content_switches.h"
#include "content/public/common/result_codes.h"
#include "content/public/common/url_constants.h"
+#include "content/public/common/url_utils.h"
#include "net/base/escape.h"
#include "ui/events/keycodes/keyboard_codes.h"
@@ -44,6 +45,8 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
const BrowserPluginHostMsg_Attach_Params& params,
scoped_ptr<base::DictionaryValue> extra_params) {
SiteInstance* guest_site_instance = NULL;
+ RenderProcessHost* embedder_process_host =
+ embedder_site_instance->GetProcess();
// Validate that the partition id coming from the renderer is valid UTF-8,
// since we depend on this in other parts of the code, such as FilePath
// creation. If the validation fails, treat it as a bad message and kill the
@@ -51,7 +54,7 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
if (!IsStringUTF8(params.storage_partition_id)) {
content::RecordAction(UserMetricsAction("BadMessageTerminate_BPGM"));
base::KillProcess(
- embedder_site_instance->GetProcess()->GetHandle(),
+ embedder_process_host->GetHandle(),
content::RESULT_CODE_KILLED_BAD_MESSAGE, false);
return NULL;
}
@@ -70,7 +73,13 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
guest_site_instance =
embedder_site_instance->GetRelatedSiteInstance(GURL(params.src));
} else {
- const std::string& host = embedder_site_instance->GetSiteURL().host();
+ // Only trust |embedder_frame_url| reported by a WebUI renderer.
+ const GURL& embedder_site_url = embedder_site_instance->GetSiteURL();
+ GURL validated_frame_url(params.embedder_frame_url);
+ RenderViewHost::FilterURL(
+ embedder_process_host, false, &validated_frame_url);
+ const std::string& host = content::HasWebUIScheme(embedder_site_url) ?
+ validated_frame_url.host() : embedder_site_url.host();
std::string url_encoded_partition = net::EscapeQueryParamValue(
params.storage_partition_id, false);
generated by cgit v1.1 at 2025-05-25 03:47:51 +0000