Diffstat (limited to 'content/browser/browser_plugin')
-rw-r--r-- | content/browser/browser_plugin/browser_plugin_embedder.cc | 9 | ||||
-rw-r--r-- | content/browser/browser_plugin/browser_plugin_guest_manager.cc | 13 |
2 files changed, 19 insertions, 3 deletions
diff --git a/content/browser/browser_plugin/browser_plugin_embedder.cc b/content/browser/browser_plugin/browser_plugin_embedder.cc
index 1f673ba..ad4279c 100644
--- a/content/browser/browser_plugin/browser_plugin_embedder.cc
+++ b/content/browser/browser_plugin/browser_plugin_embedder.cc
@@ -16,6 +16,7 @@
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/native_web_keyboard_event.h"
+#include "content/public/browser/render_view_host.h"
 #include "content/public/browser/user_metrics.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
@@ -176,7 +177,11 @@ void BrowserPluginEmbedder::OnAttach(
 BrowserPluginGuest* guest =
 GetBrowserPluginGuestManager()->GetGuestByInstanceID(
 instance_id, web_contents()->GetRenderProcessHost()->GetID());
-
+
+ RenderProcessHost* render_process_host =
+ web_contents()->GetRenderProcessHost();
+ GURL validated_frame_url(params.embedder_frame_url);
+ RenderViewHost::FilterURL(render_process_host, false, &validated_frame_url);
 if (guest) {
 // There is an implicit order expectation here:
@@ -187,6 +192,7 @@ void BrowserPluginEmbedder::OnAttach(
 GetContentClient()->browser()->GuestWebContentsAttached(
 guest->GetWebContents(),
 web_contents(),
+ validated_frame_url,
 extra_params);
 guest->Attach(
 static_cast<WebContentsImpl*>(web_contents()), params, extra_params);
@@ -202,6 +208,7 @@ void BrowserPluginEmbedder::OnAttach(
 GetContentClient()->browser()->GuestWebContentsAttached(
 guest->GetWebContents(),
 web_contents(),
+ validated_frame_url,
 extra_params);
 guest->Initialize(static_cast<WebContentsImpl*>(web_contents()), params);
 }
diff --git a/content/browser/browser_plugin/browser_plugin_guest_manager.cc b/content/browser/browser_plugin/browser_plugin_guest_manager.cc
index 6c86331b..3dceb63 100644
--- a/content/browser/browser_plugin/browser_plugin_guest_manager.cc
+++ b/content/browser/browser_plugin/browser_plugin_guest_manager.cc
@@ -16,6 +16,7 @@
 #include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
 #include "content/public/common/url_constants.h"
+#include "content/public/common/url_utils.h"
 #include "net/base/escape.h"
 #include "ui/events/keycodes/keyboard_codes.h"
@@ -44,6 +45,8 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
 const BrowserPluginHostMsg_Attach_Params& params,
 scoped_ptr<base::DictionaryValue> extra_params) {
 SiteInstance* guest_site_instance = NULL;
+ RenderProcessHost* embedder_process_host =
+ embedder_site_instance->GetProcess();
 // Validate that the partition id coming from the renderer is valid UTF-8,
 // since we depend on this in other parts of the code, such as FilePath
 // creation. If the validation fails, treat it as a bad message and kill the
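Review bot: In BrowserPluginEmbedder::OnAttach only the copy passed to `GuestWebContentsAttached` is filtered, while `guest->Attach(...)` and `guest->Initialize(...)` in the two following hunks still receive the original `params`, so the renderer-supplied `params.embedder_frame_url` travels on unfiltered. If the guest reads that field (not visible here), it should be given the filtered value, or the call sites should carry a comment such as `// |params.embedder_frame_url| is unfiltered renderer input; trust decisions must use |validated_frame_url|.` As far as I can tell FilterURL only limits the URL to what the process may request and does not confirm that the embedder frame is actually at that URL, so the name `validated_frame_url` promises more than the check delivers and the content client should treat the value as a claim. The bare `false` would read better as `false /* empty_allowed */`. OnAttach begins and ends outside these hunks.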
@@ -51,7 +54,7 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
 if (!IsStringUTF8(params.storage_partition_id)) {
 content::RecordAction(UserMetricsAction("BadMessageTerminate_BPGM"));
 base::KillProcess(
- embedder_site_instance->GetProcess()->GetHandle(),
+ embedder_process_host->GetHandle(),
 content::RESULT_CODE_KILLED_BAD_MESSAGE, false);
 return NULL;
 }
@@ -70,7 +73,13 @@ BrowserPluginGuest* BrowserPluginGuestManager::CreateGuest(
 guest_site_instance =
 embedder_site_instance->GetRelatedSiteInstance(GURL(params.src));
 } else {
- const std::string& host = embedder_site_instance->GetSiteURL().host();
+ // Only trust |embedder_frame_url| reported by a WebUI renderer.
+ const GURL& embedder_site_url = embedder_site_instance->GetSiteURL();
+ GURL validated_frame_url(params.embedder_frame_url);
+ RenderViewHost::FilterURL(
+ embedder_process_host, false, &validated_frame_url);
+ const std::string& host = content::HasWebUIScheme(embedder_site_url) ?
+ validated_frame_url.host() : embedder_site_url.host();
 std::string url_encoded_partition = net::EscapeQueryParamValue(
 params.storage_partition_id, false); |
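Review bot: In the WebUI branch of CreateGuest, `validated_frame_url.host()` is used without checking that filtering left a URL with a host; a rejected or malformed `embedder_frame_url` is, as far as I know, replaced by a blank URL, which would make `host` empty. `host` appears to feed the guest site construction below the hunk, so the empty case deserves explicit handling right after the assignment, for example rejecting the request when a WebUI embedder yields no host (`if (host.empty()) return NULL;` inside that case), or applying the same bad-message treatment as the UTF-8 check above. The construct-then-FilterURL sequence is now duplicated from BrowserPluginEmbedder::OnAttach and could move into one shared helper so both sites stay in step. CreateGuest continues past the end of the hunk.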