From 32d738858eea1b66aef96e250a0471e5e8835cd6 Mon Sep 17 00:00:00 2001
From: "bartfab@chromium.org"
Date: Thu, 14 Aug 2014 13:05:32 +0000
Subject: Revert 289526 "Fix Mac sandbox meta data access"

Speculative revert as a lot of Mac bots broke when this landed:
http://build.chromium.org/p/chromium.mac/builders/Mac%2010.6%20Tests%20%28dbg%29%282%29/builds/54365
http://build.chromium.org/p/chromium.mac/builders/Mac%2010.6%20Tests%20%28dbg%29%284%29/builds/43947
http://build.chromium.org/p/chromium.mac/builders/Mac%2010.6%20Tests%20%28dbg%29%283%29/builds/52314
> Fix Mac sandbox meta data access
>
> Sandbox::AllowMetadataForPath() currently allow all metadata access due to
> https://codereview.chromium.org/10539009/ made the for loop comparison
> in Sandbox::AllowMetadataForPath() always false, when we actually only
> want to allow access to the path and all its parent path until root.
>
> Turn the for loop to a do/while loop instead as it's a better fit, also
> add a test case for Sandbox::AllowMetadataForPath().
>
> It should only affect component builds on OS X 10.6 and utility process
> as no other process is using this mechanism.
>
> Review URL: https://codereview.chromium.org/472513002
TBR=jiangj@opera.com
Review URL: https://codereview.chromium.org/469293002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@289541 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/common/sandbox_mac.h | 1 -
 content/common/sandbox_mac.mm | 10 ++++------
 content/common/sandbox_mac_diraccess_unittest.mm | 13 +------------
 3 files changed, 5 insertions(+), 19 deletions(-)
diff --git a/content/common/sandbox_mac.h b/content/common/sandbox_mac.h
index f978f02..557b4fb7 100644
--- a/content/common/sandbox_mac.h
+++ b/content/common/sandbox_mac.h
@@ -160,7 +160,6 @@ class CONTENT_EXPORT Sandbox {
 FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, StringEscape);
 FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, RegexEscape);
 FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, SandboxAccess);
- FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, AllowMetadataForPath);
 DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };
diff --git a/content/common/sandbox_mac.mm b/content/common/sandbox_mac.mm
index 4067e32..c7c1265 100644
--- a/content/common/sandbox_mac.mm
+++ b/content/common/sandbox_mac.mm
@@ -114,14 +114,12 @@ NSString* Sandbox::AllowMetadataForPath(const base::FilePath& allowed_path) {
 // Collect a list of all parent directories.
 base::FilePath last_path = allowed_path;
 std::vector subpaths;
-
- base::FilePath path = allowed_path;
- do {
+ for (base::FilePath path = allowed_path;
+ path.value() != last_path.value();
+ path = path.DirName()) {
 subpaths.push_back(path);
- last_path = path;
- path = path.DirName();
- } while (path.value() != last_path.value());
+ }
 // Iterate through all parents and allow stat() on them explicitly.
 NSString* sandbox_command = @"(allow file-read-metadata ";
diff --git a/content/common/sandbox_mac_diraccess_unittest.mm b/content/common/sandbox_mac_diraccess_unittest.mm
index 7fb7d45..06a5442 100644
--- a/content/common/sandbox_mac_diraccess_unittest.mm
+++ b/content/common/sandbox_mac_diraccess_unittest.mm
@@ -127,6 +127,7 @@ TEST_F(MacDirAccessSandboxTest, RegexEscape) {
 std::string out;
 EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out));
 EXPECT_EQ(expected, out);
+
 }
 }
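Review bot: The `for` loop this revert restores in Sandbox::AllowMetadataForPath() never executes its body, because `last_path` and the loop variable `path` are both initialised from `allowed_path`, so `path.value() != last_path.value()` is already false on the first check and `subpaths` stays empty. The quoted description of 289526 says this is the state in which the function allows all metadata access instead of only the path and its parents, so the revert knowingly reopens that sandbox gap, and the last hunk also deletes the AllowMetadataForPath test that pinned the expected `(literal ...)` list. If the revert has to land to unblock the bots, mark the loop so the regression is not forgotten, e.g. `// TODO(crbug.com/<bug-id>): condition is false on entry, so subpaths is empty; reland the do/while from 289526.` How the empty list is turned into the final rule lies outside this hunk, so the exact effect on the generated profile should be confirmed there.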
@@ -177,18 +178,6 @@ TEST_F(MacDirAccessSandboxTest, SandboxAccess) {
 }
 }
-TEST_F(MacDirAccessSandboxTest, AllowMetadataForPath) {
- {
- std::string expected(
- "(allow file-read-metadata (literal \"/\")(literal \"/System\")"
- "(literal \"/System/Library\")"
- "(literal \"/System/Library/Frameworks\"))");
- NSString* sandbox_command = Sandbox::AllowMetadataForPath(
- base::FilePath("/System/Library/Frameworks"));
- EXPECT_EQ(base::SysNSStringToUTF8(sandbox_command), expected);
- }
-}
-
 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey);
 if (!sandbox_allowed_dir)
-- cgit v1.1