From f34d588eafb45ad5f39ac0d1e09d297a10a3029a Mon Sep 17 00:00:00 2001
From: "cevans@chromium.org"
 <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Thu, 10 Dec 2009 19:16:02 +0000
Subject: Guard against directory traversal due to evil message from
 compromised renderer.

TEST=NONE
BUG=29828

Review URL: http://codereview.chromium.org/467061

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34264 0039d316-1c4b-4281-b951-d872f2087c98
---
 webkit/database/database_util.cc | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'webkit')

diff --git a/webkit/database/database_util.cc b/webkit/database/database_util.cc
index b1ba76a..ae52a5a 100644
--- a/webkit/database/database_util.cc
+++ b/webkit/database/database_util.cc
@@ -52,6 +52,10 @@ FilePath DatabaseUtil::GetFullFilePathForVfsFile(
     full_path = FilePath::FromWStringHack(
         full_path.ToWStringHack() + UTF16ToWide(sqlite_suffix));
   }
+  // Watch out for directory traversal attempts from a compromised renderer.
+  if (full_path.value().find(FILE_PATH_LITERAL("..")) !=
+          FilePath::StringType::npos)
+    return FilePath();
   return full_path;
 }
 
-- 
cgit v1.1