FileAPIMessageFilter Security: Minimal patch to fix permissions escalation.

Per vandebo's suggestion, this is a minimal fix to the security-hole meant
for backporting/merging.

https://codereview.chromium.org/23760004/ is the long-term fix.

BUG=284792

Review URL: https://chromiumcodereview.appspot.com/23461031

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@222143 0039d316-1c4b-4281-b951-d872f2087c98

content/browser/child_process_security_policy_impl.cc

@@ -38,6 +38,7 @@ const int kReadFilePermissions =
 const int kWriteFilePermissions =
     base::PLATFORM_FILE_OPEN |
     base::PLATFORM_FILE_WRITE |
+    base::PLATFORM_FILE_APPEND |
     base::PLATFORM_FILE_EXCLUSIVE_WRITE |
     base::PLATFORM_FILE_ASYNC |
     base::PLATFORM_FILE_WRITE_ATTRIBUTES;

content/browser/fileapi/fileapi_message_filter.cc

@@ -470,8 +470,7 @@ void FileAPIMessageFilter::OnOpenFile(
     int request_id, const GURL& path, int file_flags) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   base::PlatformFileError error;
-  const int open_permissions = base::PLATFORM_FILE_OPEN |
-                               (file_flags & fileapi::kOpenFilePermissions);
+  const int open_permissions = file_flags & fileapi::kOpenPepperFilePermissions;
   FileSystemURL url(context_->CrackURL(path));
   if (!HasPermissionsForFile(url, open_permissions, &error)) {
     Send(new FileSystemMsg_DidFail(request_id, error));
@@ -492,7 +491,7 @@ void FileAPIMessageFilter::OnOpenFile(
   }
 
   operations_[request_id] = operation_runner()->OpenFile(
-      url, file_flags, PeerHandle(),
+      url, open_permissions, PeerHandle(),
       base::Bind(&FileAPIMessageFilter::DidOpenFile, this, request_id,
                  quota_policy));
 }

webkit/browser/fileapi/file_permission_policy.cc

@@ -21,14 +21,17 @@ const int kWriteFilePermissions = base::PLATFORM_FILE_OPEN |
 
 const int kCreateFilePermissions = base::PLATFORM_FILE_CREATE;
 
-const int kOpenFilePermissions = base::PLATFORM_FILE_CREATE |
-                                 base::PLATFORM_FILE_OPEN_ALWAYS |
-                                 base::PLATFORM_FILE_CREATE_ALWAYS |
-                                 base::PLATFORM_FILE_OPEN_TRUNCATED |
-                                 base::PLATFORM_FILE_WRITE |
-                                 base::PLATFORM_FILE_EXCLUSIVE_WRITE |
-                                 base::PLATFORM_FILE_DELETE_ON_CLOSE |
-                                 base::PLATFORM_FILE_WRITE_ATTRIBUTES;
+const int kOpenPepperFilePermissions = base::PLATFORM_FILE_OPEN |
+                                       base::PLATFORM_FILE_CREATE |
+                                       base::PLATFORM_FILE_OPEN_ALWAYS |
+                                       base::PLATFORM_FILE_CREATE_ALWAYS |
+                                       base::PLATFORM_FILE_OPEN_TRUNCATED |
+                                       base::PLATFORM_FILE_READ |
+                                       base::PLATFORM_FILE_WRITE |
+                                       base::PLATFORM_FILE_APPEND |
+                                       base::PLATFORM_FILE_EXCLUSIVE_WRITE |
+                                       base::PLATFORM_FILE_DELETE_ON_CLOSE |
+                                       base::PLATFORM_FILE_WRITE_ATTRIBUTES;
 
 
 }  // namespace fileapi

webkit/browser/fileapi/file_permission_policy.h

@@ -12,7 +12,7 @@ namespace fileapi {
 WEBKIT_STORAGE_BROWSER_EXPORT extern const int kReadFilePermissions;
 WEBKIT_STORAGE_BROWSER_EXPORT extern const int kWriteFilePermissions;
 WEBKIT_STORAGE_BROWSER_EXPORT extern const int kCreateFilePermissions;
-WEBKIT_STORAGE_BROWSER_EXPORT extern const int kOpenFilePermissions;
+WEBKIT_STORAGE_BROWSER_EXPORT extern const int kOpenPepperFilePermissions;
 
 enum FilePermissionPolicy {
   // Any access should be always denied.