Launch external protocol handlers with C:\Windows\System32 as their CWD.

This mitigates a potential DLL search order hijack for processes that don't implement their own mitigation. BUG=1126506 Change-Id: I26d88354c6b4f8ce42eab0a3ba49eca6313611fa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2410030Reviewed-by: Nico Weber <thakis@chromium.org> Reviewed-by: Eric Lawrence [MSFT] <ericlaw@microsoft.com> Commit-Queue: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/master@{#807014}

Launch external protocol handlers with C:\Windows\System32 as their CWD.
This mitigates a potential DLL search order hijack for processes that don't implement their own mitigation. BUG=1126506 Change-Id: I26d88354c6b4f8ce42eab0a3ba49eca6313611fa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2410030Reviewed-by: Nico Weber <thakis@chromium.org> Reviewed-by: Eric Lawrence [MSFT] <ericlaw@microsoft.com> Commit-Queue: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/master@{#807014}
496cb36c · Greg Thompson · Commit Bot · ac2fc982 · 496cb36c
Commit 496cb36c authored Sep 15, 2020 by Greg Thompson Committed by Commit Bot Sep 15, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 10 deletions

chrome/browser/platform_util_win.cc chrome/browser/platform_util_win.cc +13 -10

No files found.
--- a/chrome/browser/platform_util_win.cc
+++ b/chrome/browser/platform_util_win.cc
@@ -109,16 +109,19 @@ void OpenExternalOnWorkerThread(const GURL& url) {
  if (escaped_url.length() > kMaxUrlLength)
    return;

-  // Specify the user's %TMP% directory as the CWD so that any new proc spawned
-  // does not inherit this proc's CWD. Without this, uninstalls may be broken by
-  // a long-lived child proc that holds a handle to the browser's version
-  // directory.
-  base::FilePath temp_dir;
-  base::PathService::Get(base::DIR_TEMP, &temp_dir);
-  if (reinterpret_cast<ULONG_PTR>(ShellExecuteA(NULL, "open",
-                                                escaped_url.c_str(), NULL,
-                                                temp_dir.AsUTF8Unsafe().c_str(),
-                                                SW_SHOWNORMAL)) <= 32) {
+  // Specify %windir%\system32 as the CWD so that any new proc spawned does not
+  // inherit this proc's CWD. Without this, uninstalls may be broken by a
+  // long-lived child proc that holds a handle to the browser's version
+  // directory (the browser's CWD). A process's CWD is in the standard list of
+  // directories to search when loading a DLL, and precedes the system directory
+  // when safe DLL search mode is disabled (not the default). Setting the CWD to
+  // the system directory is a nice way to mitigate a potential DLL search order
+  // hijack for processes that don't implement their own mitigation.
+  base::FilePath system_dir;
+  base::PathService::Get(base::DIR_SYSTEM, &system_dir);
+  if (reinterpret_cast<ULONG_PTR>(ShellExecuteA(
+          NULL, "open", escaped_url.c_str(), NULL,
+          system_dir.AsUTF8Unsafe().c_str(), SW_SHOWNORMAL)) <= 32) {
    // On failure, it may be good to display a message to the user.
    // https://crbug.com/727913
    return;