[3p-Conflicts] Now ignore wanted modules in IsBlacklisted()

We explicitly allow all modules seemingly signed by the signer of the process's main exe to load into the process. Bug: 819793 Change-Id: I3636b8251cb82cd1d4a5f69f3899ea4516b1b00a Reviewed-on: https://chromium-review.googlesource.com/952074 Commit-Queue: Patrick Monette <pmonette@chromium.org> Reviewed-by: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/master@{#543091}

[3p-Conflicts] Now ignore wanted modules in IsBlacklisted()
We explicitly allow all modules seemingly signed by the signer of the process's main exe to load into the process. Bug: 819793 Change-Id: I3636b8251cb82cd1d4a5f69f3899ea4516b1b00a Reviewed-on: https://chromium-review.googlesource.com/952074 Commit-Queue: Patrick Monette <pmonette@chromium.org> Reviewed-by: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/master@{#543091}
7ceeebaf · Patrick Monette · Commit Bot · b693bb9f · 7ceeebaf · 7ceeebaf
Commit 7ceeebaf authored Mar 14, 2018 by Patrick Monette Committed by Commit Bot Mar 14, 2018
Showing with 21 additions and 1 deletion

chrome/browser/conflicts/module_list_filter_win.cc chrome/browser/conflicts/module_list_filter_win.cc +17 -1

chrome/browser/conflicts/module_list_filter_win.h chrome/browser/conflicts/module_list_filter_win.h +4 -0

No files found.
--- a/chrome/browser/conflicts/module_list_filter_win.cc
+++ b/chrome/browser/conflicts/module_list_filter_win.cc
@@ -6,10 +6,12 @@

 #include <string>

+#include "base/base_paths.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/i18n/case_conversion.h"
 #include "base/logging.h"
+#include "base/path_service.h"
 #include "base/sha1.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
@@ -61,10 +63,15 @@ ModuleListFilter::~ModuleListFilter() = default;
 bool ModuleListFilter::Initialize(const base::FilePath& module_list_path) {
  DCHECK(!initialized_);

+  base::FilePath exe_path;
  std::string contents;
-  initialized_ = base::ReadFileToString(module_list_path, &contents) &&
+  initialized_ = base::PathService::Get(base::FILE_EXE, &exe_path) &&
+                 base::ReadFileToString(module_list_path, &contents) &&
                 module_list_.ParseFromString(contents);

+  if (initialized_)
+    GetCertificateInfo(exe_path, &exe_certificate_info_);
+
  return initialized_;
 }

@@ -93,6 +100,15 @@ ModuleListFilter::IsBlacklisted(const ModuleInfoKey& module_key,
                                const ModuleInfoData& module_data) const {
  DCHECK(initialized_);

+  // Ignore modules whose signing cert's Subject field matches the one in the
+  // current executable. No attempt is made to check the validity of module
+  // signatures or of signing certs.
+  if (exe_certificate_info_.type != CertificateType::NO_CERTIFICATE &&
+      exe_certificate_info_.subject ==
+          module_data.inspection_result->certificate_info.subject) {
+    return nullptr;
+  }
+
  // Precompute the hash of the basename and of the code id.
  const std::string module_basename_hash =
      base::SHA1HashString(base::UTF16ToUTF8(

--- a/chrome/browser/conflicts/module_list_filter_win.h
+++ b/chrome/browser/conflicts/module_list_filter_win.h
@@ -8,6 +8,7 @@
 #include <memory>

 #include "base/macros.h"
+#include "chrome/browser/conflicts/module_info_util_win.h"
 #include "chrome/browser/conflicts/proto/module_list.pb.h"

 struct ModuleInfoKey;
@@ -49,6 +50,9 @@ class ModuleListFilter {
      const ModuleInfoData& module_data) const;

 private:
+  // The certificate info of the current executable.
+  CertificateInfo exe_certificate_info_;
+
  chrome::conflicts::ModuleList module_list_;

  // Indicates if Initalize() has been succesfully called.