Revert 169711 "Prevent web content from forging File entries in ..."

As it turns out, we only needed to patch the Chrome side. > Prevent web content from forging File entries in drag and drop. > > There are two separate bugs that this and the corresponding Chrome patch > aim to address: > - On Linux, files and URLs are transferred in the same MIME type, so > it's impossible to tell if a filename was set by a trusted source or > forged by web content. > - DownloadURL triggers the download of potentially cross-origin content. > On some platforms, such as Windows, the resulting download is treated > as a file drag by Chrome, allowing web content to read cross origin > content. > > In order to prevent web content from doing this, drags initiated by a > renderer will be marked as tainted. When tainted drags are over web > content, Blink will only allow the resulting filename to be used for > navigation, with Chrome enforcing this with the sandbox policy. > > Unfortunately, this does break some potentially interesting use cases > like being able to drag an attachment from Gmail to a file input, but > those will have to be separately addressed, if possible. > > BUG=346135 > R=abarth@chromium.org, tony@chromium.org > > Review URL: https://codereview.chromium.org/193803002 TBR=dcheng@chromium.org Review URL: https://codereview.chromium.org/211853002 git-svn-id: svn://svn.chromium.org/blink/trunk@169979 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Revert 169711 "Prevent web content from forging File entries in ..."
As it turns out, we only needed to patch the Chrome side. > Prevent web content from forging File entries in drag and drop. > > There are two separate bugs that this and the corresponding Chrome patch > aim to address: > - On Linux, files and URLs are transferred in the same MIME type, so > it's impossible to tell if a filename was set by a trusted source or > forged by web content. > - DownloadURL triggers the download of potentially cross-origin content. > On some platforms, such as Windows, the resulting download is treated > as a file drag by Chrome, allowing web content to read cross origin > content. > > In order to prevent web content from doing this, drags initiated by a > renderer will be marked as tainted. When tainted drags are over web > content, Blink will only allow the resulting filename to be used for > navigation, with Chrome enforcing this with the sandbox policy. > > Unfortunately, this does break some potentially interesting use cases > like being able to drag an attachment from Gmail to a file input, but > those will have to be separately addressed, if possible. > > BUG=346135 > R=abarth@chromium.org, tony@chromium.org > > Review URL: https://codereview.chromium.org/193803002 TBR=dcheng@chromium.org Review URL: https://codereview.chromium.org/211853002 git-svn-id: svn://svn.chromium.org/blink/trunk@169979 bbb929c8-8fbe-4397-9dbb-9b2b20218538
b65d8f8d · dcheng@chromium.org · 5565fad0 · b65d8f8d · b65d8f8d · b65d8f8d
Commit b65d8f8d authored Mar 25, 2014 by dcheng@chromium.org
6 changed files
--- a/third_party/WebKit/Source/core/clipboard/DataObject.h
+++ b/third_party/WebKit/Source/core/clipboard/DataObject.h
@@ -92,10 +92,6 @@ public:
    int modifierKeyState() const { return m_modifierKeyState; }
    void setModifierKeyState(int modifierKeyState) { m_modifierKeyState = modifierKeyState; }

-    // The accessor should only ever be called by DragData.
-    const String& filenameForNavigation() const { return m_filenameForNavigation; }
-    void setFilenameForNavigation(const String& filename) { m_filenameForNavigation = filename; }
-
    void trace(Visitor*);

 private:
@@ -108,8 +104,6 @@ private:

    WillBeHeapVector<RefPtrWillBeMember<DataObjectItem> > m_itemList;

-    String m_filenameForNavigation;
-
    // State of Shift/Ctrl/Alt/Meta keys.
    int m_modifierKeyState;
 };

--- a/third_party/WebKit/Source/core/page/DragController.cpp
+++ b/third_party/WebKit/Source/core/page/DragController.cpp
@@ -265,7 +265,7 @@ bool DragController::performDrag(DragData* dragData)
        return false;

    if (m_page->settings().navigateOnDragDrop())
-        m_page->mainFrame()->loader().load(FrameLoadRequest(0, ResourceRequest(dragData->asURL(DragData::ConvertFilenames))));
+        m_page->mainFrame()->loader().load(FrameLoadRequest(0, ResourceRequest(dragData->asURL())));
    return true;
 }

@@ -946,7 +946,7 @@ DragOperation DragController::dragOperation(DragData* dragData)
    // attached sheet If this can be determined from within WebCore
    // operationForDrag can be pulled into WebCore itself
    ASSERT(dragData);
-    return dragData->containsURL(DragData::ConvertFilenames) && !m_didInitiateDrag ? DragOperationCopy : DragOperationNone;
+    return dragData->containsURL() && !m_didInitiateDrag ? DragOperationCopy : DragOperationNone;
 }

 bool DragController::isCopyKeyDown(DragData* dragData)

--- a/third_party/WebKit/Source/core/page/DragData.cpp
+++ b/third_party/WebKit/Source/core/page/DragData.cpp
@@ -69,21 +69,16 @@ static bool containsHTML(const DataObject* dropData)
 bool DragData::containsURL(FilenameConversionPolicy filenamePolicy) const
 {
    return m_platformDragData->types().contains(mimeTypeTextURIList)
-        || (filenamePolicy == ConvertFilenames
-            && (m_platformDragData->containsFilenames() || !m_platformDragData->filenameForNavigation().isEmpty()));
+        || (filenamePolicy == ConvertFilenames && m_platformDragData->containsFilenames());
 }

 String DragData::asURL(FilenameConversionPolicy filenamePolicy, String* title) const
 {
    String url;
-    if (m_platformDragData->types().contains(mimeTypeTextURIList)) {
+    if (m_platformDragData->types().contains(mimeTypeTextURIList))
        m_platformDragData->urlAndTitle(url, title);
-    } else if (filenamePolicy == ConvertFilenames) {
-        if (containsFiles())
-            url = filePathToURL(m_platformDragData->filenames()[0]);
-        else
-            url = filePathToURL(m_platformDragData->filenameForNavigation());
-    }
+    else if (filenamePolicy == ConvertFilenames && containsFiles())
+        url = filePathToURL(m_platformDragData->filenames()[0]);
    return url;
 }


--- a/third_party/WebKit/Source/core/page/DragData.h
+++ b/third_party/WebKit/Source/core/page/DragData.h
@@ -51,7 +51,6 @@ enum DragApplicationFlags {

 class DragData {
 public:
-    // ConvertFilenames is only intended to be used when treating drags as a navigation action.
    enum FilenameConversionPolicy { DoNotConvertFilenames, ConvertFilenames };

    // clientPosition is taken to be the position of the drag event within the target window, with (0,0) at the top left
@@ -62,10 +61,10 @@ public:
    DragApplicationFlags flags() const { return m_applicationFlags; }
    DataObject* platformData() const { return m_platformDragData; }
    DragOperation draggingSourceOperationMask() const { return m_draggingSourceOperationMask; }
-    bool containsURL(FilenameConversionPolicy filenamePolicy = DoNotConvertFilenames) const;
+    bool containsURL(FilenameConversionPolicy filenamePolicy = ConvertFilenames) const;
    bool containsPlainText() const;
    bool containsCompatibleContent() const;
-    String asURL(FilenameConversionPolicy filenamePolicy = DoNotConvertFilenames, String* title = 0) const;
+    String asURL(FilenameConversionPolicy filenamePolicy = ConvertFilenames, String* title = 0) const;
    String asPlainText() const;
    void asFilenames(Vector<String>&) const;
    PassRefPtr<DocumentFragment> asFragment(LocalFrame*, PassRefPtr<Range> context, bool allowPlainText, bool& chosePlainText) const;

--- a/third_party/WebKit/Source/web/WebDragData.cpp
+++ b/third_party/WebKit/Source/web/WebDragData.cpp
@@ -161,10 +161,4 @@ void WebDragData::setFilesystemId(const WebString& filesystemId)
    DraggedIsolatedFileSystem::provideTo(*m_private.get(), DraggedIsolatedFileSystem::supplementName(), DraggedIsolatedFileSystem::create(filesystemId));
 }

-void WebDragData::setFilenameForNavigation(const WebString& filename)
-{
-    ensureMutable();
-    m_private->setFilenameForNavigation(filename);
-}
-
 } // namespace blink
--- a/third_party/WebKit/public/platform/WebDragData.h
+++ b/third_party/WebKit/public/platform/WebDragData.h
@@ -102,8 +102,6 @@ public:
    BLINK_EXPORT WebString filesystemId() const;
    BLINK_EXPORT void setFilesystemId(const WebString&);

-    BLINK_EXPORT void setFilenameForNavigation(const WebString&);
-
 #if BLINK_IMPLEMENTATION
    explicit WebDragData(const PassRefPtrWillBeRawPtr<WebCore::DataObject>&);
    WebDragData& operator=(const PassRefPtrWillBeRawPtr<WebCore::DataObject>&);