Prevent bindings escalation on an existing NavigationEntry (attempt 2).

content/browser/web_contents/render_view_host_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/render_view_host_manager.h"
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "content/browser/devtools/render_view_devtools_agent_host.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/renderer_host/render_view_host_factory.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/browser/web_contents/interstitial_page_impl.h"
 #include "content/browser/web_contents/navigation_controller_impl.h"
 #include "content/browser/web_contents/navigation_entry_impl.h"
 #include "content/browser/webui/web_ui_impl.h"
 #include "content/common/view_messages.h"
 #include "content/port/browser/render_widget_host_view_port.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_types.h"
+#include "content/public/browser/user_metrics.h"
 #include "content/public/browser/web_contents_view.h"
 #include "content/public/browser/web_ui_controller.h"
 #include "content/public/browser/web_ui_controller_factory.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 
 namespace content {
 
 RenderViewHostManager::RenderViewHostManager(
     RenderViewHostDelegate* render_view_delegate,
@@ skipping 55 matching lines @@
 }
 
 RenderWidgetHostView* RenderViewHostManager::GetRenderWidgetHostView() const {
   if (interstitial_page_)
     return interstitial_page_->GetView();
   if (!render_view_host_)
     return NULL;
   return render_view_host_->GetView();
 }
 
+void RenderViewHostManager::SetPendingWebUI(const NavigationEntryImpl& entry) {
+  pending_web_ui_.reset(
+      delegate_->CreateWebUIForRenderManager(entry.GetURL()));
+  pending_and_current_web_ui_.reset();
+
+  // If this is an existing NavigationEntry, make sure we're not granting it
+  // different bindings than it had before.  If so, note it and don't give it
+  // any bindings, to avoid a potential privilege escalation.
+  if (pending_web_ui_.get() &&
+      !entry.GetContentState().empty() &&

[nasko, 2013/02/13 23:44:02]

This seems redundant, since we already check the bindings on the entry. If an
entry is existing, its bindings shouldn't be kInvalidBindings.

[Charlie Reis, 2013/02/13 23:56:18]

Good point!  Updated.

+      entry.bindings() != NavigationEntryImpl::kInvalidBindings &&
+      pending_web_ui_->GetBindings() != entry.bindings()) {
+    RecordAction(UserMetricsAction("ProcessSwapBindingsMismatch_RVHM"));
+    pending_web_ui_.reset();
+  }
+}
+
 RenderViewHostImpl* RenderViewHostManager::Navigate(
     const NavigationEntryImpl& entry) {
   // Create a pending RenderViewHost. It will give us the one we should use
   RenderViewHostImpl* dest_render_view_host =
       static_cast<RenderViewHostImpl*>(UpdateRendererStateForNavigate(entry));
   if (!dest_render_view_host)
     return NULL;  // We weren't able to create a pending render view host.
 
   // If the current render_view_host_ isn't live, we should create it so
   // that we don't show a sad tab while the dest_render_view_host fetches
@@ skipping 697 matching lines @@
   if (!is_guest_scheme && (new_instance != curr_instance || force_swap)) {
     // New SiteInstance.
     DCHECK(!cross_navigation_pending_);
 
     // This will possibly create (set to NULL) a Web UI object for the pending
     // page. We'll use this later to give the page special access. This must
     // happen before the new renderer is created below so it will get bindings.
     // It must also happen after the above conditional call to CancelPending(),
     // otherwise CancelPending may clear the pending_web_ui_ and the page will
     // not have its bindings set appropriately.
-    pending_web_ui_.reset(
-        delegate_->CreateWebUIForRenderManager(entry.GetURL()));
-    pending_and_current_web_ui_.reset();
+    SetPendingWebUI(entry);
 
     // Ensure that we have created RVHs for the new RVH's opener chain if
     // we are staying in the same BrowsingInstance. This allows the pending RVH
     // to send cross-process script calls to its opener(s).
     int opener_route_id = MSG_ROUTING_NONE;
     if (new_instance->IsRelatedSiteInstance(curr_instance)) {
       opener_route_id =
           delegate_->CreateOpenerRenderViewsForRenderManager(new_instance);
     }
 
@@ skipping 44 matching lines @@
     // doesn't otherwise know that the cross-site request is happening.  This
     // will trigger a call to ShouldClosePage with the reply.
     render_view_host_->FirePageBeforeUnload(true);
 
     return pending_render_view_host_;
   } else {
     if (ShouldReuseWebUI(curr_entry, &entry)) {
       pending_web_ui_.reset();
       pending_and_current_web_ui_ = web_ui_->AsWeakPtr();
     } else {
-      pending_and_current_web_ui_.reset();
-      pending_web_ui_.reset(
-          delegate_->CreateWebUIForRenderManager(entry.GetURL()));
+      SetPendingWebUI(entry);
     }
 
     if (pending_web_ui() && render_view_host_->IsRenderViewLive())
       pending_web_ui()->GetController()->RenderViewReused(render_view_host_);
 
     // The renderer can exit view source mode when any error or cancellation
     // happen. We must overwrite to recover the mode.
     if (entry.IsViewSourceMode()) {
       render_view_host_->Send(
           new ViewMsg_EnableViewSourceMode(render_view_host_->GetRoutingID()));
@@ skipping 76 matching lines @@
 RenderViewHostImpl* RenderViewHostManager::GetSwappedOutRenderViewHost(
     SiteInstance* instance) {
   RenderViewHostMap::iterator iter = swapped_out_hosts_.find(instance->GetId());
   if (iter != swapped_out_hosts_.end())
     return iter->second;
 
   return NULL;
 }
 
 }  // namespace content