WebDatabase: check path traversal in origin_identifier

content/browser/renderer_host/database_message_filter.cc

Index: content/browser/renderer_host/database_message_filter.cc
diff --git a/content/browser/renderer_host/database_message_filter.cc b/content/browser/renderer_host/database_message_filter.cc
index f8b0aa680c9f5148acb3713f0229c1e53a57837f..f364ce2f2c1a6772e5f86b646c08dd0de48117ba 100644
--- a/content/browser/renderer_host/database_message_filter.cc
+++ b/content/browser/renderer_host/database_message_filter.cc
@@ -284,6 +284,13 @@ void DatabaseMessageFilter::OnDatabaseOpened(const string16& origin_identifier,
                                              const string16& description,
                                              int64 estimated_size) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
+
+  if (!DatabaseUtil::IsValidOriginIdentifier(origin_identifier)) {
+    RecordAction(UserMetricsAction("BadMessageTerminate_DBMF"));
+    BadMessageReceived();
+    return;
+  }
+
   int64 database_size = 0;
   db_tracker_->DatabaseOpened(origin_identifier, database_name, description,
                               estimated_size, &database_size);
@@ -325,6 +332,12 @@ void DatabaseMessageFilter::OnHandleSqliteError(
     const string16& database_name,
     int error) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
+  if (!DatabaseUtil::IsValidOriginIdentifier(origin_identifier)) {
+    RecordAction(UserMetricsAction("BadMessageTerminate_DBMF"));
+    BadMessageReceived();
+    return;
+  }
+
   db_tracker_->HandleSqliteError(origin_identifier, database_name, error);
 }