Handle invalid input for SourceHighlighter, Don't Allow Relative Paths in ErrorHandler

chrome/browser/ui/webui/extensions/extension_error_handler.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/extensions/extension_error_handler.h"
 
 #include "base/bind.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
 #include "base/location.h"
@@ skipping 72 matching lines @@
     const base::ListValue* args) {
   // There should only be one argument, a dictionary. Use this instead of a list
   // because it's more descriptive, harder to accidentally break with minor
   // modifications, and supports optional arguments more easily.
   CHECK_EQ(1u, args->GetSize());
 
   const base::DictionaryValue* dict = NULL;
 
   // Three required arguments: extension_id, path_suffix, and error_message.
   std::string extension_id;
-  base::FilePath::StringType path_suffix;
+  base::FilePath::StringType path_suffix_string;
   base::string16 error_message;
 
   if (!args->GetDictionary(0, &dict) ||
-      !dict->GetString(kPathSuffixKey, &path_suffix) ||
+      !dict->GetString(kPathSuffixKey, &path_suffix_string) ||
       !dict->GetString(ExtensionError::kExtensionIdKey, &extension_id) ||
       !dict->GetString(ExtensionError::kMessageKey, &error_message)) {
     NOTREACHED();
     return;
   }
 
   const Extension* extension =
       ExtensionSystem::Get(Profile::FromWebUI(web_ui()))->
           extension_service()->GetExtensionById(extension_id,
                                                 true /* include disabled */ );
+
+  // Under no circumstances should we ever need to reference a file outside of
+  // the extension's directory. If it tries to, abort.
+  base::FilePath path_suffix(path_suffix_string);
+  if (path_suffix.ReferencesParent())
+    return;
+
   base::FilePath path = extension->path().Append(path_suffix);
 
   // Setting the title and the error message is the same for all file types.
   scoped_ptr<base::DictionaryValue> results(new base::DictionaryValue);
   results->SetString(kTitleKey,
                      base::UTF8ToUTF16(extension->name()) +
                          base::ASCIIToUTF16(": ") +
                          path.BaseName().LossyDisplayName());
   results->SetString(ExtensionError::kMessageKey, error_message);
 
   base::Closure closure;
   std::string* contents = NULL;
 
-  if (path_suffix == kManifestFilename) {
+  if (path_suffix_string == kManifestFilename) {
     std::string manifest_key;
     if (!dict->GetString(ManifestError::kManifestKeyKey, &manifest_key)) {
       NOTREACHED();
       return;
     }
 
     // A "specific" location is optional.
     std::string specific;
     dict->GetString(ManifestError::kManifestSpecificKey, &specific);
 
@@ skipping 39 matching lines @@
     base::DictionaryValue* results,
     int line_number,
     std::string* contents) {
   SourceHighlighter highlighter(*contents, line_number);
   highlighter.SetHighlightedRegions(results);
   web_ui()->CallJavascriptFunction(
       "extensions.ExtensionErrorOverlay.requestFileSourceResponse", *results);
 }
 
 }  // namespace extensions