search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
QUIC - cleanup changes to sync chromium tree with internal source.
[chromium-blink-merge.git] / components / nacl / browser / nacl_file_host.cc
blob51c29c56458d84af63c0b6331f40b66157f6cdfc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/browser/nacl_file_host.h"
6
7 #include "base/bind.h"
8 #include "base/files/file.h"
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/sequenced_worker_pool.h"
13 #include "components/nacl/browser/bad_message.h"
14 #include "components/nacl/browser/nacl_browser.h"
15 #include "components/nacl/browser/nacl_browser_delegate.h"
16 #include "components/nacl/browser/nacl_host_message_filter.h"
17 #include "components/nacl/common/nacl_host_messages.h"
18 #include "content/public/browser/browser_thread.h"
19 #include "content/public/browser/render_view_host.h"
20 #include "content/public/browser/site_instance.h"
21 #include "ipc/ipc_platform_file.h"
22
23 using content::BrowserThread;
24
25 namespace {
26
27 // Force a prefix to prevent user from opening "magic" files.
28 const char* kExpectedFilePrefix = "pnacl_public_";
29
30 // Restrict PNaCl file lengths to reduce likelyhood of hitting bugs
31 // in file name limit error-handling-code-paths, etc.
32 const size_t kMaxFileLength = 40;
33
34 void NotifyRendererOfError(
35 nacl::NaClHostMessageFilter* nacl_host_message_filter,
36 IPC::Message* reply_msg) {
37 reply_msg->set_reply_error();
38 nacl_host_message_filter->Send(reply_msg);
39 }
40
41 typedef void (*WriteFileInfoReply)(IPC::Message* reply_msg,
42 IPC::PlatformFileForTransit file_desc,
43 uint64 file_token_lo,
44 uint64 file_token_hi);
45
46 void DoRegisterOpenedNaClExecutableFile(
47 scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
48 base::File file,
49 base::FilePath file_path,
50 IPC::Message* reply_msg,
51 WriteFileInfoReply write_reply_message) {
52 // IO thread owns the NaClBrowser singleton.
53 DCHECK_CURRENTLY_ON(BrowserThread::IO);
54
55 nacl::NaClBrowser* nacl_browser = nacl::NaClBrowser::GetInstance();
56 uint64 file_token_lo = 0;
57 uint64 file_token_hi = 0;
58 nacl_browser->PutFilePath(file_path, &file_token_lo, &file_token_hi);
59
60 IPC::PlatformFileForTransit file_desc = IPC::TakeFileHandleForProcess(
61 file.Pass(),
62 nacl_host_message_filter->PeerHandle());
63
64 write_reply_message(reply_msg, file_desc, file_token_lo, file_token_hi);
65 nacl_host_message_filter->Send(reply_msg);
66 }
67
68 void DoOpenPnaclFile(
69 scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
70 const std::string& filename,
71 bool is_executable,
72 IPC::Message* reply_msg) {
73 DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
74 base::FilePath full_filepath;
75
76 // PNaCl must be installed.
77 base::FilePath pnacl_dir;
78 if (!nacl::NaClBrowser::GetDelegate()->GetPnaclDirectory(&pnacl_dir) ||
79 !base::PathExists(pnacl_dir)) {
80 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
81 return;
82 }
83
84 // Do some validation.
85 if (!nacl_file_host::PnaclCanOpenFile(filename, &full_filepath)) {
86 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
87 return;
88 }
89
90 base::File file_to_open = nacl::OpenNaClReadExecImpl(full_filepath,
91 is_executable);
92 if (!file_to_open.IsValid()) {
93 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
94 return;
95 }
96
97 // This function is running on the blocking pool, but the path needs to be
98 // registered in a structure owned by the IO thread.
99 // Not all PNaCl files are executable. Only register those that are
100 // executable in the NaCl file_path cache.
101 if (is_executable) {
102 BrowserThread::PostTask(
103 BrowserThread::IO, FROM_HERE,
104 base::Bind(&DoRegisterOpenedNaClExecutableFile,
105 nacl_host_message_filter,
106 Passed(file_to_open.Pass()), full_filepath, reply_msg,
107 static_cast<WriteFileInfoReply>(
108 NaClHostMsg_GetReadonlyPnaclFD::WriteReplyParams)));
109 } else {
110 IPC::PlatformFileForTransit target_desc =
111 IPC::TakeFileHandleForProcess(file_to_open.Pass(),
112 nacl_host_message_filter->PeerHandle());
113 uint64_t dummy_file_token = 0;
114 NaClHostMsg_GetReadonlyPnaclFD::WriteReplyParams(
115 reply_msg, target_desc, dummy_file_token, dummy_file_token);
116 nacl_host_message_filter->Send(reply_msg);
117 }
118 }
119
120 // Convert the file URL into a file descriptor.
121 // This function is security sensitive. Be sure to check with a security
122 // person before you modify it.
123 void DoOpenNaClExecutableOnThreadPool(
124 scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
125 const GURL& file_url,
126 bool enable_validation_caching,
127 IPC::Message* reply_msg) {
128 DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
129
130 base::FilePath file_path;
131 if (!nacl::NaClBrowser::GetDelegate()->MapUrlToLocalFilePath(
132 file_url,
133 true /* use_blocking_api */,
134 nacl_host_message_filter->profile_directory(),
135 &file_path)) {
136 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
137 return;
138 }
139
140 base::File file = nacl::OpenNaClReadExecImpl(file_path,
141 true /* is_executable */);
142 if (file.IsValid()) {
143 // Opening a NaCl executable works with or without validation caching.
144 // Validation caching requires that the file descriptor is registered now
145 // for later use, which will save time.
146 // When validation caching isn't used (e.g. Non-SFI mode), there is no
147 // reason to do that unnecessary registration.
148 if (enable_validation_caching) {
149 // This function is running on the blocking pool, but the path needs to be
150 // registered in a structure owned by the IO thread.
151 BrowserThread::PostTask(
152 BrowserThread::IO, FROM_HERE,
153 base::Bind(
154 &DoRegisterOpenedNaClExecutableFile,
155 nacl_host_message_filter,
156 Passed(file.Pass()), file_path, reply_msg,
157 static_cast<WriteFileInfoReply>(
158 NaClHostMsg_OpenNaClExecutable::WriteReplyParams)));
159 } else {
160 IPC::PlatformFileForTransit file_desc =
161 IPC::TakeFileHandleForProcess(file.Pass(),
162 nacl_host_message_filter->PeerHandle());
163 uint64_t dummy_file_token = 0;
164 NaClHostMsg_OpenNaClExecutable::WriteReplyParams(
165 reply_msg, file_desc, dummy_file_token, dummy_file_token);
166 nacl_host_message_filter->Send(reply_msg);
167 }
168 } else {
169 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
170 return;
171 }
172 }
173
174 } // namespace
175
176 namespace nacl_file_host {
177
178 void GetReadonlyPnaclFd(
179 scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
180 const std::string& filename,
181 bool is_executable,
182 IPC::Message* reply_msg) {
183 if (!BrowserThread::PostBlockingPoolTask(
184 FROM_HERE,
185 base::Bind(&DoOpenPnaclFile,
186 nacl_host_message_filter,
187 filename,
188 is_executable,
189 reply_msg))) {
190 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
191 }
192 }
193
194 // This function is security sensitive. Be sure to check with a security
195 // person before you modify it.
196 bool PnaclCanOpenFile(const std::string& filename,
197 base::FilePath* file_to_open) {
198 if (filename.length() > kMaxFileLength)
199 return false;
200
201 if (filename.empty())
202 return false;
203
204 // Restrict character set of the file name to something really simple
205 // (a-z, 0-9, and underscores).
206 for (size_t i = 0; i < filename.length(); ++i) {
207 char charAt = filename[i];
208 if (charAt < 'a' || charAt > 'z')
209 if (charAt < '0' || charAt > '9')
210 if (charAt != '_')
211 return false;
212 }
213
214 // PNaCl must be installed.
215 base::FilePath pnacl_dir;
216 if (!nacl::NaClBrowser::GetDelegate()->GetPnaclDirectory(&pnacl_dir) ||
217 pnacl_dir.empty())
218 return false;
219
220 // Prepend the prefix to restrict files to a whitelisted set.
221 base::FilePath full_path = pnacl_dir.AppendASCII(
222 std::string(kExpectedFilePrefix) + filename);
223 *file_to_open = full_path;
224 return true;
225 }
226
227 void OpenNaClExecutable(
228 scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
229 int render_view_id,
230 const GURL& file_url,
231 bool enable_validation_caching,
232 IPC::Message* reply_msg) {
233 if (!BrowserThread::CurrentlyOn(BrowserThread::UI)) {
234 BrowserThread::PostTask(
235 BrowserThread::UI, FROM_HERE,
236 base::Bind(
237 &OpenNaClExecutable,
238 nacl_host_message_filter,
239 render_view_id,
240 file_url,
241 enable_validation_caching,
242 reply_msg));
243 return;
244 }
245
246 // Make sure render_view_id is valid and that the URL is a part of the
247 // render view's site. Without these checks, apps could probe the extension
248 // directory or run NaCl code from other extensions.
249 content::RenderViewHost* rvh = content::RenderViewHost::FromID(
250 nacl_host_message_filter->render_process_id(), render_view_id);
251 if (!rvh) {
252 nacl::bad_message::ReceivedBadMessage(
253 nacl_host_message_filter.get(),
254 nacl::bad_message::NFH_OPEN_EXECUTABLE_BAD_ROUTING_ID);
255 delete reply_msg;
256 return;
257 }
258 content::SiteInstance* site_instance = rvh->GetSiteInstance();
259 if (!content::SiteInstance::IsSameWebSite(site_instance->GetBrowserContext(),
260 site_instance->GetSiteURL(),
261 file_url)) {
262 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
263 return;
264 }
265
266 // The URL is part of the current app. Now query the extension system for the
267 // file path and convert that to a file descriptor. This should be done on a
268 // blocking pool thread.
269 if (!BrowserThread::PostBlockingPoolTask(
270 FROM_HERE,
271 base::Bind(
272 &DoOpenNaClExecutableOnThreadPool,
273 nacl_host_message_filter,
274 file_url,
275 enable_validation_caching,
276 reply_msg))) {
277 NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
278 }
279 }
280
281 } // namespace nacl_file_host