Home | History | Annotate | Download | only in browser 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "components/nacl/browser/nacl_file_host.h"
      6 
      7 #include "base/bind.h"
      8 #include "base/file_util.h"
      9 #include "base/files/file.h"
     10 #include "base/files/file_path.h"
     11 #include "base/path_service.h"
     12 #include "base/strings/utf_string_conversions.h"
     13 #include "base/threading/sequenced_worker_pool.h"
     14 #include "components/nacl/browser/nacl_browser.h"
     15 #include "components/nacl/browser/nacl_browser_delegate.h"
     16 #include "components/nacl/browser/nacl_host_message_filter.h"
     17 #include "components/nacl/common/nacl_host_messages.h"
     18 #include "content/public/browser/browser_thread.h"
     19 #include "content/public/browser/render_view_host.h"
     20 #include "content/public/browser/site_instance.h"
     21 #include "ipc/ipc_platform_file.h"
     22 
     23 using content::BrowserThread;
     24 
     25 namespace {
     26 
     27 // Force a prefix to prevent user from opening "magic" files.
     28 const char* kExpectedFilePrefix = "pnacl_public_";
     29 
     30 // Restrict PNaCl file lengths to reduce likelyhood of hitting bugs
     31 // in file name limit error-handling-code-paths, etc.
     32 const size_t kMaxFileLength = 40;
     33 
     34 void NotifyRendererOfError(
     35     nacl::NaClHostMessageFilter* nacl_host_message_filter,
     36     IPC::Message* reply_msg) {
     37   reply_msg->set_reply_error();
     38   nacl_host_message_filter->Send(reply_msg);
     39 }
     40 
     41 base::File PnaclDoOpenFile(const base::FilePath& file_to_open) {
     42   return base::File(file_to_open,
     43                     base::File::FLAG_OPEN | base::File::FLAG_READ);
     44 }
     45 
     46 void DoOpenPnaclFile(
     47     scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
     48     const std::string& filename,
     49     IPC::Message* reply_msg) {
     50   DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
     51   base::FilePath full_filepath;
     52 
     53   // PNaCl must be installed.
     54   base::FilePath pnacl_dir;
     55   if (!nacl::NaClBrowser::GetDelegate()->GetPnaclDirectory(&pnacl_dir) ||
     56       !base::PathExists(pnacl_dir)) {
     57     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
     58     return;
     59   }
     60 
     61   // Do some validation.
     62   if (!nacl_file_host::PnaclCanOpenFile(filename, &full_filepath)) {
     63     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
     64     return;
     65   }
     66 
     67   base::File file_to_open = PnaclDoOpenFile(full_filepath);
     68   if (!file_to_open.IsValid()) {
     69     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
     70     return;
     71   }
     72 
     73   // Send the reply!
     74   // Do any DuplicateHandle magic that is necessary first.
     75   IPC::PlatformFileForTransit target_desc =
     76       IPC::TakeFileHandleForProcess(file_to_open.Pass(),
     77                                     nacl_host_message_filter->PeerHandle());
     78   if (target_desc == IPC::InvalidPlatformFileForTransit()) {
     79     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
     80     return;
     81   }
     82   NaClHostMsg_GetReadonlyPnaclFD::WriteReplyParams(
     83       reply_msg, target_desc);
     84   nacl_host_message_filter->Send(reply_msg);
     85 }
     86 
     87 void DoRegisterOpenedNaClExecutableFile(
     88     scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
     89     base::File file,
     90     base::FilePath file_path,
     91     IPC::Message* reply_msg) {
     92   // IO thread owns the NaClBrowser singleton.
     93   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
     94 
     95   nacl::NaClBrowser* nacl_browser = nacl::NaClBrowser::GetInstance();
     96   uint64 file_token_lo = 0;
     97   uint64 file_token_hi = 0;
     98   nacl_browser->PutFilePath(file_path, &file_token_lo, &file_token_hi);
     99 
    100   IPC::PlatformFileForTransit file_desc = IPC::TakeFileHandleForProcess(
    101       file.Pass(),
    102       nacl_host_message_filter->PeerHandle());
    103 
    104   NaClHostMsg_OpenNaClExecutable::WriteReplyParams(
    105       reply_msg, file_desc, file_token_lo, file_token_hi);
    106   nacl_host_message_filter->Send(reply_msg);
    107 }
    108 
    109 // Convert the file URL into a file descriptor.
    110 // This function is security sensitive.  Be sure to check with a security
    111 // person before you modify it.
    112 void DoOpenNaClExecutableOnThreadPool(
    113     scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
    114     const GURL& file_url,
    115     IPC::Message* reply_msg) {
    116   DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
    117 
    118   base::FilePath file_path;
    119   if (!nacl::NaClBrowser::GetDelegate()->MapUrlToLocalFilePath(
    120           file_url,
    121           true /* use_blocking_api */,
    122           nacl_host_message_filter->profile_directory(),
    123           &file_path)) {
    124     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
    125     return;
    126   }
    127 
    128   base::File file = nacl::OpenNaClExecutableImpl(file_path);
    129   if (file.IsValid()) {
    130     // This function is running on the blocking pool, but the path needs to be
    131     // registered in a structure owned by the IO thread.
    132     BrowserThread::PostTask(
    133         BrowserThread::IO, FROM_HERE,
    134         base::Bind(
    135             &DoRegisterOpenedNaClExecutableFile,
    136             nacl_host_message_filter,
    137             Passed(file.Pass()), file_path, reply_msg));
    138   } else {
    139     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
    140     return;
    141   }
    142 }
    143 
    144 }  // namespace
    145 
    146 namespace nacl_file_host {
    147 
    148 void GetReadonlyPnaclFd(
    149     scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
    150     const std::string& filename,
    151     IPC::Message* reply_msg) {
    152   if (!BrowserThread::PostBlockingPoolTask(
    153           FROM_HERE,
    154           base::Bind(&DoOpenPnaclFile,
    155                      nacl_host_message_filter,
    156                      filename,
    157                      reply_msg))) {
    158     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
    159   }
    160 }
    161 
    162 // This function is security sensitive.  Be sure to check with a security
    163 // person before you modify it.
    164 bool PnaclCanOpenFile(const std::string& filename,
    165                       base::FilePath* file_to_open) {
    166   if (filename.length() > kMaxFileLength)
    167     return false;
    168 
    169   if (filename.empty())
    170     return false;
    171 
    172   // Restrict character set of the file name to something really simple
    173   // (a-z, 0-9, and underscores).
    174   for (size_t i = 0; i < filename.length(); ++i) {
    175     char charAt = filename[i];
    176     if (charAt < 'a' || charAt > 'z')
    177       if (charAt < '0' || charAt > '9')
    178         if (charAt != '_')
    179           return false;
    180   }
    181 
    182   // PNaCl must be installed.
    183   base::FilePath pnacl_dir;
    184   if (!nacl::NaClBrowser::GetDelegate()->GetPnaclDirectory(&pnacl_dir) ||
    185       pnacl_dir.empty())
    186     return false;
    187 
    188   // Prepend the prefix to restrict files to a whitelisted set.
    189   base::FilePath full_path = pnacl_dir.AppendASCII(
    190       std::string(kExpectedFilePrefix) + filename);
    191   *file_to_open = full_path;
    192   return true;
    193 }
    194 
    195 void OpenNaClExecutable(
    196     scoped_refptr<nacl::NaClHostMessageFilter> nacl_host_message_filter,
    197     int render_view_id,
    198     const GURL& file_url,
    199     IPC::Message* reply_msg) {
    200   if (!BrowserThread::CurrentlyOn(BrowserThread::UI)) {
    201     BrowserThread::PostTask(
    202         BrowserThread::UI, FROM_HERE,
    203         base::Bind(
    204             &OpenNaClExecutable,
    205             nacl_host_message_filter,
    206             render_view_id, file_url, reply_msg));
    207     return;
    208   }
    209 
    210   // Make sure render_view_id is valid and that the URL is a part of the
    211   // render view's site. Without these checks, apps could probe the extension
    212   // directory or run NaCl code from other extensions.
    213   content::RenderViewHost* rvh = content::RenderViewHost::FromID(
    214       nacl_host_message_filter->render_process_id(), render_view_id);
    215   if (!rvh) {
    216     nacl_host_message_filter->BadMessageReceived();  // Kill the renderer.
    217     return;
    218   }
    219   content::SiteInstance* site_instance = rvh->GetSiteInstance();
    220   if (!content::SiteInstance::IsSameWebSite(site_instance->GetBrowserContext(),
    221                                             site_instance->GetSiteURL(),
    222                                             file_url)) {
    223     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
    224     return;
    225   }
    226 
    227   // The URL is part of the current app. Now query the extension system for the
    228   // file path and convert that to a file descriptor. This should be done on a
    229   // blocking pool thread.
    230   if (!BrowserThread::PostBlockingPoolTask(
    231       FROM_HERE,
    232       base::Bind(
    233           &DoOpenNaClExecutableOnThreadPool,
    234           nacl_host_message_filter,
    235           file_url, reply_msg))) {
    236     NotifyRendererOfError(nacl_host_message_filter.get(), reply_msg);
    237   }
    238 }
    239 
    240 }  // namespace nacl_file_host
    241