diff options
-rw-r--r-- | chromium/net/base/filename_util.cc | 16 | ||||
-rw-r--r-- | chromium/net/base/filename_util.h | 6 |
2 files changed, 15 insertions, 7 deletions
diff --git a/chromium/net/base/filename_util.cc b/chromium/net/base/filename_util.cc index a3135f1ed85..eec7c218e4f 100644 --- a/chromium/net/base/filename_util.cc +++ b/chromium/net/base/filename_util.cc @@ -17,6 +17,7 @@ #include "net/base/escape.h" #include "net/base/filename_util_internal.h" #include "net/base/net_string_util.h" +#include "net/base/url_util.h" #include "net/http/http_content_disposition.h" #include "url/gurl.h" @@ -69,6 +70,10 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) { if (!url.is_valid()) return false; + // We may want to change this to a CHECK in the future. + if (!url.SchemeIsFile()) + return false; + #if defined(OS_WIN) std::string path; std::string host = url.host(); @@ -89,10 +94,13 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) { } std::replace(path.begin(), path.end(), '/', '\\'); #else // defined(OS_WIN) - // Firefox seems to ignore the "host" of a file url if there is one. That is, - // file://foo/bar.txt maps to /bar.txt. - // TODO(dhg): This should probably take into account UNCs which could - // include a hostname other than localhost or blank + // On POSIX, there's no obvious interpretation of file:// URLs with a host. + // Usually, remote mounts are still mounted onto the local filesystem. + // Therefore, we discard all URLs that are not obviously local to prevent + // spoofing attacks using file:// URLs. See crbug.com/881675. + if (!url.host().empty() && !net::IsLocalhost(url)) { + return false; + } std::string path = url.path(); #endif // !defined(OS_WIN) diff --git a/chromium/net/base/filename_util.h b/chromium/net/base/filename_util.h index 5956827fcd2..d6b33cc9976 100644 --- a/chromium/net/base/filename_util.h +++ b/chromium/net/base/filename_util.h @@ -29,9 +29,9 @@ NET_EXPORT GURL FilePathToFileURL(const base::FilePath& path); // invalid or the file path cannot be extracted from |url|. // On failure, *file_path will be empty. // -// It is not a requirement that |url| have a file scheme as other URLs may -// still convert to a file path. One example is on the Windows platform where -// https://hostname/path/to/file.txt will return \\hostname\path\to\file.txt. +// Do not call this with a |url| that doesn't have a file:// scheme. +// The implementation is specific to the platform filesystem, and not +// applicable to other schemes. NET_EXPORT bool FileURLToFilePath(const GURL& url, base::FilePath* file_path); // Generates a filename using the first successful method from the following (in |