angler-fishThe Vulnerability History Project

Resource requests from Save-Page-As should go through CanRequestURL checks.

      This CL:

- Added checks to ResourceDispatcherHostImpl::BeginSaveFile to verify if
  the renderer process is authorized to access a given resource.

- Removed separate code path for file: URIs that used to be implemented
  in SaveFileManager::SaveLocalFile.  Avoiding a separate code path
  helps consolidate all authorization checks in one place.

BUG=616429

Review-Url: https://codereview.chromium.org/2075273002
Cr-Commit-Position: refs/heads/master@{#408235}
by Cornelius the Mosquito 2016-07-27 21:03:26 UTC
commit eff8e457298d01b437e4fd78194ad6de3c8d7ad6
Chromium Fix CVE-2016-5166
chrome/browser/download/save_page_browsertest.cc
+21 -82
chrome/test/data/save_page/frames-objects.htm
-6
chrome/test/data/save_page/text.txt
-1
chrome/test/data/save_page/unauthorized-access.htm
-16
content/browser/download/docs/save-page-as.md
+6 -5
content/browser/download/save_file_manager.cc
+36
content/browser/download/save_file_resource_handler.cc
+9 -17
content/browser/download/save_file_resource_handler.h
+1 -16
content/browser/download/save_item.cc
+1 -3
content/browser/download/save_item.h
+2 -11
content/browser/download/save_package.cc
+25 -30
content/browser/download/save_types.h
+3
content/browser/loader/resource_dispatcher_host_impl.cc
+2 -15
expand_less