[Backport] Fix for security issue 888678

Destroy KeyboardLockServiceImpl instance when RenderFrameHost goes away This CL updates KeyboardLockServiceImpl to release its mojo binding if the RenderFrameHost instance it is linked to is destroyed. Bug: 888678 Change-Id: I96f8e67029389c7c34942d04242fb9bde1f5a0f3 Reviewed-on: https://chromium-review.googlesource.com/1246290 Commit-Queue: Joe Downing <joedow@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#594534}(cherry picked from commit 9d46e6e6ca8b9021b2d9f60bc3f3261b8718c616) Reviewed-on: https://chromium-review.googlesource.com/1254503 Reviewed-by: Joe Downing <joedow@chromium.org> Cr-Commit-Position: refs/branch-heads/3538@{#769} Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-10-29 12:55:06 +0100
committer: Michael Brüning <michael.bruning@qt.io> 2018-11-05 15:37:21 +0000
commit: f428bbce2a8f33801b92c6bb87203afb7ad6701c (patch)
tree: 63a0e190153ae3bd05bf784885f25c541368aa9c
parent: 5d514fa9baf044e77594471e1dce04e7c93e83cd (diff)
2 files changed, 23 insertions, 13 deletions
diff --git a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc
index 49d3535cbdc..74716f7a00f 100644
--- a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc
+++ b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc
@@ -9,25 +9,28 @@
 
 #include "base/memory/ptr_util.h"
 #include "content/public/browser/render_frame_host.h"
+#include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/public/browser/web_contents.h"
 
 namespace content {
 
 KeyboardLockServiceImpl::KeyboardLockServiceImpl(
-    RenderFrameHost* render_frame_host)
-    : web_contents_(WebContents::FromRenderFrameHost(render_frame_host)) {
-  DCHECK(web_contents_);
+    RenderFrameHost* render_frame_host,
+    blink::mojom::KeyboardLockServiceRequest request)
+    : FrameServiceBase(render_frame_host, std::move(request)),
+      render_frame_host_(static_cast<RenderFrameHostImpl*>(render_frame_host)) {
+  DCHECK(render_frame_host_);
 }
 
-KeyboardLockServiceImpl::~KeyboardLockServiceImpl() = default;
-
 // static
 void KeyboardLockServiceImpl::CreateMojoService(
     RenderFrameHost* render_frame_host,
     blink::mojom::KeyboardLockServiceRequest request) {
-  mojo::MakeStrongBinding(
-      std::make_unique<KeyboardLockServiceImpl>(render_frame_host),
-      std::move(request));
+  DCHECK(render_frame_host);
+
+  // The object is bound to the lifetime of |render_frame_host| and the mojo
+  // connection. See FrameServiceBase for details.
+  new KeyboardLockServiceImpl(render_frame_host, std::move(request));
 }
 
 void KeyboardLockServiceImpl::RequestKeyboardLock(
@@ -41,4 +44,6 @@ void KeyboardLockServiceImpl::CancelKeyboardLock() {
   // TODO(zijiehe): Implementation required.
 }
 
+KeyboardLockServiceImpl::~KeyboardLockServiceImpl() = default;
+
 }  // namespace content
diff --git a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h
index e217d71c8ea..aebca742063 100644
--- a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h
+++ b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h
@@ -9,19 +9,21 @@
 #include <vector>
 
 #include "content/common/content_export.h"
+#include "content/public/browser/frame_service_base.h"
 #include "mojo/public/cpp/bindings/strong_binding.h"
 #include "third_party/WebKit/public/platform/modules/keyboard_lock/keyboard_lock.mojom.h"
 
 namespace content {
 
 class RenderFrameHost;
+class RenderFrameHostImpl;
 class WebContents;
 
-class CONTENT_EXPORT KeyboardLockServiceImpl
-    : public blink::mojom::KeyboardLockService {
+class CONTENT_EXPORT KeyboardLockServiceImpl final
+    : public FrameServiceBase<blink::mojom::KeyboardLockService> {
  public:
-  explicit KeyboardLockServiceImpl(RenderFrameHost* render_frame_host);
-  ~KeyboardLockServiceImpl() override;
+  KeyboardLockServiceImpl(RenderFrameHost* render_frame_host,
+                          blink::mojom::KeyboardLockServiceRequest request);
 
   static void CreateMojoService(
       RenderFrameHost* render_frame_host,
@@ -33,7 +35,10 @@ class CONTENT_EXPORT KeyboardLockServiceImpl
   void CancelKeyboardLock() override;
 
  private:
-  WebContents* const web_contents_;
+  // |this| can only be destroyed by FrameServiceBase.
+  ~KeyboardLockServiceImpl() override;
+
+  RenderFrameHostImpl* const render_frame_host_;
 };
 
 }  // namespace
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-10-29 12:55:06 +0100
committer	Michael Brüning <michael.bruning@qt.io>	2018-11-05 15:37:21 +0000
commit	f428bbce2a8f33801b92c6bb87203afb7ad6701c (patch)
tree	63a0e190153ae3bd05bf784885f25c541368aa9c
parent	5d514fa9baf044e77594471e1dce04e7c93e83cd (diff)