From f428bbce2a8f33801b92c6bb87203afb7ad6701c Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Mon, 29 Oct 2018 12:55:06 +0100 Subject: [Backport] Fix for security issue 888678 Destroy KeyboardLockServiceImpl instance when RenderFrameHost goes away This CL updates KeyboardLockServiceImpl to release its mojo binding if the RenderFrameHost instance it is linked to is destroyed. Bug: 888678 Change-Id: I96f8e67029389c7c34942d04242fb9bde1f5a0f3 Reviewed-on: https://chromium-review.googlesource.com/1246290 Commit-Queue: Joe Downing Reviewed-by: Daniel Cheng Reviewed-by: Scott Violet Cr-Original-Commit-Position: refs/heads/master@{#594534}(cherry picked from commit 9d46e6e6ca8b9021b2d9f60bc3f3261b8718c616) Reviewed-on: https://chromium-review.googlesource.com/1254503 Reviewed-by: Joe Downing Cr-Commit-Position: refs/branch-heads/3538@{#769} Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811} Reviewed-by: Allan Sandfeld Jensen --- .../keyboard_lock/keyboard_lock_service_impl.cc | 21 +++++++++++++-------- .../keyboard_lock/keyboard_lock_service_impl.h | 15 ++++++++++----- 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc index 49d3535cbdc..74716f7a00f 100644 --- a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc +++ b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.cc @@ -9,25 +9,28 @@ #include "base/memory/ptr_util.h" #include "content/public/browser/render_frame_host.h" +#include "content/browser/frame_host/render_frame_host_impl.h" #include "content/public/browser/web_contents.h" namespace content { KeyboardLockServiceImpl::KeyboardLockServiceImpl( - RenderFrameHost* render_frame_host) - : web_contents_(WebContents::FromRenderFrameHost(render_frame_host)) { - DCHECK(web_contents_); + RenderFrameHost* render_frame_host, + blink::mojom::KeyboardLockServiceRequest request) + : FrameServiceBase(render_frame_host, std::move(request)), + render_frame_host_(static_cast(render_frame_host)) { + DCHECK(render_frame_host_); } -KeyboardLockServiceImpl::~KeyboardLockServiceImpl() = default; - // static void KeyboardLockServiceImpl::CreateMojoService( RenderFrameHost* render_frame_host, blink::mojom::KeyboardLockServiceRequest request) { - mojo::MakeStrongBinding( - std::make_unique(render_frame_host), - std::move(request)); + DCHECK(render_frame_host); + + // The object is bound to the lifetime of |render_frame_host| and the mojo + // connection. See FrameServiceBase for details. + new KeyboardLockServiceImpl(render_frame_host, std::move(request)); } void KeyboardLockServiceImpl::RequestKeyboardLock( @@ -41,4 +44,6 @@ void KeyboardLockServiceImpl::CancelKeyboardLock() { // TODO(zijiehe): Implementation required. } +KeyboardLockServiceImpl::~KeyboardLockServiceImpl() = default; + } // namespace content diff --git a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h index e217d71c8ea..aebca742063 100644 --- a/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h +++ b/chromium/content/browser/keyboard_lock/keyboard_lock_service_impl.h @@ -9,19 +9,21 @@ #include #include "content/common/content_export.h" +#include "content/public/browser/frame_service_base.h" #include "mojo/public/cpp/bindings/strong_binding.h" #include "third_party/WebKit/public/platform/modules/keyboard_lock/keyboard_lock.mojom.h" namespace content { class RenderFrameHost; +class RenderFrameHostImpl; class WebContents; -class CONTENT_EXPORT KeyboardLockServiceImpl - : public blink::mojom::KeyboardLockService { +class CONTENT_EXPORT KeyboardLockServiceImpl final + : public FrameServiceBase { public: - explicit KeyboardLockServiceImpl(RenderFrameHost* render_frame_host); - ~KeyboardLockServiceImpl() override; + KeyboardLockServiceImpl(RenderFrameHost* render_frame_host, + blink::mojom::KeyboardLockServiceRequest request); static void CreateMojoService( RenderFrameHost* render_frame_host, @@ -33,7 +35,10 @@ class CONTENT_EXPORT KeyboardLockServiceImpl void CancelKeyboardLock() override; private: - WebContents* const web_contents_; + // |this| can only be destroyed by FrameServiceBase. + ~KeyboardLockServiceImpl() override; + + RenderFrameHostImpl* const render_frame_host_; }; } // namespace -- cgit v1.2.3