Status: Untriaged Owner: ---- CC: m...@chromium.org, jer...@chromium.org Labels: Type-Bug Pri-2 OS-Mac Area-BrowserBackend Size-Medium
New issue 21483 by m...@chromium.org: Be more careful with USER_HOMEDIR in Mac sandbox
http://code.google.com/p/chromium/issues/detail?id=21483

I found this while looking into what might be happening in bug 21476.

src/chrome/renderer/renderer.sb has:

    ; USER_HOMEDIR is substituted at runtime - http://crbug.com/11269
    (allow file-read-data (regex #"^USER_HOMEDIR/Library/Fonts")) ; 10.6 seed release

The substitution occurs in src/chrome/renderer/renderer_main_platform_delegate_mac.mm:

    sandbox_data = [sandbox_data stringByReplacingOccurrencesOfString:@"USER_HOMEDIR"
                                                           withString:NSHomeDirectory()];

This is bad. We're replacing a string that's used in a regex without checking and escaping characters that have special meanings to a regex parser, like . (period), +, ?, brackets, and parentheses. We're replacing a quoted string without checking that we're not doing something horrible that violates quoting.
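The two failure modes in the report, an unescaped path widening what the regex allows and a quote character breaking the #"..." literal, as an added illustration that is not Chromium code. It models the sandbox rule with Python's re module; the assumption is that the metacharacters at issue here ('.', '+', '?', brackets, parentheses) mean the same thing in the sandbox's regex engine, and the escape_for_profile_regex helper is a hypothetical hardening, not the project's fix.

```python
import re

# Constructed sample: the renderer.sb rule that is rewritten at runtime.
PROFILE_TEMPLATE = '(allow file-read-data (regex #"^USER_HOMEDIR/Library/Fonts"))'


def naive_substitute(template, home):
    """Mirror of stringByReplacingOccurrencesOfString: plain text replace, no escaping."""
    return template.replace("USER_HOMEDIR", home)


def escape_for_profile_regex(home):
    """Hypothetical hardening: make the path match only itself.

    Regex metacharacters are escaped; a path containing a double quote or a
    backslash could terminate or alter the #"..." literal, so it is rejected
    outright rather than guessing at the profile language's quoting rules.
    """
    if '"' in home or "\\" in home:
        raise ValueError("home directory cannot be embedded safely: %r" % home)
    return re.escape(home)


def safe_substitute(template, home):
    return template.replace("USER_HOMEDIR", escape_for_profile_regex(home))


def extract_pattern(profile_line):
    """Pull the regex body back out of (regex #"...") so the rule can be evaluated."""
    m = re.search(r'\(regex #"(.*)"\)', profile_line)
    if m is None:
        raise ValueError("no regex literal found in: %r" % profile_line)
    return m.group(1)


def rule_matches(profile_line, path):
    """Evaluate the rule's regex against a path (assumption: same semantics as the sandbox engine)."""
    return re.search(extract_pattern(profile_line), path) is not None


if __name__ == "__main__":
    # A period in the home directory name turns into "any character":
    # a different user's font directory becomes readable.
    for home, victim in [("/Users/a.b", "/Users/axb/Library/Fonts/x.ttf"),
                         ("/Users/x(1)", "/Users/x1/Library/Fonts/x.ttf")]:
        print(home, "naive:", rule_matches(naive_substitute(PROFILE_TEMPLATE, home), victim),
              "escaped:", rule_matches(safe_substitute(PROFILE_TEMPLATE, home), victim))
    # A quote in the path corrupts the literal; the hardened path refuses it.
    print(naive_substitute(PROFILE_TEMPLATE, '/Users/ev"il'))
    try:
        safe_substitute(PROFILE_TEMPLATE, '/Users/ev"il')
    except ValueError as e:
        print("rejected:", e)
```

The check to carry away: after substituting anything runtime-derived into a profile, feed the resulting line back through a parser and match it against a path you expect to be denied, not only the path you expect to be allowed.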