src/plugin/AdblockPlusClient.cpp - Issue 6308231068516352: Fix issues with security tokens (Enhanced Protected Mode, Protected Mode etc)

Side by Side Diff: src/plugin/AdblockPlusClient.cpp

Issue 6308231068516352: Fix issues with security tokens (Enhanced Protected Mode, Protected Mode etc) (Closed)

Patch Set: Created Nov. 15, 2013, 7:22 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
1 #include "PluginStdAfx.h"	1 #include "PluginStdAfx.h"

2 #include "PluginSettings.h"	2 #include "PluginSettings.h"

3 #include "PluginSystem.h"	3 #include "PluginSystem.h"

4 #include "PluginFilter.h"	4 #include "PluginFilter.h"

5 #include "PluginClientFactory.h"	5 #include "PluginClientFactory.h"

6 #include "PluginMutex.h"	6 #include "PluginMutex.h"

7 #include "PluginClass.h"	7 #include "PluginClass.h"

8	8

9 #include "AdblockPlusClient.h"	9 #include "AdblockPlusClient.h"

10	10

(...skipping 26 matching lines...) Expand all Loading...
37 else	37 else

38 {	38 {

39 throw std::runtime_error("Out of memory");	39 throw std::runtime_error("Out of memory");

40 }	40 }

41 }	41 }

42	42

43 BOOL createProcRes = 0;	43 BOOL createProcRes = 0;

44 // Running inside AppContainer?	44 // Running inside AppContainer?

45 if (acs != NULL && acs->TokenAppContainer != NULL)	45 if (acs != NULL && acs->TokenAppContainer != NULL)

46 {	46 {

47 // Launch with default security. Registry entry will eat the user prompt	47 // We need to break out from AppContainer. Launch with default security - registry entry will eat the user prompt

48 // See http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#wpm_ elebp	48 // See http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#wpm_ elebp

49 LPWSTR stringSid;

50 ConvertSidToStringSidW(acs->TokenAppContainer, &stringSid);

51 params.Append(L" ");

52 params.Append(stringSid);

53 LocalFree(stringSid);

54 createProcRes = CreateProcessW(engineExecutablePath.c_str(), params.GetBuf fer(params.GetLength() + 1),	49 createProcRes = CreateProcessW(engineExecutablePath.c_str(), params.GetBuf fer(params.GetLength() + 1),

55 0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);	50 0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);

56 }	51 }

57 else	52 else
	Felix Dahlke 2013/12/10 16:46:36 This happens if the engine is first started from b This happens if the engine is first started from bing.com, right? Oleksandr 2014/03/04 10:40:05 yes. bing.com (or any other website from the excep yes. bing.com (or any other website from the exceptions list) or just not in Enhanced Protected Mode. On 2013/12/10 16:46:36, Felix H. Dahlke wrote: Show quoted text > This happens if the engine is first started from http://bing.com, right?
58 {	53 {

59 // Launch with the same security token (Low Integrity) explicitly	54 // Launch with Low Integrity explicitly

60 HANDLE newToken;	55 HANDLE newToken;

61 DuplicateTokenEx(token, 0, 0, SecurityImpersonation, TokenPrimary, &newTok en);	56 DuplicateTokenEx(token, 0, 0, SecurityImpersonation, TokenPrimary, &newTok en);

62	57

	58 PSID pIntegritySid = 0;
	Felix Dahlke 2013/12/10 16:46:36 Less Hungarian please :D Less Hungarian please :D
	59 BOOL res = ConvertStringSidToSid(L"S-1-16-4096", &pIntegritySid);
	Felix Dahlke 2013/12/10 16:46:36 Since the return value is ignored, there's no need Since the return value is ignored, there's no need to store it.
	60 std::tr1::shared_ptr<SID> sharedIntegritySid(static_cast<SID*>(pIntegrityS id), FreeSid); // Just to simplify cleanup

	61

	62 TOKEN_MANDATORY_LABEL tml = {0};
	Felix Dahlke 2013/12/10 16:46:36 Let's go with {} for consistency's sake. Let's go with {} for consistency's sake.
	63 tml.Label.Attributes = SE_GROUP_INTEGRITY;

	64 tml.Label.Sid = pIntegritySid;

	65

	66 // Set the process integrity level

	67 res = SetTokenInformation(newToken, TokenIntegrityLevel, &tml, sizeof(TOKE N_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
	Felix Dahlke 2013/12/10 16:46:36 As above, no need to store the return value. As above, no need to store the return value.
	68

	69 STARTUPINFO startupInfo = {};

	70 PROCESS_INFORMATION processInformation = {};

	71 BOOL createProcRes = 0;
	Felix Dahlke 2013/12/10 16:46:36 Why redeclare the variable here? This means that w Why redeclare the variable here? This means that when createProcRes is checked further below, it's always 0.
	72

63 createProcRes = CreateProcessAsUserW(newToken, engineExecutablePath.c_str( ), params.GetBuffer(params.GetLength() + 1),	73 createProcRes = CreateProcessAsUserW(newToken, engineExecutablePath.c_str( ), params.GetBuffer(params.GetLength() + 1),

64 0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);	74 0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);

65 }	75 }

66	76

67 if (!createProcRes)	77 if (!createProcRes)

68 {	78 {

69 throw std::runtime_error("Failed to start Adblock Plus Engine");	79 throw std::runtime_error("Failed to start Adblock Plus Engine");

70 }	80 }

71	81

72 CloseHandle(processInformation.hProcess);	82 CloseHandle(processInformation.hProcess);

(...skipping 424 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
497 bool CAdblockPlusClient::TogglePluginEnabled()	507 bool CAdblockPlusClient::TogglePluginEnabled()

498 {	508 {

499 DEBUG_GENERAL("TogglePluginEnabled");	509 DEBUG_GENERAL("TogglePluginEnabled");

500 Communication::InputBuffer response;	510 Communication::InputBuffer response;

501 if (!CallEngine(Communication::PROC_TOGGLE_PLUGIN_ENABLED, response))	511 if (!CallEngine(Communication::PROC_TOGGLE_PLUGIN_ENABLED, response))

502 return false;	512 return false;

503 bool currentEnabledState;	513 bool currentEnabledState;

504 response >> currentEnabledState;	514 response >> currentEnabledState;

505 return currentEnabledState;	515 return currentEnabledState;

506 }	516 }

OLD	NEW

« no previous file with comments | « src/engine/Main.cpp ('k') | src/shared/Communication.cpp » ('j') | src/shared/Communication.cpp » ('J')