Disallow launching unknown apps via browser client.

CVE-2018-1000006

atom/app/atom_library_main.h

@@ -10,7 +10,7 @@
 #if defined(OS_MACOSX)
 extern "C" {
 __attribute__((visibility("default")))
-int AtomMain(int argc, const char* argv[]);
+int AtomMain(int argc, char* argv[]);
 
 __attribute__((visibility("default")))
 int AtomInitializeICUandStartNode(int argc, char *argv[]);

atom/app/atom_library_main.mm

@@ -15,11 +15,11 @@
 #include "content/public/app/content_main.h"
 
 #if defined(OS_MACOSX)
-int AtomMain(int argc, const char* argv[]) {
+int AtomMain(int argc, char* argv[]) {
   atom::AtomMainDelegate delegate;
   content::ContentMainParams params(&delegate);
   params.argc = argc;
-  params.argv = argv;
+  params.argv = const_cast<const char**>(argv);
   atom::AtomCommandLine::Init(argc, argv);
   return content::ContentMain(params);
 }

atom/app/atom_main.cc

@@ -4,7 +4,8 @@
 
 #include "atom/app/atom_main.h"
 
-#include <stdlib.h>
+#include <cstdlib>
+#include <vector>
 
 #if defined(OS_WIN)
 #include <windows.h>  // windows.h must be included first
@@ -15,9 +16,11 @@
 #include <tchar.h>
 
 #include "atom/app/atom_main_delegate.h"
+#include "atom/app/command_line_args.h"
 #include "atom/common/crash_reporter/win/crash_service_main.h"
 #include "base/environment.h"
 #include "base/process/launch.h"
+#include "base/strings/utf_string_conversions.h"
 #include "base/win/windows_version.h"
 #include "content/public/app/sandbox_helper_win.h"
 #include "sandbox/win/src/sandbox_types.h"
@@ -52,18 +55,23 @@ bool IsEnvSet(const char* name) {
 
 #if defined(OS_WIN)
 int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t* cmd, int) {
-  int argc = 0;
-  wchar_t** wargv = ::CommandLineToArgvW(::GetCommandLineW(), &argc);
+  struct Arguments {
+    int argc = 0;
+    wchar_t** argv = ::CommandLineToArgvW(::GetCommandLineW(), &argc);
 
-  bool run_as_node = IsEnvSet(kRunAsNode);
+    ~Arguments() { LocalFree(argv); }
+  } arguments;
+
+  if (!arguments.argv)
+    return -1;
 
 #ifdef _DEBUG
   // Don't display assert dialog boxes in CI test runs
   static const auto kCI = "ELECTRON_CI";
   bool is_ci = IsEnvSet(kCI);
   if (!is_ci) {
-    for (int i = 0; i < argc; ++i) {
-      if (!_wcsicmp(wargv[i], L"--ci")) {
+    for (int i = 0; i < arguments.argc; ++i) {
+      if (!_wcsicmp(arguments.argv[i], L"--ci")) {
         is_ci = true;
         _putenv_s(kCI, "1");  // set flag for child processes
         break;
@@ -81,44 +89,12 @@ int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t* cmd, int) {
   }
 #endif
 
+  bool run_as_node = IsEnvSet(kRunAsNode);
+
   // Make sure the output is printed to console.
   if (run_as_node || !IsEnvSet("ELECTRON_NO_ATTACH_CONSOLE"))
     base::RouteStdioToConsole(false);
 
-  // Convert argv to to UTF8
-  char** argv = new char*[argc];
-  for (int i = 0; i < argc; i++) {
-    // Compute the size of the required buffer
-    DWORD size = WideCharToMultiByte(CP_UTF8,
-                                     0,
-                                     wargv[i],
-                                     -1,
-                                     NULL,
-                                     0,
-                                     NULL,
-                                     NULL);
-    if (size == 0) {
-      // This should never happen.
-      fprintf(stderr, "Could not convert arguments to utf8.");
-      exit(1);
-    }
-    // Do the actual conversion
-    argv[i] = new char[size];
-    DWORD result = WideCharToMultiByte(CP_UTF8,
-                                       0,
-                                       wargv[i],
-                                       -1,
-                                       argv[i],
-                                       size,
-                                       NULL,
-                                       NULL);
-    if (result == 0) {
-      // This should never happen.
-      fprintf(stderr, "Could not convert arguments to utf8.");
-      exit(1);
-    }
-  }
-
 #ifndef DEBUG
   // Chromium has its own TLS subsystem which supports automatic destruction
   // of thread-local data, and also depends on memory allocation routines
@@ -139,14 +115,23 @@ int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t* cmd, int) {
 #endif
 
   if (run_as_node) {
-    // Now that argv conversion is done, we can finally start.
+    std::vector<char*> argv(arguments.argc);
+    std::transform(
+        arguments.argv, arguments.argv + arguments.argc, argv.begin(),
+        [](auto& a) { return _strdup(base::WideToUTF8(a).c_str()); });
+
     base::AtExitManager atexit_manager;
     base::i18n::InitializeICU();
-    return atom::NodeMain(argc, argv);
+    auto ret = atom::NodeMain(argv.size(), argv.data());
+    std::for_each(argv.begin(), argv.end(), free);
+    return ret;
   } else if (IsEnvSet("ELECTRON_INTERNAL_CRASH_SERVICE")) {
     return crash_service::Main(cmd);
   }
 
+  if (!atom::CheckCommandLineArguments(arguments.argc, arguments.argv))
+    return -1;
+
   sandbox::SandboxInterfaceInfo sandbox_info = {0};
   content::InitializeSandboxInfo(&sandbox_info);
   atom::AtomMainDelegate delegate;
@@ -154,33 +139,32 @@ int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t* cmd, int) {
   content::ContentMainParams params(&delegate);
   params.instance = instance;
   params.sandbox_info = &sandbox_info;
-  atom::AtomCommandLine::Init(argc, argv);
-  atom::AtomCommandLine::InitW(argc, wargv);
+  atom::AtomCommandLine::Init(arguments.argc, arguments.argv);
   return content::ContentMain(params);
 }
 
 #elif defined(OS_LINUX)  // defined(OS_WIN)
 
-int main(int argc, const char* argv[]) {
+int main(int argc, char* argv[]) {
   if (IsEnvSet(kRunAsNode)) {
     base::i18n::InitializeICU();
     base::AtExitManager atexit_manager;
-    return atom::NodeMain(argc, const_cast<char**>(argv));
+    return atom::NodeMain(argc, argv);
   }
 
   atom::AtomMainDelegate delegate;
   content::ContentMainParams params(&delegate);
   params.argc = argc;
-  params.argv = argv;
+  params.argv = const_cast<const char**>(argv);
   atom::AtomCommandLine::Init(argc, argv);
   return content::ContentMain(params);
 }
 
 #else  // defined(OS_LINUX)
 
-int main(int argc, const char* argv[]) {
+int main(int argc, char* argv[]) {
   if (IsEnvSet(kRunAsNode)) {
-    return AtomInitializeICUandStartNode(argc, const_cast<char**>(argv));
+    return AtomInitializeICUandStartNode(argc, argv);
   }
 
   return AtomMain(argc, argv);

atom/app/command_line_args.h

@@ -0,0 +1,17 @@
+// Copyright (c) 2018 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef ATOM_APP_COMMAND_LINE_ARGS_H_
+#define ATOM_APP_COMMAND_LINE_ARGS_H_
+
+#include "base/command_line.h"
+
+namespace atom {
+
+bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv);
+
+}  // namespace atom
+
+#endif  // ATOM_APP_COMMAND_LINE_ARGS_H_
+