|
@@ -4,15 +4,15 @@ Subject: Block gateway attacks via websockets
|
|
|
|
|
|
---
|
|
|
.../renderer/core/loader/base_fetch_context.h | 1 +
|
|
|
- .../core/loader/frame_fetch_context.cc | 20 ++++++++++++++
|
|
|
+ .../core/loader/frame_fetch_context.cc | 20 +++++++++++++
|
|
|
.../core/loader/frame_fetch_context.h | 1 +
|
|
|
- .../core/loader/worker_fetch_context.cc | 21 +++++++++++++++
|
|
|
+ .../core/loader/worker_fetch_context.cc | 21 ++++++++++++++
|
|
|
.../core/loader/worker_fetch_context.h | 1 +
|
|
|
- .../background_fetch_manager.cc | 2 --
|
|
|
+ .../background_fetch_manager.cc | 4 +--
|
|
|
.../websockets/websocket_channel_impl.cc | 5 ++++
|
|
|
- .../modules/websockets/websocket_common.cc | 27 +++++++++++++++++++
|
|
|
+ .../modules/websockets/websocket_common.cc | 29 +++++++++++++++++++
|
|
|
.../modules/websockets/websocket_common.h | 4 +++
|
|
|
- 9 files changed, 80 insertions(+), 2 deletions(-)
|
|
|
+ 9 files changed, 84 insertions(+), 2 deletions(-)
|
|
|
|
|
|
diff --git a/third_party/blink/renderer/core/loader/base_fetch_context.h b/third_party/blink/renderer/core/loader/base_fetch_context.h
|
|
|
--- a/third_party/blink/renderer/core/loader/base_fetch_context.h
|
|
@@ -118,15 +118,19 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.h b/thi
|
|
|
diff --git a/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc b/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
|
|
--- a/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
|
|
+++ b/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
|
|
-@@ -104,7 +104,6 @@ bool ShouldBlockDanglingMarkup(const KURL& request_url) {
|
|
|
+@@ -104,9 +104,10 @@ bool ShouldBlockDanglingMarkup(const KURL& request_url) {
|
|
|
|
|
|
bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
|
|
const KURL& request_url) {
|
|
|
- if (RuntimeEnabledFeatures::CorsRFC1918Enabled()) {
|
|
|
network::mojom::IPAddressSpace requestor_space =
|
|
|
execution_context->AddressSpace();
|
|
|
++ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
|
|
++ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
|
|
|
|
|
-@@ -121,7 +120,6 @@ bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
|
|
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
|
|
+ // all this up to //net and //content in order to have any real impact on
|
|
|
+@@ -121,7 +122,6 @@ bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
|
|
bool is_external_request = requestor_space > target_space;
|
|
|
if (is_external_request)
|
|
|
return true;
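Review bot: The `kUnknown` to `kPublic` remap added at the top of `ShouldBlockGateWayAttacks` carries no comment, yet the verdict further down is the ordinal comparison `requestor_space > target_space`, so the reason for the remap is invisible to the next reader. I would add `// An unknown requestor space is treated as public, the least trusted space, so it is still refused private and local targets.` above the `if`, and note next to the comparison that it relies on the declaration order of `IPAddressSpace`. The same two lines are added again in the `websocket_common.cc` hunk of this patch; a single shared helper would keep the two call sites from drifting apart. As the TODO already says, only literal IP hosts are classified, so a hostname that resolves to a reserved address is not caught here and the check should not be read as the complete defence. The function body starts and ends outside the hunk.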
|
|
@@ -152,7 +156,7 @@ diff --git a/third_party/blink/renderer/modules/websockets/websocket_channel_imp
|
|
|
diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.cc b/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
|
|
--- a/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
|
|
+++ b/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
|
|
-@@ -124,9 +124,36 @@ WebSocketCommon::ConnectResult WebSocketCommon::Connect(
|
|
|
+@@ -124,9 +124,38 @@ WebSocketCommon::ConnectResult WebSocketCommon::Connect(
|
|
|
return ConnectResult::kException;
|
|
|
}
|
|
|
|
|
@@ -172,6 +176,8 @@ diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.cc b
|
|
|
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
|
|
+ // all this up to //net and //content in order to have any real impact on
|
|
|
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
|
|
|
++ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
|
|
++ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
|
|
+ network::mojom::IPAddressSpace target_space =
|
|
|
+ network::mojom::IPAddressSpace::kPublic;
|
|
|
+ if (network_utils::IsReservedIPAddress(request_url.Host()))
|