0ct0pu5/bromite
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix Block gateway attacks via websockets

Browse source
This commit is contained in:
Carmelo Messina 2022-01-18 17:09:09 +01:00
parent 823997d051
commit b974c19b2e
No known key found for this signature in database
GPG key ID: 968894BE688289FD
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
build/patches/Block-gateway-attacks-via-websockets.patch
View file

@ -4,15 +4,15 @@ Subject: Block gateway attacks via websockets
---
.../renderer/core/loader/base_fetch_context.h | 1 +
.../core/loader/frame_fetch_context.cc | 18 +++++++++++++
.../core/loader/frame_fetch_context.cc | 20 ++++++++++++++
.../core/loader/frame_fetch_context.h | 1 +
.../core/loader/worker_fetch_context.cc | 19 +++++++++++++
.../core/loader/worker_fetch_context.cc | 21 +++++++++++++++
.../core/loader/worker_fetch_context.h | 1 +
.../background_fetch_manager.cc | 2 --
.../websockets/websocket_channel_impl.cc | 5 ++++
.../modules/websockets/websocket_common.cc | 27 +++++++++++++++++++
.../modules/websockets/websocket_common.h | 4 +++
9 files changed, 76 insertions(+), 2 deletions(-)
9 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/third_party/blink/renderer/core/loader/base_fetch_context.h b/third_party/blink/renderer/core/loader/base_fetch_context.h
--- a/third_party/blink/renderer/core/loader/base_fetch_context.h
@ -28,7 +28,7 @@ diff --git a/third_party/blink/renderer/core/loader/base_fetch_context.h b/third
diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/third_party/blink/renderer/core/loader/frame_fetch_context.cc
--- a/third_party/blink/renderer/core/loader/frame_fetch_context.cc
+++ b/third_party/blink/renderer/core/loader/frame_fetch_context.cc
@@ -566,6 +566,24 @@ bool FrameFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
@@ -566,6 +566,26 @@ bool FrameFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
return should_block_request;
}
@ -36,6 +36,8 @@ diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/thi
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
+ // all this up to //net and //content in order to have any real impact on
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
+ network::mojom::IPAddressSpace target_space =
+ network::mojom::IPAddressSpace::kPublic;
+ if (network_utils::IsReservedIPAddress(request_url.Host()))
@ -75,7 +77,7 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.cc b/th
#include "third_party/blink/renderer/platform/runtime_enabled_features.h"
#include "third_party/blink/renderer/platform/supplementable.h"
#include "third_party/blink/renderer/platform/weborigin/security_policy.h"
@@ -90,6 +91,24 @@ bool WorkerFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
@@ -90,6 +91,26 @@ bool WorkerFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
return should_block_request;
}
@ -83,6 +85,8 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.cc b/th
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
+ // all this up to //net and //content in order to have any real impact on
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
+ network::mojom::IPAddressSpace target_space =
+ network::mojom::IPAddressSpace::kPublic;
+ if (network_utils::IsReservedIPAddress(request_url.Host()))