WebKit Bugzilla
Attachment 341784 Details for Bug 186208: Add an option to restrict communication to localhost sockets
Patch: bug-186208-20180601134840.patch (text/plain), 11.65 KB, created by youenn fablet on 2018-06-01 13:48:40 PDT
>Subversion Revision: 232334 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 5235b548e3020c2b1830629a743080fc92195fbc..0aaa60b78ce9b6aadfff835ac97af6f18e9bce6d 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,18 @@ >+2018-06-01 Youenn Fablet <youenn@apple.com> >+ >+ Add an option to restrict communication to localhost sockets >+ https://bugs.webkit.org/show_bug.cgi?id=186208 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Covered by existing tests. >+ Add an option in LibWebRTCProvider to restrict to localhost sockets. >+ Use that option when Internals is used. >+ >+ * platform/mediastream/libwebrtc/LibWebRTCProvider.h: >+ * testing/Internals.cpp: >+ (WebCore::Internals::resetToConsistentState): >+ > 2018-05-31 Youenn Fablet <youenn@apple.com> > > ServiceWorker registration should store any script fetched through importScripts >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index b21b5ea0cc20b0b2eca6720f278b795fc72f0a59..2eead6d5cd9b02594db6aa0f785f1cd4e2edac55 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,26 @@ >+2018-06-01 Youenn Fablet <youenn@apple.com> >+ >+ Add an option to restrict communication to localhost sockets >+ https://bugs.webkit.org/show_bug.cgi?id=186208 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Implement restriction to localhost sockets by setting any IP address to 127.0.0.1. >+ This is done on WebProcess side just before requesting to open the socket by NetworkProcess. >+ >+ * WebProcess/Network/webrtc/LibWebRTCNetwork.h: >+ (WebKit::LibWebRTCNetwork::disableNonLocalhostConnections): >+ * WebProcess/Network/webrtc/LibWebRTCProvider.cpp: >+ (WebKit::LibWebRTCProvider::disableNonLocalhostConnections): >+ (WebKit::LibWebRTCProvider::registerMDNSName): >+ * WebProcess/Network/webrtc/LibWebRTCProvider.h: >+ * WebProcess/Network/webrtc/LibWebRTCSocketFactory.cpp: >+ (WebKit::prepareSocketAddress): >+ (WebKit::LibWebRTCSocketFactory::CreateServerTcpSocket): >+ (WebKit::LibWebRTCSocketFactory::CreateUdpSocket): >+ (WebKit::LibWebRTCSocketFactory::CreateClientTcpSocket): >+ * WebProcess/Network/webrtc/LibWebRTCSocketFactory.h: >+ > 2018-05-31 Youenn Fablet <youenn@apple.com> > > ServiceWorker registration should store any script fetched through importScripts >diff --git a/Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.h b/Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.h >index 2864f8d40aa6e81489d1fc7891f9630aeefcbcfa..553ba6c0971b7863c48bd795b6fbc3b0ee44a8e0 100644 >--- a/Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.h >+++ b/Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.h >@@ -107,6 +107,8 @@ public: > void disableEnumeratingAllNetworkInterfaces() { m_enableEnumeratingAllNetworkInterfaces = false; } > void enableEnumeratingAllNetworkInterfaces() { m_enableEnumeratingAllNetworkInterfaces = true; } > >+ virtual void disableNonLocalhostConnections() { }; >+ > protected: > LibWebRTCProvider() = default; 
> >diff --git a/Source/WebCore/testing/Internals.cpp b/Source/WebCore/testing/Internals.cpp >index 18da49eb8e220156a8b9e08c485d09c25bbe9e43..825c9f054bdb0929c05d5aebc5fa1f69c1bc2569 100644 >--- a/Source/WebCore/testing/Internals.cpp >+++ b/Source/WebCore/testing/Internals.cpp >@@ -493,7 +493,9 @@ void Internals::resetToConsistentState(Page& page) > printContextForTesting() = nullptr; > > #if USE(LIBWEBRTC) >- WebCore::useRealRTCPeerConnectionFactory(page.libWebRTCProvider()); >+ auto& rtcProvider = page.libWebRTCProvider(); >+ WebCore::useRealRTCPeerConnectionFactory(rtcProvider); >+ rtcProvider.disableNonLocalhostConnections(); > #endif > > page.settings().setStorageAccessAPIEnabled(false); >diff --git a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCNetwork.h b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCNetwork.h >index 72d42ea04df85658b3ca6c36cad7f87fcc4f140e..375b260471c7864e468ead40944f711ddf992383 100644 >--- a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCNetwork.h >+++ b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCNetwork.h >@@ -44,6 +44,8 @@ public: > WebRTCMonitor& monitor() { return m_webNetworkMonitor; } > LibWebRTCSocketFactory& socketFactory() { return m_socketFactory; } > >+ void disableNonLocalhostConnections() { socketFactory().disableNonLocalhostConnections(); } >+ > WebRTCSocket socket(uint64_t identifier) { return WebRTCSocket(socketFactory(), identifier); } > WebRTCResolver resolver(uint64_t identifier) { return WebRTCResolver(socketFactory(), identifier); } > #endif >diff --git a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.cpp b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.cpp >index 8910bcbe535a369d08eed884d1dd445c048cb357..5c5fef5e2f526f57e480304d5bf7731a96b1f585 100644 >--- a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.cpp >+++ b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.cpp 
>@@ -41,12 +41,17 @@ rtc::scoped_refptr<webrtc::PeerConnectionInterface> LibWebRTCProvider::createPee > return WebCore::LibWebRTCProvider::createPeerConnection(observer, WebProcess::singleton().libWebRTCNetwork().monitor(), WebProcess::singleton().libWebRTCNetwork().socketFactory(), WTFMove(configuration)); > } > >+void LibWebRTCProvider::disableNonLocalhostConnections() >+{ >+ WebProcess::singleton().libWebRTCNetwork().disableNonLocalhostConnections(); >+} >+ > void LibWebRTCProvider::unregisterMDNSNames(uint64_t documentIdentifier) > { > WebProcess::singleton().libWebRTCNetwork().mdnsRegister().unregisterMDNSNames(documentIdentifier); > } > >- void LibWebRTCProvider::registerMDNSName(PAL::SessionID sessionID, uint64_t documentIdentifier, const String& ipAddress, CompletionHandler<void(MDNSNameOrError&&)>&& callback) >+void LibWebRTCProvider::registerMDNSName(PAL::SessionID sessionID, uint64_t documentIdentifier, const String& ipAddress, CompletionHandler<void(MDNSNameOrError&&)>&& callback) > { > WebProcess::singleton().libWebRTCNetwork().mdnsRegister().registerMDNSName(sessionID, documentIdentifier, ipAddress, WTFMove(callback)); > } >diff --git a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.h b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.h >index 580362f10b4bec89c499661c98f85dbab80c6a53..e32ae4f2207bd8e6baffde1888e3e1656e5f07ab 100644 >--- a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.h >+++ b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCProvider.h >@@ -51,6 +51,7 @@ private: > void unregisterMDNSNames(uint64_t documentIdentifier) final; > void registerMDNSName(PAL::SessionID, uint64_t documentIdentifier, const String& ipAddress, CompletionHandler<void(MDNSNameOrError&&)>&&) final; > void resolveMDNSName(PAL::SessionID, const String& name, CompletionHandler<void(IPAddressOrError&&)>&&) final; >+ void disableNonLocalhostConnections() final; > }; > #else > using LibWebRTCProvider = WebCore::LibWebRTCProvider; 
>diff --git a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.cpp b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.cpp >index f44efdb6283ca0b0a055c85c10dde73383493b93..d778d577ea8efc1b356df1d7c017ecdf3188106a 100644 >--- a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.cpp >+++ b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.cpp >@@ -40,12 +40,20 @@ namespace WebKit { > uint64_t LibWebRTCSocketFactory::s_uniqueSocketIdentifier = 0; > uint64_t LibWebRTCSocketFactory::s_uniqueResolverIdentifier = 0; > >+static inline rtc::SocketAddress prepareSocketAddress(const rtc::SocketAddress& address, bool disableNonLocalhostConnections) >+{ >+ auto result = RTCNetwork::isolatedCopy(address); >+ if (disableNonLocalhostConnections) >+ result.SetIP("127.0.0.1"); >+ return result; >+} >+ > rtc::AsyncPacketSocket* LibWebRTCSocketFactory::CreateServerTcpSocket(const rtc::SocketAddress& address, uint16_t minPort, uint16_t maxPort, int options) > { > auto socket = std::make_unique<LibWebRTCSocket>(*this, ++s_uniqueSocketIdentifier, LibWebRTCSocket::Type::ServerTCP, address, rtc::SocketAddress()); > m_sockets.set(socket->identifier(), socket.get()); > >- callOnMainThread([identifier = socket->identifier(), address = RTCNetwork::isolatedCopy(address), minPort, maxPort, options]() { >+ callOnMainThread([identifier = socket->identifier(), address = prepareSocketAddress(address, m_disableNonLocalhostConnections), minPort, maxPort, options]() { > if (!WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkRTCProvider::CreateServerTCPSocket(identifier, RTCNetwork::SocketAddress(address), minPort, maxPort, options), 0)) { > // FIXME: Set error back to socket > return; 
>@@ -61,7 +69,7 @@ rtc::AsyncPacketSocket* LibWebRTCSocketFactory::CreateUdpSocket(const rtc::Socke > auto socket = std::make_unique<LibWebRTCSocket>(*this, ++s_uniqueSocketIdentifier, LibWebRTCSocket::Type::UDP, address, rtc::SocketAddress()); > m_sockets.set(socket->identifier(), socket.get()); > >- callOnMainThread([identifier = socket->identifier(), address = RTCNetwork::isolatedCopy(address), minPort, maxPort]() { >+ callOnMainThread([identifier = socket->identifier(), address = prepareSocketAddress(address, m_disableNonLocalhostConnections), minPort, maxPort]() { > if (!WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkRTCProvider::CreateUDPSocket(identifier, RTCNetwork::SocketAddress(address), minPort, maxPort), 0)) { > // FIXME: Set error back to socket > return; >@@ -76,7 +84,7 @@ rtc::AsyncPacketSocket* LibWebRTCSocketFactory::CreateClientTcpSocket(const rtc: > socket->setState(LibWebRTCSocket::STATE_CONNECTING); > m_sockets.set(socket->identifier(), socket.get()); > >- callOnMainThread([identifier = socket->identifier(), localAddress = RTCNetwork::isolatedCopy(localAddress), remoteAddress = RTCNetwork::isolatedCopy(remoteAddress), options]() { >+ callOnMainThread([identifier = socket->identifier(), localAddress = prepareSocketAddress(localAddress, m_disableNonLocalhostConnections), remoteAddress = prepareSocketAddress(remoteAddress, m_disableNonLocalhostConnections), options]() { > if (!WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkRTCProvider::CreateClientTCPSocket(identifier, RTCNetwork::SocketAddress(localAddress), RTCNetwork::SocketAddress(remoteAddress), options), 0)) { > // FIXME: Set error back to socket > return; >diff --git a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.h b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.h >index d69d21735f657c57ab69c861588f72362054a770..8da49a3ad6f5b85606a5daf3cd51a147fa990a63 100644 
>--- a/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.h >+++ b/Source/WebKit/WebProcess/Network/webrtc/LibWebRTCSocketFactory.h >@@ -49,6 +49,8 @@ public: > > rtc::AsyncPacketSocket* createNewConnectionSocket(LibWebRTCSocket&, uint64_t newConnectionSocketIdentifier, const rtc::SocketAddress&); > >+ void disableNonLocalhostConnections() { m_disableNonLocalhostConnections = true; } >+ > private: > rtc::AsyncPacketSocket* CreateUdpSocket(const rtc::SocketAddress&, uint16_t minPort, uint16_t maxPort) final; > rtc::AsyncPacketSocket* CreateServerTcpSocket(const rtc::SocketAddress&, uint16_t min_port, uint16_t max_port, int options) final; >@@ -62,6 +64,7 @@ private: > // We can own resolvers as we control their Destroy method. > HashMap<uint64_t, std::unique_ptr<LibWebRTCResolver>> m_resolvers; > static uint64_t s_uniqueResolverIdentifier; >+ bool m_disableNonLocalhostConnections { false }; > }; > > } // namespace WebKit
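Review bot: The Source/WebKit/ChangeLog entry states that the rewrite to 127.0.0.1 is done on the WebProcess side just before the request reaches NetworkProcess, so NetworkProcess itself still opens whatever address it is sent. That is fine for an option driven from Internals, but the entry (or a comment on prepareSocketAddress) should say this is a testing aid and not an enforcement point, so nobody later relies on it as a restriction against an untrusted WebProcess.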
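Review bot: In Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCProvider.h, `virtual void disableNonLocalhostConnections() { };` has a stray semicolon after the body and no comment saying what the override is expected to do. Unlike the disableEnumeratingAllNetworkInterfaces/enableEnumeratingAllNetworkInterfaces pair directly above it, there is also no call to switch the option back off; drop the semicolon and either add the matching enable method or document that the switch is intentionally one-way.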
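Review bot: In Internals::resetToConsistentState the new `rtcProvider.disableNonLocalhostConnections();` is called on one page's provider, but the WebKit override forwards to WebProcess::singleton().libWebRTCNetwork(), so the flag is process-wide and is never cleared. Every page sharing that WebProcess gets loopback-only sockets once any Internals object has been reset; a short comment at this call site saying the effect is per-process and permanent would keep that from surprising whoever debugs a WebRTC test later.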
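Review bot: prepareSocketAddress in LibWebRTCSocketFactory.cpp calls `result.SetIP("127.0.0.1")` for every input, so an IPv6 address comes out as IPv4 loopback and the address family changes underneath the caller. In the same hunk the LibWebRTCSocket is still constructed from the original `address`, so the local address the socket object holds can differ from the one NetworkProcess is asked to bind. Pick the loopback that matches the family of the incoming address, or document that the option assumes IPv4 only, and consider passing the rewritten address to the socket as well.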
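Review bot: In the CreateClientTcpSocket hunk, `remoteAddress = prepareSocketAddress(remoteAddress, m_disableNonLocalhostConnections)` means a connection aimed at a non-loopback peer is not refused but silently sent to 127.0.0.1 on the same port. The name disableNonLocalhostConnections reads as "reject", so either fail the socket for non-loopback remotes (the existing FIXME about setting an error back to the socket is the natural place) or add a comment, or a rename, that makes the redirect behaviour explicit.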
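Review bot: In LibWebRTCSocketFactory.h, `bool m_disableNonLocalhostConnections { false };` is a plain bool written by disableNonLocalhostConnections() (reached from Internals) and read in the lambda capture initializers of the Create*Socket methods, which are evaluated on the calling thread before callOnMainThread hops. The isolatedCopy and callOnMainThread pattern suggests those callers are not on the main thread, so this looks like an unsynchronized cross-thread read; make the member std::atomic<bool> or add a comment stating which thread is allowed to set and read it.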