162906 2016-10-04 09:04:24 -0700 [SOUP] Remove SSLPolicyFlags from SoupNetworkSession 2016-11-05 04:16:59 -0700 1 1 1 Unclassified WebKit Platform WebKit Local Build Unspecified Unspecified RESOLVED FIXED Gtk, Soup P2 Normal --- 1 cgarcia webkit-unassigned berto bugs-noreply commit-queue danw gustavo ivlev.igor mcatanzaro mrobinson oldest_to_newest 1236198 0 cgarcia 2016-10-04 09:04:24 -0700 All soup based ports are setting SSLUseSystemCAFile flag unconditionally, so we can just use that when creating the session like we do for all other construct parameters. 1236199 1 290604 cgarcia 2016-10-04 09:06:28 -0700 Created attachment 290604 Patch 1236215 2 290604 commit-queue 2016-10-04 09:56:11 -0700 Comment on attachment 290604 Patch Clearing flags on attachment: 290604 Committed r206772: <http://trac.webkit.org/changeset/206772> 1236216 3 commit-queue 2016-10-04 09:56:15 -0700 All reviewed patches have been landed. Closing bug. 1248469 4 ivlev.igor 2016-11-05 03:10:12 -0700 Hi Carlos, this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and removing setSSLPolicy, so is it possible for a user to set it back to TRUE later? If not, does it look like a security issue? Thanks! 1248471 5 cgarcia 2016-11-05 03:59:49 -0700 (In reply to comment #4) > Hi Carlos, > > this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and > removing setSSLPolicy, so is it possible for a user to set it back to TRUE > later? > If not, does it look like a security issue? > > Thanks! What user do you mean? All users of that API (GTK+ and EFL ports) were setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this patch. WE have always set that to FALSE, because we handle SSL errors ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE. 1248472 6 ivlev.igor 2016-11-05 04:16:59 -0700 (In reply to comment #5) > (In reply to comment #4) > > Hi Carlos, > > > > this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and > > removing setSSLPolicy, so is it possible for a user to set it back to TRUE > > later? > > If not, does it look like a security issue? > > > > Thanks! > > What user do you mean? All users of that API (GTK+ and EFL ports) were > setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets > SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this > patch. WE have always set that to FALSE, because we handle SSL errors > ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an > error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE. Thank you for the explanation, sorry I didn't realize we're handling ssl errors in ResourceHandleSoup/NetworkDataTaskSoup. 290604 2016-10-04 09:06:28 -0700 2016-10-04 09:56:11 -0700 Patch wcore-soup-ssl-policy.diff text/plain 5541 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBkOWE1Njk1Li40NmY4ZTA0OSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDI0 IEBACiAyMDE2LTEwLTA0ICBDYXJsb3MgR2FyY2lhIENhbXBvcyAgPGNnYXJjaWFAaWdhbGlhLmNv bT4KIAorICAgICAgICBbU09VUF0gUmVtb3ZlIFNTTFBvbGljeUZsYWdzIGZyb20gU291cE5ldHdv cmtTZXNzaW9uCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD0xNjI5MDYKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBBbGwgc291cCBiYXNlZCBwb3J0cyBhcmUgc2V0dGluZyBTU0xVc2VTeXN0ZW1DQUZpbGUgZmxh ZyB1bmNvbmRpdGlvbmFsbHksIHNvIHdlIGNhbiBqdXN0IHVzZSB0aGF0IHdoZW4gY3JlYXRpbmcK KyAgICAgICAgdGhlIHNlc3Npb24gbGlrZSB3ZSBkbyBmb3IgYWxsIG90aGVyIGNvbnN0cnVjdCBw YXJhbWV0ZXJzLgorCisgICAgICAgICogcGxhdGZvcm0vbmV0d29yay9zb3VwL1NvdXBOZXR3b3Jr U2Vzc2lvbi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpTb3VwTmV0d29ya1Nlc3Npb246OmNyZWF0 ZVRlc3RpbmdTZXNzaW9uKToKKyAgICAgICAgKFdlYkNvcmU6OlNvdXBOZXR3b3JrU2Vzc2lvbjo6 c2V0dXBMb2dnZXIpOgorICAgICAgICAoV2ViQ29yZTo6U291cE5ldHdvcmtTZXNzaW9uOjpTb3Vw TmV0d29ya1Nlc3Npb24pOiBEZWxldGVkLgorICAgICAgICAoV2ViQ29yZTo6U291cE5ldHdvcmtT ZXNzaW9uOjpjbGVhck9sZFNvdXBDYWNoZSk6IERlbGV0ZWQuCisgICAgICAgIChXZWJDb3JlOjpT b3VwTmV0d29ya1Nlc3Npb246OnNldEhUVFBQcm94eSk6IERlbGV0ZWQuCisgICAgICAgICogcGxh dGZvcm0vbmV0d29yay9zb3VwL1NvdXBOZXR3b3JrU2Vzc2lvbi5oOgorICAgICAgICAoV2ViQ29y ZTo6U291cE5ldHdvcmtTZXNzaW9uOjpzb3VwU2Vzc2lvbik6IERlbGV0ZWQuCisKKzIwMTYtMTAt MDQgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29tPgorCiAgICAgICAg IFtTT1VQXSBNb3ZlIHJlcXVlc3QgSFRUUCBib2R5IGhhbmRsaW5nIHRvIFJlc291cmNlUmVxdWVz dFNvdXAgYW5kIHNpbXBsaWZ5IGl0CiAgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xNjI4OTEKIApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxhdGZv cm0vbmV0d29yay9zb3VwL1NvdXBOZXR3b3JrU2Vzc2lvbi5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9w bGF0Zm9ybS9uZXR3b3JrL3NvdXAvU291cE5ldHdvcmtTZXNzaW9uLmNwcAppbmRleCA2ZjUxZTc3 Li5lNjMyZGViIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9uZXR3b3JrL3Nv dXAvU291cE5ldHdvcmtTZXNzaW9uLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9u ZXR3b3JrL3NvdXAvU291cE5ldHdvcmtTZXNzaW9uLmNwcApAQCAtMTExLDYgKzExMSw4IEBAIFNv dXBOZXR3b3JrU2Vzc2lvbjo6U291cE5ldHdvcmtTZXNzaW9uKFNvdXBDb29raWVKYXIqIGNvb2tp ZUphcikKICAgICAgICAgU09VUF9TRVNTSU9OX0FERF9GRUFUVVJFX0JZX1RZUEUsIFNPVVBfVFlQ RV9QUk9YWV9SRVNPTFZFUl9ERUZBVUxULAogICAgICAgICBTT1VQX1NFU1NJT05fQUREX0ZFQVRV UkUsIGNvb2tpZUphciwKICAgICAgICAgU09VUF9TRVNTSU9OX1VTRV9USFJFQURfQ09OVEVYVCwg VFJVRSwKKyAgICAgICAgU09VUF9TRVNTSU9OX1NTTF9VU0VfU1lTVEVNX0NBX0ZJTEUsIFRSVUUs CisgICAgICAgIFNPVVBfU0VTU0lPTl9TU0xfU1RSSUNULCBGQUxTRSwKICAgICAgICAgbnVsbHB0 cik7CiAKICNpZiBTT1VQX0NIRUNLX1ZFUlNJT04oMiwgNTMsIDkyKQpAQCAtMTk1LDMwICsxOTcs NiBAQCB2b2lkIFNvdXBOZXR3b3JrU2Vzc2lvbjo6Y2xlYXJPbGRTb3VwQ2FjaGUoY29uc3QgU3Ry aW5nJiBjYWNoZURpcmVjdG9yeSkKICAgICB9CiB9CiAKLXZvaWQgU291cE5ldHdvcmtTZXNzaW9u OjpzZXRTU0xQb2xpY3koU1NMUG9saWN5IGZsYWdzKQotewotICAgIGdfb2JqZWN0X3NldChtX3Nv dXBTZXNzaW9uLmdldCgpLAotICAgICAgICBTT1VQX1NFU1NJT05fU1NMX1VTRV9TWVNURU1fQ0Ff RklMRSwgZmxhZ3MgJiBTU0xVc2VTeXN0ZW1DQUZpbGUgPyBUUlVFIDogRkFMU0UsCi0gICAgICAg IFNPVVBfU0VTU0lPTl9TU0xfU1RSSUNULCBmbGFncyAmIFNTTFN0cmljdCA/IFRSVUUgOiBGQUxT RSwKLSAgICAgICAgbnVsbHB0cik7Ci19Ci0KLVNvdXBOZXR3b3JrU2Vzc2lvbjo6U1NMUG9saWN5 IFNvdXBOZXR3b3JrU2Vzc2lvbjo6c3NsUG9saWN5KCkgY29uc3QKLXsKLSAgICBnYm9vbGVhbiB1 c2VTeXN0ZW1DQUZpbGUsIHN0cmljdDsKLSAgICBnX29iamVjdF9nZXQobV9zb3VwU2Vzc2lvbi5n ZXQoKSwKLSAgICAgICAgU09VUF9TRVNTSU9OX1NTTF9VU0VfU1lTVEVNX0NBX0ZJTEUsICZ1c2VT eXN0ZW1DQUZpbGUsCi0gICAgICAgIFNPVVBfU0VTU0lPTl9TU0xfU1RSSUNULCAmc3RyaWN0LAot ICAgICAgICBudWxscHRyKTsKLQotICAgIFNTTFBvbGljeSBmbGFncyA9IDA7Ci0gICAgaWYgKHVz ZVN5c3RlbUNBRmlsZSkKLSAgICAgICAgZmxhZ3MgfD0gU1NMVXNlU3lzdGVtQ0FGaWxlOwotICAg IGlmIChzdHJpY3QpCi0gICAgICAgIGZsYWdzIHw9IFNTTFN0cmljdDsKLSAgICByZXR1cm4gZmxh Z3M7Ci19Ci0KIHZvaWQgU291cE5ldHdvcmtTZXNzaW9uOjpzZXRIVFRQUHJveHkoY29uc3QgY2hh ciogaHR0cFByb3h5LCBjb25zdCBjaGFyKiBodHRwUHJveHlFeGNlcHRpb25zKQogewogI2lmIFBM QVRGT1JNKEVGTCkKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsv c291cC9Tb3VwTmV0d29ya1Nlc3Npb24uaCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdv cmsvc291cC9Tb3VwTmV0d29ya1Nlc3Npb24uaAppbmRleCA3YWE3OWUzLi5iNzA0ODYwIDEwMDY0 NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9uZXR3b3JrL3NvdXAvU291cE5ldHdvcmtT ZXNzaW9uLmgKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vbmV0d29yay9zb3VwL1NvdXBO ZXR3b3JrU2Vzc2lvbi5oCkBAIC00NywxMiArNDcsNiBAQCBwdWJsaWM6CiAgICAgc3RhdGljIHN0 ZDo6dW5pcXVlX3B0cjxTb3VwTmV0d29ya1Nlc3Npb24+IGNyZWF0ZVRlc3RpbmdTZXNzaW9uKCk7 CiAgICAgc3RhdGljIHN0ZDo6dW5pcXVlX3B0cjxTb3VwTmV0d29ya1Nlc3Npb24+IGNyZWF0ZUZv clNvdXBTZXNzaW9uKFNvdXBTZXNzaW9uKik7CiAKLSAgICBlbnVtIFNTTFBvbGljeUZsYWdzIHsK LSAgICAgICAgU1NMU3RyaWN0ID0gMSA8PCAwLAotICAgICAgICBTU0xVc2VTeXN0ZW1DQUZpbGUg PSAxIDw8IDEKLSAgICB9OwotICAgIHR5cGVkZWYgdW5zaWduZWQgU1NMUG9saWN5OwotCiAgICAg U291cFNlc3Npb24qIHNvdXBTZXNzaW9uKCkgY29uc3QgeyByZXR1cm4gbV9zb3VwU2Vzc2lvbi5n ZXQoKTsgfQogCiAgICAgdm9pZCBzZXRDb29raWVKYXIoU291cENvb2tpZUphciopOwpAQCAtNjAs OSArNTQsNiBAQCBwdWJsaWM6CiAKICAgICBzdGF0aWMgdm9pZCBjbGVhck9sZFNvdXBDYWNoZShj b25zdCBTdHJpbmcmIGNhY2hlRGlyZWN0b3J5KTsKIAotICAgIHZvaWQgc2V0U1NMUG9saWN5KFNT TFBvbGljeSk7Ci0gICAgU1NMUG9saWN5IHNzbFBvbGljeSgpIGNvbnN0OwotCiAgICAgdm9pZCBz ZXR1cEhUVFBQcm94eUZyb21FbnZpcm9ubWVudCgpOwogCiAgICAgdm9pZCBzZXRBY2NlcHRMYW5n dWFnZXMoY29uc3QgVmVjdG9yPFN0cmluZz4mKTsKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQy L0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwppbmRleCBmYTllMDQzLi4yMjAx M2YxIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dl YktpdDIvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTYtMTAtMDQgIENhcmxvcyBHYXJj aWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29tPgorCisgICAgICAgIFtTT1VQXSBSZW1vdmUg U1NMUG9saWN5RmxhZ3MgZnJvbSBTb3VwTmV0d29ya1Nlc3Npb24KKyAgICAgICAgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE2MjkwNgorCisgICAgICAgIFJldmlld2Vk IGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogTmV0d29ya1Byb2Nlc3Mvc291cC9OZXR3 b3JrUHJvY2Vzc01haW5Tb3VwLmNwcDoKKyAgICAgICAgKFdlYktpdDo6TmV0d29ya1Byb2Nlc3NN YWluVW5peCk6CisKIDIwMTYtMTAtMDMgIEtlaXRoIFJvbGxpbiAgPGtyb2xsaW5AYXBwbGUuY29t PgogCiAgICAgICAgIE1vcmUgbG9nZ2luZyB0byBkaWFnbm9zZSAiV2ViS2l0IGVuY291bnRlcmVk IGFuIGludGVybmFsIGVycm9yIiBtZXNzYWdlcwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdDIv TmV0d29ya1Byb2Nlc3Mvc291cC9OZXR3b3JrUHJvY2Vzc01haW5Tb3VwLmNwcCBiL1NvdXJjZS9X ZWJLaXQyL05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya1Byb2Nlc3NNYWluU291cC5jcHAKaW5k ZXggNGU2OGQ0ZS4uZDUwODFhYyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvTmV0d29ya1By b2Nlc3Mvc291cC9OZXR3b3JrUHJvY2Vzc01haW5Tb3VwLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0 Mi9OZXR3b3JrUHJvY2Vzcy9zb3VwL05ldHdvcmtQcm9jZXNzTWFpblNvdXAuY3BwCkBAIC0yOSwy NSArMjksMTIgQEAKIAogI2luY2x1ZGUgIkNoaWxkUHJvY2Vzc01haW4uaCIKICNpbmNsdWRlICJO ZXR3b3JrUHJvY2Vzc01haW5Vbml4LmgiCi0jaW5jbHVkZSA8V2ViQ29yZS9Tb3VwTmV0d29ya1Nl c3Npb24uaD4KLSNpbmNsdWRlIDxsaWJzb3VwL3NvdXAuaD4KLQotdXNpbmcgbmFtZXNwYWNlIFdl YkNvcmU7CiAKIG5hbWVzcGFjZSBXZWJLaXQgewogCi1jbGFzcyBOZXR3b3JrUHJvY2Vzc01haW4g ZmluYWw6IHB1YmxpYyBDaGlsZFByb2Nlc3NNYWluQmFzZSB7Ci1wdWJsaWM6Ci0gICAgYm9vbCBw bGF0Zm9ybUluaXRpYWxpemUoKSBvdmVycmlkZQotICAgIHsKLSAgICAgICAgU291cE5ldHdvcmtT ZXNzaW9uOjpkZWZhdWx0U2Vzc2lvbigpLnNldFNTTFBvbGljeShTb3VwTmV0d29ya1Nlc3Npb246 OlNTTFVzZVN5c3RlbUNBRmlsZSk7Ci0gICAgICAgIHJldHVybiB0cnVlOwotICAgIH0KLX07Ci0K IGludCBOZXR3b3JrUHJvY2Vzc01haW5Vbml4KGludCBhcmdjLCBjaGFyKiogYXJndikKIHsKLSAg ICByZXR1cm4gQ2hpbGRQcm9jZXNzTWFpbjxOZXR3b3JrUHJvY2VzcywgTmV0d29ya1Byb2Nlc3NN YWluPihhcmdjLCBhcmd2KTsKKyAgICByZXR1cm4gQ2hpbGRQcm9jZXNzTWFpbjxOZXR3b3JrUHJv Y2VzcywgQ2hpbGRQcm9jZXNzTWFpbkJhc2U+KGFyZ2MsIGFyZ3YpOwogfQogCiB9IC8vIG5hbWVz cGFjZSBXZWJLaXQK