Summary: | [SOUP] Remove SSLPolicyFlags from SoupNetworkSession
---|---
Product: | WebKit
Component: | Platform
Reporter: | Carlos Garcia Campos <cgarcia>
Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
Keywords: | Gtk, Soup
CC: | berto, bugs-noreply, commit-queue, danw, gustavo, ivlev.igor, mcatanzaro, mrobinson
Version: | WebKit Local Build
Hardware: | Unspecified
OS: | Unspecified
Description
Carlos Garcia Campos
2016-10-04 09:04:24 PDT
Created attachment 290604
Patch

Comment on attachment 290604
Patch

Clearing flags on attachment: 290604

Committed r206772: <http://trac.webkit.org/changeset/206772>

All reviewed patches have been landed. Closing bug.

Hi Carlos,

this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and removing setSSLPolicy, so is it possible for a user to set it back to TRUE later?
If not, does it look like a security issue?

Thanks!

(In reply to comment #4)
> Hi Carlos,
>
> this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> later?
> If not, does it look like a security issue?
>
> Thanks!

What user do you mean? All users of that API (GTK+ and EFL ports) were setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this patch. We have always set that to FALSE, because we handle SSL errors ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.

(In reply to comment #5)
> (In reply to comment #4)
> > Hi Carlos,
> >
> > this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> > removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> > later?
> > If not, does it look like a security issue?
> >
> > Thanks!
>
> What user do you mean? All users of that API (GTK+ and EFL ports) were
> setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets
> SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this
> patch. We have always set that to FALSE, because we handle SSL errors
> ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an
> error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.

Thank you for the explanation, sorry I didn't realize we're handling SSL errors in ResourceHandleSoup/NetworkDataTaskSoup.