WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
193718
CVE-2019-11070
[GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy settings
https://bugs.webkit.org/show_bug.cgi?id=193718
Summary
[GStreamer] HLS, DASH, and Smooth Streaming implementations ignore proxy sett...
Michael Catanzaro
Reported
2019-01-23 07:44:45 PST
When removing the web process's access to network proxy settings, I thought to wonder how HLS could use them if HLS accesses the network in the web process. Answer must be that it has never used our proxy settings. This is a major security bug of the sort that requires a CVE at least, to inform users who may have been affected. Proper solution is to route the HLS implementation through the network process, so our sandbox can disable the web process's ability to access the network altogether. If we don't have time for that, we could add a GStreamer-specific way to move the proxy information from the UI process to the web process, and keep it in sync when it changes. (The previous method for sending proxy data to the web process is being removed, because it was unused.) And if we don't have time for THAT, then I dunno, we need to handle it somehow.
Attachments
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2019-01-23 07:44:59 PST
<
rdar://problem/47480760
>
Philippe Normand
Comment 2
2019-03-05 07:26:28 PST
See
https://bugs.webkit.org/show_bug.cgi?id=189967#c3
Philippe Normand
Comment 3
2019-03-22 08:10:21 PDT
So what's left to be done for this?
Michael Catanzaro
Comment 4
2019-03-22 09:57:25 PDT
Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to download stuff. Then nothing more should be required. You've already succeeded at that, right? So we can close this now? We should also request a CVE, because this is a deanonymization issue.
Philippe Normand
Comment 5
2019-03-22 10:23:06 PDT
(In reply to Michael Catanzaro from
comment #4
)
> Make sure GStreamer is using the SoupNetworkSession in the NetworkProcess to > download stuff.
Looks like it does! A single SoupNetworkSession is created in the NetworkProcess during HLS playback, and souphttpsrc is no longer used for fragments downloading.
> Then nothing more should be required. You've already > succeeded at that, right? So we can close this now? >
I suppose, yes.
> We should also request a CVE, because this is a deanonymization issue.
If you say so :)
Michael Catanzaro
Comment 6
2019-03-24 10:50:42 PDT
I'll handle the CVE request. Is
r243197
the commit that fixed this? Please help me find the commit that fixed it. :) Note: I wrote some recommendations
https://trac.webkit.org/wiki/WebKitGTK/MaintenanceTips#CVERequests
about when we should request CVEs.
Philippe Normand
Comment 7
2019-03-24 10:55:42 PDT
Yes,
r243197
, which depends on
r243140
and
r243058
Michael Catanzaro
Comment 8
2019-04-10 09:18:16 PDT
https://trac.webkit.org/changeset/243197/webkit
is the commit that fixed this.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug