author | Alex Rudenko <alexrudenko@chromium.org> | 2022-12-21 07:54:07 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-04 10:07:00 +0000 |
commit | 0717211ca9d7ee2dcc17a7964170d633aafcfb98 (patch) | |
tree | 9e1fc4c58a58d313143b307341f86ce7839e4180 | |
parent | a2a695e382ec345f1f5da6380b262f04a6e7d295 (diff) | |
download | qtwebengine-chromium-0717211ca9d7ee2dcc17a7964170d633aafcfb98.tar.gz |
[Backport] CVE-2023-0704: Insufficient policy enforcement in DevTools
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4106102:
DevTools: reject debugging web socket connections with a defined Origin header
Unless the browser is started with a new flag `--remote-allow-origins=<origin>[,<origin>, ...]`. The star origin `*` allows all origins.
This CL should not affect non-browser clients such as Puppeteer and WebDriver. It affects DevTools e2e tests in the hosted mode which is fixed in [1]. It should not affect features like remote debugging that
don't use web sockets.
[1]: https://crrev.com/c/4112007
Bug: chromium:1385982
Change-Id: I721f7db3167ebab63416c8a1f48281735f063e48
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4106102
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Alex Rudenko <alexrudenko@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1085812}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461071
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
4 files changed, 37 insertions, 0 deletions
diff --git a/chromium/content/browser/devtools/devtools_http_handler.cc b/chromium/content/browser/devtools/devtools_http_handler.cc
index 78e4d0a6b13..6da55042282 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.cc
+++ b/chromium/content/browser/devtools/devtools_http_handler.cc
@@ -10,6 +10,7 @@
 #include <utility>
 #include "base/bind.h"
+#include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/files/file_util.h"
 #include "base/guid.h"
@@ -38,6 +39,7 @@
 #include "content/public/browser/devtools_manager_delegate.h"
 #include "content/public/browser/devtools_socket_factory.h"
 #include "content/public/common/content_client.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/common/user_agent.h"
 #include "net/base/io_buffer.h"
@@ -752,6 +754,13 @@ void DevToolsHttpHandler::OnWebSocketRequest(
 if (!thread_)
 return;
+ if (request.headers.count("origin") &&
+ !remote_allow_origins_.count(request.headers.at("origin")) &&
+ !remote_allow_origins_.count("*")) {
+ Send403(connection_id);
+ return;
+ }
+
 if (base::StartsWith(request.path, browser_guid_,
 base::CompareCase::SENSITIVE)) {
 scoped_refptr<DevToolsAgentHost> browser_agent =
@@ -823,6 +832,14 @@ DevToolsHttpHandler::DevToolsHttpHandler(
 output_directory, debug_frontend_dir, browser_guid_,
 delegate_->HasBundledFrontendResources()));
 }
+ std::string remote_allow_origins = base::ToLowerASCII(
+ base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+ switches::kRemoteAllowOrigins));
+
+ auto origins =
+ base::SplitString(remote_allow_origins, ",", base::TRIM_WHITESPACE,
+ base::SPLIT_WANT_NONEMPTY);
+ remote_allow_origins_.insert(origins.begin(), origins.end());
 }
 void DevToolsHttpHandler::ServerStarted(
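Review bot: In the OnWebSocketRequest hunk the allow-list is populated lower-cased (`base::ToLowerASCII` in the constructor hunk that follows), but `request.headers.at("origin")` is compared verbatim, so an Origin value containing upper-case characters is refused even when it is listed; this fails closed rather than open, but the lookup should normalize the same way, `!remote_allow_origins_.count(base::ToLowerASCII(request.headers.at("origin")))`. The `count`/`at` pair also performs two map lookups where a single `find` would do. The check presumes the server stores header names lower-cased so that a client-sent `Origin` is found under `"origin"`; that is decided outside this hunk and deserves a comment at the check, e.g. `// Requests carrying an Origin header must come from an allow-listed origin; requests without one are not affected.` OnWebSocketRequest begins outside the hunk.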
@@ -882,6 +899,18 @@ void DevToolsHttpHandler::Send404(int connection_id) {
 base::Unretained(server_wrapper_.get()), connection_id));
 }
+void DevToolsHttpHandler::Send403(int connection_id) {
+ if (!thread_) {
+ return;
+ }
+ net::HttpServerResponseInfo response(net::HTTP_FORBIDDEN);
+ response.SetBody(std::string(), "text/html");
+ thread_->task_runner()->PostTask(
+ FROM_HERE, base::BindOnce(&ServerWrapper::SendResponse,
+ base::Unretained(server_wrapper_.get()),
+ connection_id, response));
+}
+
 void DevToolsHttpHandler::Send500(int connection_id,
 const std::string& message) {
 if (!thread_)
diff --git a/chromium/content/browser/devtools/devtools_http_handler.h b/chromium/content/browser/devtools/devtools_http_handler.h
index 04a4905eb43..088e6c6c065 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.h
+++ b/chromium/content/browser/devtools/devtools_http_handler.h
@@ -7,6 +7,7 @@
 #include <map>
 #include <memory>
+#include <set>
 #include <string>
 #include "base/files/file_path.h"
@@ -90,6 +91,7 @@ class DevToolsHttpHandler {
 const std::string& data,
 const std::string& mime_type);
 void Send404(int connection_id);
+ void Send403(int connection_id);
 void Send500(int connection_id, const std::string& message);
 void AcceptWebSocket(int connection_id,
@@ -106,6 +108,7 @@ class DevToolsHttpHandler {
 base::Value SerializeDescriptor(scoped_refptr<DevToolsAgentHost> agent_host,
 const std::string& host);
+ std::set<std::string> remote_allow_origins_;
 // The thread used by the devtools handler to run server socket.
 std::unique_ptr<base::Thread> thread_;
 std::string browser_guid_;
diff --git a/chromium/content/public/common/content_switches.cc b/chromium/content/public/common/content_switches.cc
index 663327f0bae..9ed247ee1f4 100644
--- a/chromium/content/public/common/content_switches.cc
+++ b/chromium/content/public/common/content_switches.cc
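Review bot: Send403's guard `if (!thread_) { return; }` is written with braces over three lines, while the sibling Send500 in the same hunk (and Send404, by the shape of its tail) uses the bare `if (!thread_)` followed by `return;`; keeping the existing form keeps the three Send* helpers uniform. Send500's body continues outside the hunk.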
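Review bot: The new member `remote_allow_origins_` in the devtools_http_handler.h hunk at line 108 is declared without a comment, directly above `thread_`, which has one; since the stored strings are lower-cased and "*" is special-cased by the caller, the header should say so, e.g. `// Lower-cased origins from --remote-allow-origins that may open a debugging web socket; "*" admits any origin.` The class body continues outside the hunk.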
@@ -673,6 +673,10 @@ const char kRemoteDebuggingPipe[] = "remote-debugging-pipe";
 // Enables remote debug over HTTP on the specified port.
 const char kRemoteDebuggingPort[] = "remote-debugging-port";
+// Enables web socket connections from the specified origins only. '*' allows
+// any origin.
+const char kRemoteAllowOrigins[] = "remote-allow-origins";
+
 const char kRendererClientId[] = "renderer-client-id";
 // The contents of this flag are prepended to the renderer command line.
diff --git a/chromium/content/public/common/content_switches.h b/chromium/content/public/common/content_switches.h
index f520e6f25de..f28b45ab83f 100644
--- a/chromium/content/public/common/content_switches.h
+++ b/chromium/content/public/common/content_switches.h
@@ -195,6 +195,7 @@ CONTENT_EXPORT extern const char kReduceUserAgentPlatformOsCpu[];
 CONTENT_EXPORT extern const char kRegisterPepperPlugins[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPipe[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPort[];
+CONTENT_EXPORT extern const char kRemoteAllowOrigins[];
 CONTENT_EXPORT extern const char kRendererClientId[];
 extern const char kRendererCmdPrefix[];
 CONTENT_EXPORT extern const char kRendererProcess[];
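Review bot: The comment added above `kRemoteAllowOrigins` reads as if the switch gates every web socket connection, but the check in devtools_http_handler.cc only runs when the request carries an Origin header, and a request without one is still accepted; the comment should state the actual contract, e.g. `// Comma-separated list of origins allowed to open a remote debugging web socket when the request carries an Origin header; '*' allows any origin. Requests without an Origin header are not affected.` Stating it here matters because this is the only user-facing description of the flag.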