From 8abd05a0ce1260bc85d1d407a1f768580fd452c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Sat, 18 Feb 2023 02:26:24 +0100
Subject: Revert "[Backport] CVE-2023-0704: Insufficient policy enforcement in DevTools"

It is causing trouble with the inspector and it is low impact and should not matter for production use cases.
This reverts commit aecb8093dd91f09f0333eb634fe6f0db38f6f48f.
Change-Id: I19cca67617ea0e43914a71f3b7fc97a9cbefaf7b
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461212
Reviewed-by: Allan Sandfeld Jensen
---
 .../browser/devtools/devtools_http_handler.cc | 29 ----------------------
 .../browser/devtools/devtools_http_handler.h | 3 ---
 chromium/content/public/common/content_switches.cc | 4 ---
 chromium/content/public/common/content_switches.h | 1 -
 4 files changed, 37 deletions(-)

diff --git a/chromium/content/browser/devtools/devtools_http_handler.cc b/chromium/content/browser/devtools/devtools_http_handler.cc
index c1bfd5ac351..f539e36ba12 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.cc
+++ b/chromium/content/browser/devtools/devtools_http_handler.cc
@@ -10,7 +10,6 @@
 #include
 #include "base/bind.h"
-#include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/files/file_util.h"
 #include "base/guid.h"
@@ -37,7 +36,6 @@
 #include "content/public/browser/devtools_manager_delegate.h"
 #include "content/public/browser/devtools_socket_factory.h"
 #include "content/public/common/content_client.h"
-#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/common/user_agent.h"
 #include "net/base/escape.h"
@@ -721,13 +719,6 @@ void DevToolsHttpHandler::OnWebSocketRequest(
 if (!thread_)
 return;
- if (request.headers.count("origin") &&
- !remote_allow_origins_.count(request.headers.at("origin")) &&
- !remote_allow_origins_.count("*")) {
- Send403(connection_id);
- return;
- }
-
 if (base::StartsWith(request.path, browser_guid_,
 base::CompareCase::SENSITIVE)) {
 scoped_refptr browser_agent =
@@ -799,14 +790,6 @@ DevToolsHttpHandler::DevToolsHttpHandler(
 output_directory, debug_frontend_dir, browser_guid_,
 delegate_->HasBundledFrontendResources()));
 }
- std::string remote_allow_origins = base::ToLowerASCII(
- base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
- switches::kRemoteAllowOrigins));
-
- auto origins =
- base::SplitString(remote_allow_origins, ",", base::TRIM_WHITESPACE,
- base::SPLIT_WANT_NONEMPTY);
- remote_allow_origins_.insert(origins.begin(), origins.end());
 }
 void DevToolsHttpHandler::ServerStarted(
@@ -866,18 +849,6 @@ void DevToolsHttpHandler::Send404(int connection_id) {
 base::Unretained(server_wrapper_.get()), connection_id));
 }
-void DevToolsHttpHandler::Send403(int connection_id) {
- if (!thread_) {
- return;
- }
- net::HttpServerResponseInfo response(net::HTTP_FORBIDDEN);
- response.SetBody(std::string(), "text/html");
- thread_->task_runner()->PostTask(
- FROM_HERE, base::BindOnce(&ServerWrapper::SendResponse,
- base::Unretained(server_wrapper_.get()),
- connection_id, response));
-}
-
 void DevToolsHttpHandler::Send500(int connection_id,
 const std::string& message) {
 if (!thread_)
diff --git a/chromium/content/browser/devtools/devtools_http_handler.h b/chromium/content/browser/devtools/devtools_http_handler.h
index 1110228d5c0..e12f1b54d0e 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.h
+++ b/chromium/content/browser/devtools/devtools_http_handler.h
@@ -7,7 +7,6 @@
 #include
 #include
-#include
 #include
 #include "base/files/file_path.h"
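Review bot: With the `Origin` comparison gone, the new `OnWebSocketRequest` goes from the `thread_` check straight to the `browser_guid_` path match, so a WebSocket upgrade from any web origin is accepted again whenever remote debugging is enabled; that is the gap the reverted CVE-2023-0704 backport closed. The removed condition only fired when an `Origin` header was present and `remote_allow_origins_` contained neither that origin nor `*`, so the inspector breakage presumably comes from a frontend whose origin was never listed; a narrower fix than the revert would keep the check and `Send403` and add the embedder's own inspector origin to `remote_allow_origins_` in the constructor (the -799 hunk). If the revert stays, record the gap at the call site, e.g. `// Origin is not validated here (CVE-2023-0704 backport reverted); keep remote debugging off in production.` The function body continues outside the hunk.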
@@ -91,7 +90,6 @@ class DevToolsHttpHandler {
 const std::string& data,
 const std::string& mime_type);
 void Send404(int connection_id);
- void Send403(int connection_id);
 void Send500(int connection_id, const std::string& message);
 void AcceptWebSocket(int connection_id,
@@ -108,7 +106,6 @@ class DevToolsHttpHandler {
 base::Value SerializeDescriptor(scoped_refptr agent_host,
 const std::string& host);
- std::set remote_allow_origins_;
 // The thread used by the devtools handler to run server socket.
 std::unique_ptr thread_;
 std::string browser_guid_;
diff --git a/chromium/content/public/common/content_switches.cc b/chromium/content/public/common/content_switches.cc
index 5cd23bb291b..0ff8b5dcc8d 100644
--- a/chromium/content/public/common/content_switches.cc
+++ b/chromium/content/public/common/content_switches.cc
@@ -665,10 +665,6 @@ const char kRemoteDebuggingPipe[] = "remote-debugging-pipe";
 // Enables remote debug over HTTP on the specified port.
 const char kRemoteDebuggingPort[] = "remote-debugging-port";
-// Enables web socket connections from the specified origins only. '*' allows
-// any origin.
-const char kRemoteAllowOrigins[] = "remote-allow-origins";
-
 const char kRendererClientId[] = "renderer-client-id";
 // The contents of this flag are prepended to the renderer command line.
diff --git a/chromium/content/public/common/content_switches.h b/chromium/content/public/common/content_switches.h
index a3e3610420f..0d7b82f9ea5 100644
--- a/chromium/content/public/common/content_switches.h
+++ b/chromium/content/public/common/content_switches.h
@@ -191,7 +191,6 @@ CONTENT_EXPORT extern const char kReduceUserAgentMinorVersion[];
 CONTENT_EXPORT extern const char kRegisterPepperPlugins[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPipe[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPort[];
-CONTENT_EXPORT extern const char kRemoteAllowOrigins[];
 CONTENT_EXPORT extern const char kRendererClientId[];
 extern const char kRendererCmdPrefix[];
 CONTENT_EXPORT extern const char kRendererProcess[];
--
cgit v1.2.1