bug 528288 - disallow spdy from http created in nsNSSCallbacks to avoid OSCP/CRL loops with alternate-protocol sr=biesi r=honzab
patch 15
This commit is contained in:
parent
2e74f3e2e2
commit
db6da0efcf
@ -80,6 +80,7 @@ HttpBaseChannel::HttpBaseChannel()
, mChannelIsForDownload(false)
, mTracingEnabled(true)
, mTimingEnabled(false)
, mAllowSpdy(true)
, mSuspendCount(0)
, mRedirectedCachekeys(nsnull)
{
@ -1310,6 +1311,22 @@ HttpBaseChannel::HTTPUpgrade(const nsACString &aProtocolName,
return NS_OK;
}
NS_IMETHODIMP
HttpBaseChannel::GetAllowSpdy(bool *aAllowSpdy)
{
NS_ENSURE_ARG_POINTER(aAllowSpdy);
*aAllowSpdy = mAllowSpdy;
return NS_OK;
}
NS_IMETHODIMP
HttpBaseChannel::SetAllowSpdy(bool aAllowSpdy)
{
mAllowSpdy = aAllowSpdy;
return NS_OK;
}
//-----------------------------------------------------------------------------
// HttpBaseChannel::nsISupportsPriority
//-----------------------------------------------------------------------------
@ -1619,6 +1636,8 @@ HttpBaseChannel::SetupReplacementChannel(nsIURI *newURI,
if (httpInternal) {
// convey the mForceAllowThirdPartyCookie flag
httpInternal->SetForceAllowThirdPartyCookie(mForceAllowThirdPartyCookie);
// convey the spdy flag
httpInternal->SetAllowSpdy(mAllowSpdy);
// update the DocumentURI indicator since we are being redirected.
// if this was a top-level document channel, then the new channel
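Review bot: SetAllowSpdy in the second hunk accepts the flag at any time, but mAllowSpdy is only consumed when the transaction is built, so a call made after AsyncOpen changes nothing and still returns NS_OK; the OCSP/CRL loop fix this commit adds relies on callers getting that order right. If the file's other pre-open setters reject late calls with a pending-state check (something like `if (mIsPending) return NS_ERROR_IN_PROGRESS;`, assuming that member is available here), apply the same guard to SetAllowSpdy so a misordered caller fails loudly instead of silently keeping SPDY enabled. The copy in SetupReplacementChannel (third hunk) is the piece that keeps a downgraded channel off SPDY across an Alternate-Protocol redirect; a comment there such as `// must survive redirects, otherwise a SPDY-free OCSP/CRL fetch could be upgraded` would record why the flag is conveyed alongside the cookie flag.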
@ -167,6 +167,9 @@ public:
NS_IMETHOD GetLocalPort(PRInt32* port);
NS_IMETHOD GetRemoteAddress(nsACString& addr);
NS_IMETHOD GetRemotePort(PRInt32* port);
NS_IMETHOD GetAllowSpdy(bool *aAllowSpdy);
NS_IMETHOD SetAllowSpdy(bool aAllowSpdy);
inline void CleanRedirectCacheChainIfNecessary()
{
if (mRedirectedCachekeys) {
@ -295,6 +298,7 @@ protected:
PRUint32 mTracingEnabled : 1;
// True if timing collection is enabled
PRUint32 mTimingEnabled : 1;
PRUint32 mAllowSpdy : 1;
// Current suspension depth for this channel object
PRUint32 mSuspendCount;
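Review bot: The new bit `PRUint32 mAllowSpdy : 1;` in the second hunk is the only member of that group without a comment, while its neighbour carries `// True if timing collection is enabled`. Suggest `// False disables SPDY negotiation for this channel only (nsIHttpChannelInternal.allowSpdy); the global pref still gates it`, so a reader sees that clearing the bit is a per-channel opt-out and not a substitute for network.http.spdy.enabled. The class body continues outside both hunks.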
@ -1079,7 +1079,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
mPriority, mRedirectionLimit, mAllowPipelining,
mForceAllowThirdPartyCookie, mSendResumeAt,
mStartPos, mEntityID, mChooseApplicationCache,
appCacheClientId);
appCacheClientId, mAllowSpdy);
return NS_OK;
}
@ -143,7 +143,8 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI& aURI,
const PRUint64& startPos,
const nsCString& entityID,
const bool& chooseApplicationCache,
const nsCString& appCacheClientID)
const nsCString& appCacheClientID,
const bool& allowSpdy)
{
nsCOMPtr<nsIURI> uri(aURI);
nsCOMPtr<nsIURI> originalUri(aOriginalURI);
@ -203,6 +204,7 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI& aURI,
httpChan->SetRedirectionLimit(redirectionLimit);
httpChan->SetAllowPipelining(allowPipelining);
httpChan->SetForceAllowThirdPartyCookie(forceAllowThirdPartyCookie);
httpChan->SetAllowSpdy(allowSpdy);
nsCOMPtr<nsIApplicationCacheChannel> appCacheChan =
do_QueryInterface(mChannel);
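Review bot: `httpChan->SetAllowSpdy(allowSpdy);` in the second hunk applies a value chosen by the child process to the parent's channel with no validation, like the other flags around it. That is acceptable only because the flag is fail-safe in one direction: the default is true and the only thing a child can do with it is disable SPDY for its own channel, so a misbehaving child gains nothing; that reasoning deserves a line such as `// child-supplied; false can only disable SPDY, so no validation needed`. The same argument is added on the child side in HttpChannelChild::AsyncOpen and to RecvAsyncOpen's signature in the first hunk; the parent-side AsyncOpen that consumes the flag is outside the hunk, so the set-before-open ordering is inferred rather than shown.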
@ -97,7 +97,8 @@ protected:
const PRUint64& startPos,
const nsCString& entityID,
const bool& chooseApplicationCache,
const nsCString& appCacheClientID);
const nsCString& appCacheClientID,
const bool& allowSpdy);
virtual bool RecvConnectChannel(const PRUint32& channelId);
virtual bool RecvSetPriority(const PRUint16& priority);
@ -81,7 +81,8 @@ parent:
PRUint64 startPos,
nsCString entityID,
bool chooseApplicationCache,
nsCString appCacheClientID);
nsCString appCacheClientID,
bool allowSpdy);
// Used to connect redirected-to channel on the parent with redirected-to
// channel on the child.
@ -211,7 +211,7 @@ nsHttpChannel::Connect(bool firstTime)
}
// Check for a previous SPDY Alternate-Protocol directive
if (gHttpHandler->IsSpdyEnabled()) {
if (gHttpHandler->IsSpdyEnabled() && mAllowSpdy) {
nsCAutoString hostPort;
if (NS_SUCCEEDED(mURI->GetHostPort(hostPort)) &&
@ -519,6 +519,9 @@ nsHttpChannel::SetupTransaction()
}
}
if (!mAllowSpdy)
mCaps |= NS_HTTP_DISALLOW_SPDY;
// use the URI path if not proxying (transparent proxying such as SSL proxy
// does not count here). also, figure out what version we should be speaking.
nsCAutoString buf, path;
@ -4104,7 +4107,7 @@ nsHttpChannel::OnStartRequest(nsIRequest *request, nsISupports *ctxt)
}
if (gHttpHandler->IsSpdyEnabled() && !mCachePump && NS_FAILED(mStatus) &&
(mLoadFlags & LOAD_REPLACE) && mOriginalURI) {
(mLoadFlags & LOAD_REPLACE) && mOriginalURI && mAllowSpdy) {
// For sanity's sake we may want to cancel an alternate protocol
// redirection involving the original host name
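Review bot: `mCaps |= NS_HTTP_DISALLOW_SPDY;` in the second hunk is the line that actually keeps the transaction off SPDY, yet it is the only uncommented addition in a function where the surrounding lines explain themselves; the condition changes in Connect and OnStartRequest only touch the Alternate-Protocol bookkeeping. Suggest `// per-channel opt-out (nsIHttpChannelInternal.allowSpdy); the NPN/Alternate-Protocol path must honour this cap` so the dependency on the connection layer is visible, because whether that cap is consulted at the point where SPDY is negotiated lies outside this diff. The added `mAllowSpdy` in OnStartRequest's condition merely skips the alternate-protocol cancellation for channels that could never have requested one, which is consistent with the Connect change; all three functions start and end outside their hunks.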
@ -53,7 +53,7 @@ interface nsIProxyInfo;
* The callback interface for nsIHttpChannelInternal::HTTPUpgrade()
*/
[scriptable, uuid(5644af88-09e1-4fbd-83da-f012b3b30180)]
[scriptable, uuid(4b967b6d-cd1c-49ae-a457-23ff76f5a2e8)]
interface nsIHttpUpgradeListener : nsISupports
{
void onTransportAvailable(in nsISocketTransport aTransport,
@ -181,4 +181,11 @@ interface nsIHttpChannelInternal : nsISupports
void HTTPUpgrade(in ACString aProtocolName,
in nsIHttpUpgradeListener aListener);
/**
* Enable/Disable Spdy negotiation on per channel basis.
* The network.http.spdy.enabled preference is still a pre-requisite
* for starting spdy.
*/
attribute boolean allowSpdy;
};
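Review bot: The uuid revved in the first hunk (`5644af88-…` replaced by `4b967b6d-…`) sits directly above `interface nsIHttpUpgradeListener : nsISupports`, whose declaration is unchanged, while the interface that gains a member in the second hunk, nsIHttpChannelInternal, keeps its uuid as far as this diff shows. Adding `attribute boolean allowSpdy` changes that interface's binary layout, so unless its uuid is revved in a part of the commit not shown here, consumers built against the old layout will still QI successfully for an interface that no longer matches what they expect. Move the fresh uuid to the `[scriptable, uuid(...)]` line immediately above `interface nsIHttpChannelInternal : nsISupports` (e.g. `[scriptable, uuid(<NEW-UUID-PLACEHOLDER>)]`, newly generated) and restore the upgrade-listener uuid if that interface is indeed untouched.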
@ -53,6 +53,7 @@
#include "nsProxyRelease.h"
#include "PSMRunnable.h"
#include "nsIConsoleService.h"
#include "nsIHttpChannelInternal.h"
#include "ssl.h"
#include "ocsp.h"
@ -133,6 +134,16 @@ nsHTTPDownloadEvent::Run()
NS_ENSURE_SUCCESS(rv, rv);
}
// Do not use SPDY for internal security operations. It could result
// in the silent upgrade to ssl, which in turn could require an SSL
// operation to fufill something like a CRL fetch, which is an
// endless loop.
nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
if (internalChannel) {
rv = internalChannel->SetAllowSpdy(false);
NS_ENSURE_SUCCESS(rv, rv);
}
nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
NS_ENSURE_STATE(hchan);
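Review bot: The `if (internalChannel)` guard in the second hunk makes the loop avoidance best-effort: a channel that answers nsIHttpChannel (which the following `NS_ENSURE_STATE(hchan)` demands) but not nsIHttpChannelInternal would continue with SPDY still allowed, and the fetch would run with exactly the risk the new comment describes. Since the function already fails hard on a missing nsIHttpChannel, treat a missing internal interface the same way: keep `nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);`, replace the conditional with `NS_ENSURE_STATE(internalChannel);`, and call `rv = internalChannel->SetAllowSpdy(false);` unconditionally. The hunk ends before the channel is opened, so the requirement that SetAllowSpdy run before AsyncOpen is inferred rather than visible; the comment's `fufill` is also a typo for `fulfill`.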