[Webkit-unassigned] [Bug 126384] [SOUP] WebSockets must use system proxy settings

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 8 04:30:45 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=126384

--- Comment #29 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to Michael Catanzaro from comment #27)
> Comment on attachment 330537 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=330537&action=review
> 
> Thanks for fixing this exceptionally serious issue.
> 
> We definitely need to request a CVE. I can handle that.
> 
> How hard would it be to extend testWebContextProxySettings in
> TestWebKitWebContext.cpp to test this?
> 
> > Source/WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp:58
> > +#if SOUP_CHECK_VERSION(2, 61, 2)
> 
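Review bot: `SOUP_CHECK_VERSION(2, 61, 2)` at SocketStreamHandleImplSoup.cpp:58 is evaluated at compile time, so the build environment alone decides whether the guarded code exists in the binary. The branch taken when the check fails is not visible in this quote; a comment at the guard stating what that branch does with the proxy settings, and why, would make the fallback explicit to anyone building against an older libsoup.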
> I see a few different options here:
> 
>  (a) We could stick with what you implemented. But I suggest we do not allow
> web socket connections to ignore proxy settings under any circumstances,
> certainly not just because libsoup is too old.
>  (b) We could ignore our usual dependency policy and require newer libsoup.
> This would be justified by the severity of this issue. We'd have to send a
> notice and apology to distributors-list and inform them of the need to
> update libsoup. Debian would probably refuse. Not great.
>  (c) We could disable WebSocket support if libsoup is not new enough. This
> will break loads of websites.
>  (d) We could disable WebSocket support if libsoup is not new enough *and* a
> system proxy is configured. Websites only break if a proxy is configured.
> 
> (d) seems like the best approach to me. What do you think? If we go with (a)
> or (b) or (c), then we'll certainly need to backport your new API to
> libsoup 2.60. But I'm OK with temporarily breaking web sockets for proxy
> users, so we wouldn't need to do that if we take approach (d).

I don't think we should backport any new API to libsoup stable branches. I'm not sure it's possible to do d) either; there might be proxy settings that are acceptable, for example if the websockets host used is blacklisted, or if only an https proxy is used. We would need to check the actual proxy settings to decide whether to allow the websocket connection or not.
