Block port 443 for all protocols other than HTTPS or WSS.

net/base/net_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/net_util.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <algorithm>
@@ skipping 89 matching lines @@
   113,  // auth
   115,  // sftp
   117,  // uucp-path
   119,  // nntp
   123,  // NTP
   135,  // loc-srv /epmap
   139,  // netbios
   143,  // imap2
   179,  // BGP
   389,  // ldap
+  443,  // https / wss

[davidben, 2014/12/03 20:16:11]

Would be good to have a comment or bug reference here and/or at line 148.
Without knowing (or having forgotten) the context, it would be very confusing to
me why http://blah:443 is forbidden, but https://blah:80 isn't.

I dunno what our story is for CLs (which are public once landed) having
explanations of security-relevant bugs in the comments. You may need to ask
someone on security. I suppose a bug reference isn't going to be any more
interesting than the commit message. (Also your commit message explains the bug
anyway.)

[lgarron, 2014/12/04 01:16:12]

After talking with Chris Palmer/Mike West, I'm going to make this patch (and the
corresponding issue) public

Adding a comment to this line, though.

   465,  // smtp+ssl
   512,  // print / exec
   513,  // login
   514,  // shell
   515,  // printer
   526,  // tempo
   530,  // courier
   531,  // chat
   532,  // netnews
   540,  // uucp
@@ skipping 17 matching lines @@
           // third_party/WebKit/Source/platform/weborigin/KURL.cpp,
           // KURL::port())
 };
 
 // FTP overrides the following restricted ports.
 static const int kAllowedFtpPorts[] = {
   21,   // ftp data
   22,   // ssh
 };
 
+// HTTPS and WSS override the following restricted port.
+static const int kAllowedHttpsOrWssPorts[] = {
+  443,  // https / wss
+};
+
 bool IPNumberPrefixCheck(const IPAddressNumber& ip_number,
                          const unsigned char* ip_prefix,
                          size_t prefix_length_in_bits) {
   // Compare all the bytes that fall entirely within the prefix.
   int num_entire_bytes_in_prefix = prefix_length_in_bits / 8;
   for (int i = 0; i < num_entire_bytes_in_prefix; ++i) {
     if (ip_number[i] != ip_prefix[i])
       return false;
   }
 
@@ skipping 156 matching lines @@
   int array_size = arraysize(kAllowedFtpPorts);
   for (int i = 0; i < array_size; i++) {
     if (kAllowedFtpPorts[i] == port) {
         return true;
     }
   }
   // Port not explicitly allowed by FTP, so return the default restrictions.
   return IsPortAllowedByDefault(port);
 }
 
+bool IsPortAllowedByHttpsOrWss(int port) {
+  int array_size = arraysize(kAllowedHttpsOrWssPorts);
+  for (int i = 0; i < array_size; i++) {
+    if (kAllowedHttpsOrWssPorts[i] == port) {
+        return true;

[davidben, 2014/12/03 20:16:11]

Nit: 2 spaces.

+    }
+  }
+  // Port not explicitly allowed by HTTPS or WSS, so return the default
+  // restrictions.
+  return IsPortAllowedByDefault(port);
+}
+
+bool IsEffectivePortAllowedByScheme(const GURL& url) {
+  int port = url.EffectiveIntPort();
+  if (url.SchemeIs("ftp")) {
+    return IsPortAllowedByFtp(port);
+  } else if (url.SchemeIs("https") || url.SchemeIs("wss")) {
+    return IsPortAllowedByHttpsOrWss(port);
+  } else {
+    return IsPortAllowedByDefault(port);
+  }
+}
+
 bool IsPortAllowedByOverride(int port) {
   if (g_explicitly_allowed_ports.Get().empty())
     return false;
 
   return g_explicitly_allowed_ports.Get().count(port) > 0;
 }
 
 int SetNonBlocking(int fd) {
 #if defined(OS_WIN)
   unsigned long no_block = 1;
@@ skipping 723 matching lines @@
 
 unsigned MaskPrefixLength(const IPAddressNumber& mask) {
   IPAddressNumber all_ones(mask.size(), 0xFF);
   return CommonPrefixLength(mask, all_ones);
 }
 
 ScopedWifiOptions::~ScopedWifiOptions() {
 }
 
 }  // namespace net