Side by Side Diff: net/base/net_util.cc

Issue 770343003: Block port 443 for all protocols other than HTTPS or WSS. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add link to issue in comment next to port 443 on the (default) blocked list. Created 6 years ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/net_util.h" 5 #include "net/base/net_util.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <string.h> 8 #include <string.h>
9 9
10 #include <algorithm> 10 #include <algorithm>
100 113, // auth 100 113, // auth
101 115, // sftp 101 115, // sftp
102 117, // uucp-path 102 117, // uucp-path
103 119, // nntp 103 119, // nntp
104 123, // NTP 104 123, // NTP
105 135, // loc-srv /epmap 105 135, // loc-srv /epmap
106 139, // netbios 106 139, // netbios
107 143, // imap2 107 143, // imap2
108 179, // BGP 108 179, // BGP
109 389, // ldap 109 389, // ldap
110 443, // https / wss (see https://crbug.com/436451)
110 465, // smtp+ssl 111 465, // smtp+ssl
111 512, // print / exec 112 512, // print / exec
112 513, // login 113 513, // login
113 514, // shell 114 514, // shell
114 515, // printer 115 515, // printer
115 526, // tempo 116 526, // tempo
116 530, // courier 117 530, // courier
117 531, // chat 118 531, // chat
118 532, // netnews 119 532, // netnews
119 540, // uucp 120 540, // uucp
120 556, // remotefs 121 556, // remotefs
121 563, // nntp+ssl 122 563, // nntp+ssl
122 587, // stmp? 123 587, // stmp?
123 601, // ?? 124 601, // ??
124 636, // ldap+ssl 125 636, // ldap+ssl
125 993, // ldap+ssl 126 993, // ldap+ssl
126 995, // pop3+ssl 127 995, // pop3+ssl
mmenke 2014/12/05 21:44:40 Per discussion on the bug, wonder if we should be
davidben 2014/12/05 21:48:07 That would probably break stuff. I know of at leas
mmenke 2014/12/05 21:54:29 We could have a "This link is in direct violation
127 2049, // nfs 128 2049, // nfs
128 3659, // apple-sasl / PasswordServer 129 3659, // apple-sasl / PasswordServer
129 4045, // lockd 130 4045, // lockd
130 6000, // X11 131 6000, // X11
131 6665, // Alternate IRC [Apple addition] 132 6665, // Alternate IRC [Apple addition]
132 6666, // Alternate IRC [Apple addition] 133 6666, // Alternate IRC [Apple addition]
133 6667, // Standard IRC [Apple addition] 134 6667, // Standard IRC [Apple addition]
134 6668, // Alternate IRC [Apple addition] 135 6668, // Alternate IRC [Apple addition]
135 6669, // Alternate IRC [Apple addition] 136 6669, // Alternate IRC [Apple addition]
136 0xFFFF, // Used to block all invalid port numbers (see 137 0xFFFF, // Used to block all invalid port numbers (see
137 // third_party/WebKit/Source/platform/weborigin/KURL.cpp, 138 // third_party/WebKit/Source/platform/weborigin/KURL.cpp,
138 // KURL::port()) 139 // KURL::port())
139 }; 140 };
140 141
141 // FTP overrides the following restricted ports. 142 // FTP overrides the following restricted ports.
142 static const int kAllowedFtpPorts[] = { 143 static const int kAllowedFtpPorts[] = {
143 21, // ftp data 144 21, // ftp data
144 22, // ssh 145 22, // ssh
145 }; 146 };
146 147
148 // HTTPS and WSS override the following restricted port.
149 static const int kAllowedHttpsOrWssPorts[] = {
150 443, // https / wss
151 };
152
147 bool IPNumberPrefixCheck(const IPAddressNumber& ip_number, 153 bool IPNumberPrefixCheck(const IPAddressNumber& ip_number,
148 const unsigned char* ip_prefix, 154 const unsigned char* ip_prefix,
149 size_t prefix_length_in_bits) { 155 size_t prefix_length_in_bits) {
150 // Compare all the bytes that fall entirely within the prefix. 156 // Compare all the bytes that fall entirely within the prefix.
151 int num_entire_bytes_in_prefix = prefix_length_in_bits / 8; 157 int num_entire_bytes_in_prefix = prefix_length_in_bits / 8;
152 for (int i = 0; i < num_entire_bytes_in_prefix; ++i) { 158 for (int i = 0; i < num_entire_bytes_in_prefix; ++i) {
153 if (ip_number[i] != ip_prefix[i]) 159 if (ip_number[i] != ip_prefix[i])
154 return false; 160 return false;
155 } 161 }
156 162
313 int array_size = arraysize(kAllowedFtpPorts); 319 int array_size = arraysize(kAllowedFtpPorts);
314 for (int i = 0; i < array_size; i++) { 320 for (int i = 0; i < array_size; i++) {
315 if (kAllowedFtpPorts[i] == port) { 321 if (kAllowedFtpPorts[i] == port) {
316 return true; 322 return true;
317 } 323 }
318 } 324 }
319 // Port not explicitly allowed by FTP, so return the default restrictions. 325 // Port not explicitly allowed by FTP, so return the default restrictions.
320 return IsPortAllowedByDefault(port); 326 return IsPortAllowedByDefault(port);
321 } 327 }
322 328
329 bool IsPortAllowedByHttpsOrWss(int port) {
330 int array_size = arraysize(kAllowedHttpsOrWssPorts);
PhistucK 2014/12/05 09:02:30 Just a drive by - Should this (and similar cases)
331 for (int i = 0; i < array_size; i++) {
332 if (kAllowedHttpsOrWssPorts[i] == port) {
333 return true;
mmenke 2014/12/05 21:44:40 Indent here is wrong.
334 }
335 }
336 // Port not explicitly allowed by HTTPS or WSS, so return the default
337 // restrictions.
338 return IsPortAllowedByDefault(port);
339 }
340
341 bool IsEffectivePortAllowedByScheme(const GURL& url) {
342 int port = url.EffectiveIntPort();
343 if (url.SchemeIs("ftp")) {
344 return IsPortAllowedByFtp(port);
345 } else if (url.SchemeIs("https") || url.SchemeIs("wss")) {
346 return IsPortAllowedByHttpsOrWss(port);
347 } else {
348 return IsPortAllowedByDefault(port);
349 }
350 }
351
323 bool IsPortAllowedByOverride(int port) { 352 bool IsPortAllowedByOverride(int port) {
324 if (g_explicitly_allowed_ports.Get().empty()) 353 if (g_explicitly_allowed_ports.Get().empty())
325 return false; 354 return false;
326 355
327 return g_explicitly_allowed_ports.Get().count(port) > 0; 356 return g_explicitly_allowed_ports.Get().count(port) > 0;
328 } 357 }
329 358
330 int SetNonBlocking(int fd) { 359 int SetNonBlocking(int fd) {
331 #if defined(OS_WIN) 360 #if defined(OS_WIN)
332 unsigned long no_block = 1; 361 unsigned long no_block = 1;
1056 1085
1057 unsigned MaskPrefixLength(const IPAddressNumber& mask) { 1086 unsigned MaskPrefixLength(const IPAddressNumber& mask) {
1058 IPAddressNumber all_ones(mask.size(), 0xFF); 1087 IPAddressNumber all_ones(mask.size(), 0xFF);
1059 return CommonPrefixLength(mask, all_ones); 1088 return CommonPrefixLength(mask, all_ones);
1060 } 1089 }
1061 1090
1062 ScopedWifiOptions::~ScopedWifiOptions() { 1091 ScopedWifiOptions::~ScopedWifiOptions() {
1063 } 1092 }
1064 1093
1065 } // namespace net 1094 } // namespace net
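Review bot: Adding 443 to kRestrictedPorts (new line 110) changes what IsPortAllowedByDefault returns for every caller, not only those routed through the new IsEffectivePortAllowedByScheme (new lines 341-350), so any remaining direct call that hands it the port of an https or wss URL will now refuse 443; the list entry's comment should make that dependency explicit, e.g. `443, // https / wss (see https://crbug.com/436451); check via IsEffectivePortAllowedByScheme`. IsEffectivePortAllowedByScheme itself has no comment, and it deserves one stating that it tests the effective port (the scheme's default when the URL gives none) and that every scheme other than ftp, https and wss, including plain ws, falls through to the default restrictions, since that fall-through is the point of the change. It would also help to note there that IsPortAllowedByOverride is not consulted on this path, if that is intentional, because a reader comparing it with IsPortAllowedByDefault will wonder; I cannot see the header or the callers from this page, so the set of remaining direct callers is inferred.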