Changeset 185320 in webkit

Timestamp:

Jun 8, 2015 9:17:39 AM (9 years ago)

Author:

Michael Catanzaro

Message:

[SOUP] Performs DNS prefetch when a proxy is configured (information leak)
​https://bugs.webkit.org/show_bug.cgi?id=145542

Reviewed by Alexey Proskuryakov.

Source/WebCore:

No new tests, because it's hard to test whether a DNS request has been sent. We could do
this by adding new API to modify the GProxyResolver and GResolver used by the SoupSession in
the network process, but even if such API were desirable, it would be a big job. Tests
should not be allowed to dictate our public API.

• platform/network/DNSResolveQueue.cpp:

(WebCore::DNSResolveQueue::add): Do not check whether the system is using a proxy, since
this can't be determined for all ports here.
(WebCore::DNSResolveQueue::timerFired): Do not check whether the system is using a proxy,
since this can't be determined for all ports here.
(WebCore::DNSResolveQueue::DNSResolveQueue): Remove member variables and member functions
that are only needed by the CF backend. Rename platformResolve to
platformMaybeResolveHost.
(WebCore::DNSResolveQueue::isUsingProxy): Moved to DNSCFNet.cpp.

• platform/network/DNSResolveQueue.h: Remove member variables that are only needed by the

CF backend.

• platform/network/cf/DNSCFNet.cpp:

(WebCore::proxyIsEnabledInSystemPreferences): Renamed from
platformProxyIsEnabledInSystemPreferences.
(WebCore::isUsingProxy): Moved from DNSResolveQueue.cpp. The member variables removed from
DNSResolveQueue are not static here. This is safe since it's a singleton.
(WebCore::DNSResolveQueue::platformMaybeResolveHost): Renamed from platformResolve.
Bail early from here if a proxy is configured.
(WebCore::DNSResolveQueue::platformProxyIsEnabledInSystemPreferences): Renamed to
proxyIsEnabledInSystemPreferences.
(WebCore::DNSResolveQueue::platformResolve): Renamed to platformMaybeResolveHost.

• platform/network/soup/DNSSoup.cpp:

(WebCore::gotProxySettingsCallback): Added. Call soup_session_prefetch_dns from here only
if a proxy would not be used to resolve the host.
(WebCore::DNSResolveQueue::platformMaybeResolveHost): Renamed from platformResolve.
Look up proxy settings using g_proxy_resolver_lookup_async rather than calling
soup_session_prefetch_dns directly.
(WebCore::DNSResolveQueue::platformProxyIsEnabledInSystemPreferences): Deleted.
(WebCore::DNSResolveQueue::platformResolve): Renamed to platformMaybeResolveHost.

Source/WebKit2:

Add documentation to webkit_web_context_prefetch_dns to indicate that the function does
nothing if the system configuration indicates we should use a proxy to resolve the host.

• UIProcess/API/gtk/WebKitWebContext.cpp:

Source/WTF:

Add template specialization for GUniquePtr<char*>. This smart pointer will free its data
with g_strfreev() (as opposed to g_free(), which is used for GUniquePtr<char>).

• wtf/gobject/GUniquePtr.h:

Location:

trunk/Source

Files:

• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/gobject/GUniquePtr.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/platform/network/DNSResolveQueue.cpp (modified) (5 diffs)
• WebCore/platform/network/DNSResolveQueue.h (modified) (2 diffs)
• WebCore/platform/network/cf/DNSCFNet.cpp (modified) (4 diffs)
• WebCore/platform/network/soup/DNSSoup.cpp (modified) (2 diffs)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp (modified) (1 diff)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2015-06-08  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [SOUP] Performs DNS prefetch when a proxy is configured (information leak)
+        https://bugs.webkit.org/show_bug.cgi?id=145542
+
+        Reviewed by Alexey Proskuryakov.
+
+        Add template specialization for GUniquePtr<char*>. This smart pointer will free its data
+        with g_strfreev() (as opposed to g_free(), which is used for GUniquePtr<char>).
+
+        * wtf/gobject/GUniquePtr.h:
+
 2015-06-05  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WTF/wtf/gobject/GUniquePtr.h

@@ -44 +44 @@
     macro(GDir, g_dir_close) \
     macro(GTimer, g_timer_destroy) \
-    macro(GKeyFile, g_key_file_free)
+    macro(GKeyFile, g_key_file_free) \
+    macro(char*, g_strfreev)
 
 #define WTF_DEFINE_GPTR_DELETER(typeName, deleterFunc) \

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-06-08  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [SOUP] Performs DNS prefetch when a proxy is configured (information leak)
+        https://bugs.webkit.org/show_bug.cgi?id=145542
+
+        Reviewed by Alexey Proskuryakov.
+
+        No new tests, because it's hard to test whether a DNS request has been sent. We could do
+        this by adding new API to modify the GProxyResolver and GResolver used by the SoupSession in
+        the network process, but even if such API were desirable, it would be a big job. Tests
+        should not be allowed to dictate our public API.
+
+        * platform/network/DNSResolveQueue.cpp:
+        (WebCore::DNSResolveQueue::add): Do not check whether the system is using a proxy, since
+        this can't be determined for all ports here.
+        (WebCore::DNSResolveQueue::timerFired): Do not check whether the system is using a proxy,
+        since this can't be determined for all ports here.
+        (WebCore::DNSResolveQueue::DNSResolveQueue): Remove member variables and member functions
+        that are only needed by the CF backend. Rename platformResolve to
+        platformMaybeResolveHost.
+        (WebCore::DNSResolveQueue::isUsingProxy): Moved to DNSCFNet.cpp.
+        * platform/network/DNSResolveQueue.h: Remove member variables that are only needed by the
+        CF backend.
+        * platform/network/cf/DNSCFNet.cpp:
+        (WebCore::proxyIsEnabledInSystemPreferences): Renamed from
+        platformProxyIsEnabledInSystemPreferences.
+        (WebCore::isUsingProxy): Moved from DNSResolveQueue.cpp. The member variables removed from
+        DNSResolveQueue are not static here. This is safe since it's a singleton.
+        (WebCore::DNSResolveQueue::platformMaybeResolveHost): Renamed from platformResolve.
+        Bail early from here if a proxy is configured.
+        (WebCore::DNSResolveQueue::platformProxyIsEnabledInSystemPreferences): Renamed to
+        proxyIsEnabledInSystemPreferences.
+        (WebCore::DNSResolveQueue::platformResolve): Renamed to platformMaybeResolveHost.
+        * platform/network/soup/DNSSoup.cpp:
+        (WebCore::gotProxySettingsCallback): Added. Call soup_session_prefetch_dns from here only
+        if a proxy would not be used to resolve the host.
+        (WebCore::DNSResolveQueue::platformMaybeResolveHost): Renamed from platformResolve.
+        Look up proxy settings using g_proxy_resolver_lookup_async rather than calling
+        soup_session_prefetch_dns directly.
+        (WebCore::DNSResolveQueue::platformProxyIsEnabledInSystemPreferences): Deleted.
+        (WebCore::DNSResolveQueue::platformResolve): Renamed to platformMaybeResolveHost.
+
 2015-06-08  Hunseop Jeong  <hs85.jeong@samsung.com>
 

trunk/Source/WebCore/platform/network/DNSResolveQueue.cpp

@@ -28 +28 @@
 #include "DNSResolveQueue.h"
 
-#include <wtf/CurrentTime.h>
 #include <wtf/NeverDestroyed.h>
 
@@ -61 +60 @@
     : m_timer(*this, &DNSResolveQueue::timerFired)
     , m_requestsInFlight(0)
-    , m_cachedProxyEnabledStatus(false)
-    , m_lastProxyEnabledStatusCheckTime(0)
 {
-}
-
-bool DNSResolveQueue::isUsingProxy()
-{
-    double time = monotonicallyIncreasingTime();
-    static const double minimumProxyCheckDelay = 5;
-    if (time - m_lastProxyEnabledStatusCheckTime > minimumProxyCheckDelay) {
-        m_lastProxyEnabledStatusCheckTime = time;
-        m_cachedProxyEnabledStatus = platformProxyIsEnabledInSystemPreferences();
-    }
-    return m_cachedProxyEnabledStatus;
 }
 
@@ -81 +67 @@
     // If there are no names queued, and few enough are in flight, resolve immediately (the mouse may be over a link).
     if (!m_names.size()) {
-        if (isUsingProxy())
-            return;
         if (++m_requestsInFlight <= gNamesToResolveImmediately) {
-            platformResolve(hostname);
+            platformMaybeResolveHost(hostname);
             return;
         }
@@ -101 +85 @@
 void DNSResolveQueue::timerFired()
 {
-    if (isUsingProxy()) {
-        m_names.clear();
-        return;
-    }
-
     int requestsAllowed = gMaxSimultaneousRequests - m_requestsInFlight;
 
@@ -111 +90 @@
         ++m_requestsInFlight;
         HashSet<String>::iterator currentName = m_names.begin();
-        platformResolve(*currentName);
+        platformMaybeResolveHost(*currentName);
         m_names.remove(currentName);
     }

trunk/Source/WebCore/platform/network/DNSResolveQueue.h

@@ -51 +51 @@
     DNSResolveQueue();
 
-    bool isUsingProxy();
-
-    bool platformProxyIsEnabledInSystemPreferences();
-    void platformResolve(const String&);
+    // This function performs the actual DNS prefetch. Platforms must ensure that performing the
+    // prefetch will not violate the user's expectations of privacy; for example, if an HTTP proxy
+    // is in use, then performing a DNS lookup would be inappropriate, but this may be acceptable
+    // for other types of proxies (e.g. SOCKS proxies).
+    void platformMaybeResolveHost(const String&);
 
     void timerFired();
@@ -62 +63 @@
     HashSet<String> m_names;
     std::atomic<int> m_requestsInFlight;
-    bool m_cachedProxyEnabledStatus;
-    double m_lastProxyEnabledStatusCheckTime;
 };
 

trunk/Source/WebCore/platform/network/cf/DNSCFNet.cpp

@@ -32 +32 @@
 #include "URL.h"
 #include "Timer.h"
+#include <wtf/CurrentTime.h>
 #include <wtf/HashSet.h>
 #include <wtf/MainThread.h>
@@ -49 +50 @@
 namespace WebCore {
 
-bool DNSResolveQueue::platformProxyIsEnabledInSystemPreferences()
+static bool proxyIsEnabledInSystemPreferences()
 {
     // Don't do DNS prefetch if proxies are involved. For many proxy types, the user agent is never exposed
@@ -76 +77 @@
 }
 
+static bool isUsingProxy()
+{
+    static bool cachedProxyEnabledStatus = false;
+    static double lastProxyEnabledStatusCheckTime = 0;
+    static const double minimumProxyCheckDelay = 5;
+    double time = monotonicallyIncreasingTime();
+    if (time - lastProxyEnabledStatusCheckTime > minimumProxyCheckDelay) {
+        lastProxyEnabledStatusCheckTime = time;
+        cachedProxyEnabledStatus = proxyIsEnabledInSystemPreferences();
+    }
+    return cachedProxyEnabledStatus;
+}
+
 static void clientCallback(CFHostRef theHost, CFHostInfoType, const CFStreamError*, void*)
 {
@@ -82 +96 @@
 }
 
-void DNSResolveQueue::platformResolve(const String& hostname)
+void DNSResolveQueue::platformMaybeResolveHost(const String& hostname)
 {
     ASSERT(isMainThread());
 
     RetainPtr<CFHostRef> host = adoptCF(CFHostCreateWithName(0, hostname.createCFString().get()));
-    if (!host) {
+    if (!host || isUsingProxy()) {
         decrementRequestCount();
         return;

trunk/Source/WebCore/platform/network/soup/DNSSoup.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2008 Apple Inc.  All rights reserved.
- * Copyright (C) 2009, 2012 Igalia S.L.
+ * Copyright (C) 2009, 2012, 2015 Igalia S.L.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 #include <libsoup/soup.h>
 #include <wtf/MainThread.h>
+#include <wtf/gobject/GRefPtr.h>
+#include <wtf/gobject/GUniquePtr.h>
 #include <wtf/text/CString.h>
 
 namespace WebCore {
 
-// There is no current reliable way to know if we're behind a proxy at
-// this level. We'll have to implement it in
-// SoupSession/SoupProxyURIResolver/GProxyResolver
-bool DNSResolveQueue::platformProxyIsEnabledInSystemPreferences()
+static void gotProxySettingsCallback(GObject* sourceObject, GAsyncResult* result, void* userData)
 {
-    return false;
+    GProxyResolver* resolver = G_PROXY_RESOLVER(sourceObject);
+    GUniquePtr<char> hostname(static_cast<char*>(userData));
+    GUniqueOutPtr<GError> error;
+
+    GUniquePtr<char*> uris(g_proxy_resolver_lookup_finish(resolver, result, &error.outPtr()));
+    if (error) {
+        WTFLogAlways("Error determining proxy to use for %s: %s", hostname.get(), error->message);
+        return;
+    }
+
+    // We have a list of possible proxies to use for the URI. If the first item in the list is
+    // direct:// (the usual case), then the user prefers not to use a proxy. This is similar to
+    // resolving hostnames: there could be many possibilities returned in order of preference, and
+    // if we're trying to connect we should attempt each one in order, but here we are not trying
+    // to connect, merely to decide whether a proxy "should" be used.
+    if (uris && *uris.get() && !strcmp(*uris.get(), "direct://")) {
+        soup_session_prefetch_dns(SoupNetworkSession::defaultSession().soupSession(), hostname.get(), nullptr, [](SoupAddress*, guint, void*) {
+            DNSResolveQueue::singleton().decrementRequestCount();
+        }, nullptr);
+    }
 }
 
-static void resolvedCallback(SoupAddress*, guint, void*)
-{
-    DNSResolveQueue::singleton().decrementRequestCount();
-}
-
-void DNSResolveQueue::platformResolve(const String& hostname)
+void DNSResolveQueue::platformMaybeResolveHost(const String& hostname)
 {
     ASSERT(isMainThread());
 
-    soup_session_prefetch_dns(SoupNetworkSession::defaultSession().soupSession(), hostname.utf8().data(), nullptr, resolvedCallback, nullptr);
+    GRefPtr<GProxyResolver> resolver;
+    g_object_get(SoupNetworkSession::defaultSession().soupSession(), "proxy-resolver", &resolver.outPtr(), nullptr);
+    ASSERT_WITH_SECURITY_IMPLICATION(resolver);
+
+    char* uri = g_strdup(hostname.utf8().data()); // Freed by gotProxySettingsCallback.
+    g_proxy_resolver_lookup_async(resolver.get(), uri, nullptr, gotProxySettingsCallback, uri);
 }
 

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2015-06-08  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [SOUP] Performs DNS prefetch when a proxy is configured (information leak)
+        https://bugs.webkit.org/show_bug.cgi?id=145542
+
+        Reviewed by Alexey Proskuryakov.
+
+        Add documentation to webkit_web_context_prefetch_dns to indicate that the function does
+        nothing if the system configuration indicates we should use a proxy to resolve the host.
+
+        * UIProcess/API/gtk/WebKitWebContext.cpp:
+
 2015-06-08  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp

@@ -1045 +1045 @@
  *
  * Resolve the domain name of the given @hostname in advance, so that if a URI
- * of @hostname is requested the load will be performed more quickly.
+ * of @hostname is requested the load will be performed more quickly. This
+ * function does nothing if the system has been configured to use a proxy to
+ * resolve @hostname.
  */
 void webkit_web_context_prefetch_dns(WebKitWebContext* context, const char* hostname)