From d3c3d7483efc6da75e40f37c1f36525b8663d3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Br=C3=BCning?= Date: Tue, 18 Apr 2023 14:49:55 +0000 Subject: Revert "[Backport] CVE-2023-0704: Insufficient policy enforcement in DevTools" This reverts commit 0717211ca9d7ee2dcc17a7964170d633aafcfb98. Reason for revert: It is causing trouble with the inspector and it is low impact and should not matter for production use cases. Change-Id: If85063ed8cfa8b8cf754d4c958da6e540d87e44a Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/472951 Reviewed-by: Michal Klocek --- .../browser/devtools/devtools_http_handler.cc | 29 ---------------------- .../browser/devtools/devtools_http_handler.h | 3 --- chromium/content/public/common/content_switches.cc | 4 --- chromium/content/public/common/content_switches.h | 1 - 4 files changed, 37 deletions(-) diff --git a/chromium/content/browser/devtools/devtools_http_handler.cc b/chromium/content/browser/devtools/devtools_http_handler.cc index 6da55042282..78e4d0a6b13 100644 --- a/chromium/content/browser/devtools/devtools_http_handler.cc +++ b/chromium/content/browser/devtools/devtools_http_handler.cc @@ -10,7 +10,6 @@ #include #include "base/bind.h" -#include "base/command_line.h" #include "base/compiler_specific.h" #include "base/files/file_util.h" #include "base/guid.h" @@ -39,7 +38,6 @@ #include "content/public/browser/devtools_manager_delegate.h" #include "content/public/browser/devtools_socket_factory.h" #include "content/public/common/content_client.h" -#include "content/public/common/content_switches.h" #include "content/public/common/url_constants.h" #include "content/public/common/user_agent.h" #include "net/base/io_buffer.h" 
@@ -754,13 +752,6 @@ void DevToolsHttpHandler::OnWebSocketRequest( if (!thread_) return; - if (request.headers.count("origin") && - !remote_allow_origins_.count(request.headers.at("origin")) && - !remote_allow_origins_.count("*")) { - Send403(connection_id); - return; - } - if (base::StartsWith(request.path, browser_guid_, base::CompareCase::SENSITIVE)) { scoped_refptr browser_agent = @@ -832,14 +823,6 @@ DevToolsHttpHandler::DevToolsHttpHandler( output_directory, debug_frontend_dir, browser_guid_, delegate_->HasBundledFrontendResources())); } - std::string remote_allow_origins = base::ToLowerASCII( - base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII( - switches::kRemoteAllowOrigins)); - - auto origins = - base::SplitString(remote_allow_origins, ",", base::TRIM_WHITESPACE, - base::SPLIT_WANT_NONEMPTY); - remote_allow_origins_.insert(origins.begin(), origins.end()); } void DevToolsHttpHandler::ServerStarted( @@ -899,18 +882,6 @@ void DevToolsHttpHandler::Send404(int connection_id) { base::Unretained(server_wrapper_.get()), connection_id)); } -void DevToolsHttpHandler::Send403(int connection_id) { - if (!thread_) { - return; - } - net::HttpServerResponseInfo response(net::HTTP_FORBIDDEN); - response.SetBody(std::string(), "text/html"); - thread_->task_runner()->PostTask( - FROM_HERE, base::BindOnce(&ServerWrapper::SendResponse, - base::Unretained(server_wrapper_.get()), - connection_id, response)); -} - void DevToolsHttpHandler::Send500(int connection_id, const std::string& message) { if (!thread_) diff --git a/chromium/content/browser/devtools/devtools_http_handler.h b/chromium/content/browser/devtools/devtools_http_handler.h index 088e6c6c065..04a4905eb43 100644 --- a/chromium/content/browser/devtools/devtools_http_handler.h +++ b/chromium/content/browser/devtools/devtools_http_handler.h @@ -7,7 +7,6 @@ #include #include -#include #include #include "base/files/file_path.h" 
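Review bot: With the Origin comparison removed at the top of `OnWebSocketRequest`, the new side accepts a WebSocket upgrade from any origin once `thread_` is set, which is the gap the reverted CVE-2023-0704 backport closed. The commit message rates this as low impact, which presumably rests on the remote debugging port never being enabled in production; that assumption should be recorded at the call site, e.g. `// NOTE: no Origin validation on WebSocket upgrades (CVE-2023-0704 backport reverted); remote debugging must stay off outside development.` If the inspector trouble was its own origin being rejected (not stated in the commit), a narrower fix would keep the check and have the embedder supply that origin through the `remote-allow-origins` switch. The related removals of the allow-list parsing in the constructor and of `Send403` follow from the same decision. The body of `OnWebSocketRequest` continues outside the hunk.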
@@ -91,7 +90,6 @@ class DevToolsHttpHandler { const std::string& data, const std::string& mime_type); void Send404(int connection_id); - void Send403(int connection_id); void Send500(int connection_id, const std::string& message); void AcceptWebSocket(int connection_id, @@ -108,7 +106,6 @@ class DevToolsHttpHandler { base::Value SerializeDescriptor(scoped_refptr agent_host, const std::string& host); - std::set remote_allow_origins_; // The thread used by the devtools handler to run server socket. std::unique_ptr thread_; std::string browser_guid_; diff --git a/chromium/content/public/common/content_switches.cc b/chromium/content/public/common/content_switches.cc index 9ed247ee1f4..663327f0bae 100644 --- a/chromium/content/public/common/content_switches.cc +++ b/chromium/content/public/common/content_switches.cc @@ -673,10 +673,6 @@ const char kRemoteDebuggingPipe[] = "remote-debugging-pipe"; // Enables remote debug over HTTP on the specified port. const char kRemoteDebuggingPort[] = "remote-debugging-port"; -// Enables web socket connections from the specified origins only. '*' allows -// any origin. -const char kRemoteAllowOrigins[] = "remote-allow-origins"; - const char kRendererClientId[] = "renderer-client-id"; // The contents of this flag are prepended to the renderer command line. diff --git a/chromium/content/public/common/content_switches.h b/chromium/content/public/common/content_switches.h index f28b45ab83f..f520e6f25de 100644 --- a/chromium/content/public/common/content_switches.h +++ b/chromium/content/public/common/content_switches.h 
@@ -195,7 +195,6 @@ CONTENT_EXPORT extern const char kReduceUserAgentPlatformOsCpu[];
 CONTENT_EXPORT extern const char kRegisterPepperPlugins[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPipe[];
 CONTENT_EXPORT extern const char kRemoteDebuggingPort[];
-CONTENT_EXPORT extern const char kRemoteAllowOrigins[];
 CONTENT_EXPORT extern const char kRendererClientId[];
 extern const char kRendererCmdPrefix[];
 CONTENT_EXPORT extern const char kRendererProcess[];
-- cgit v1.2.1