From 500a65993b8054feec5ff74a57f446722c2564de Mon Sep 17 00:00:00 2001
From: s30028044
Date: Sat, 9 Mar 2024 21:43:47 +0800
Subject: [PATCH] CVE-2023-23602
---
 dom/websocket/WebSocket.cpp | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp
index 741f7b4c05..3786788f9e 100644
--- a/dom/websocket/WebSocket.cpp
+++ b/dom/websocket/WebSocket.cpp
@@ -152,7 +152,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor,
 bool IsTargetThread() const;
 nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
- nsIPrincipal* aPrincipal, bool aIsServerSide,
+ nsIPrincipal* aPrincipal, const Maybe& aClientInfo,
+ nsICSPEventListener* aCSPEventListener, bool aIsServerSide,
 const nsAString& aURL, nsTArray& aProtocolArray, const nsACString& aScriptFile, uint32_t aScriptLine, uint32_t aScriptColumn);
@@ -1082,12 +1083,14 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable {
 class InitRunnable final : public WebSocketMainThreadRunnable {
 public:
 InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl,
+ const Maybe& aClientInfo,
 bool aIsServerSide, const nsAString& aURL, nsTArray& aProtocolArray, const nsACString& aScriptFile, uint32_t aScriptLine, uint32_t aScriptColumn)
 : WebSocketMainThreadRunnable(aWorkerPrivate, "WebSocket :: init"_ns),
 mImpl(aImpl),
+ mClientInfo(aClientInfo),
 mIsServerSide(aIsServerSide),
 mURL(aURL),
 mProtocolArray(aProtocolArray),
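Review bot: The two parameters added to the `WebSocketImpl::Init` declaration, `aClientInfo` and `aCSPEventListener`, are undocumented, and nothing at the declaration tells a caller which values are acceptable. The main-thread constructor later in this patch passes `Nothing()` and `nullptr`, and the `Init` body installs the listener only when it is non-null, so both are effectively optional. I would add above the declaration: `// aClientInfo: client of the worker creating the socket (Nothing() for window-owned sockets), forwarded to the content-policy check so it can reach that worker's CSP; aCSPEventListener: optional sink for violations found by that check.` The wording about reaching the worker's CSP is inferred from the CVE in the subject and should be confirmed against the CSP service. The class body continues outside the hunk.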
@@ -1117,10 +1120,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
 return true;
 }
- mErrorCode =
- mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(),
- doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray,
- mScriptFile, mScriptLine, mScriptColumn);
+ mErrorCode = mImpl->Init(
+ jsapi.cx(), mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(),
+ mClientInfo, mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
+ mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
 return true;
 }
@@ -1130,7 +1133,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
 mErrorCode = mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(),
- aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL,
+ aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo,
+ mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
 mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
 return true;
 }
@@ -1138,6 +1142,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
 // Raw pointer. This worker runnable runs synchronously.
 WebSocketImpl* mImpl;
+ Maybe mClientInfo;
 bool mIsServerSide;
 const nsAString& mURL;
 nsTArray& mProtocolArray;
@@ -1318,8 +1323,8 @@ already_AddRefed WebSocket::ConstructorCommon(
 }
 aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal,
- !!aTransportProvider, aUrl, protocolArray, ""_ns,
- 0, 0);
+ Nothing(), nullptr, !!aTransportProvider, aUrl,
+ protocolArray, ""_ns, 0, 0);
 if (NS_WARN_IF(aRv.Failed())) {
 return nullptr;
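Review bot: The new `Maybe mClientInfo` member of `InitRunnable` is stored as a copy while its neighbours `mURL` and `mProtocolArray` are references, and the only comment in the block explains the raw `mImpl` pointer, not why this one differs. Since the runnable is built on the worker thread and read on the main thread, copying the client info is the safe choice; I would say so: `// Copied, not referenced: the client info is captured on the worker thread and read by Init on the main thread.` The class body continues outside the hunk.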
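Review bot: The main-thread call to `webSocketImpl->Init` in `ConstructorCommon` now passes `Nothing(), nullptr` for the client info and CSP listener with no comment, so a reader cannot tell whether this is a deliberate "no worker client" case or an omission. From the `Init` body later in the patch the content-policy check still receives `originDoc`, so presumably a window-owned socket relies on its document for CSP enforcement; if that is the intent, say so: `// Window-owned socket: no worker client or listener; the CSP check uses the owning document (originDoc) in Init instead.` If `ConstructorCommon` can be reached on the main thread from a global that is not a window, that path would get neither a client nor a document and deserves a check. `ConstructorCommon` starts and ends outside the hunk.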
@@ -1344,8 +1349,9 @@ already_AddRefed WebSocket::ConstructorCommon(
 }
 RefPtr runnable = new InitRunnable(
- workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray,
- nsDependentCString(file.get()), lineno, column);
+ workerPrivate, webSocketImpl,
+ workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider,
+ aUrl, protocolArray, nsDependentCString(file.get()), lineno, column);
 runnable->Dispatch(Canceling, aRv);
 if (NS_WARN_IF(aRv.Failed())) {
 return nullptr;
@@ -1526,8 +1532,10 @@ void WebSocket::DisconnectFromOwner() {
 //-----------------------------------------------------------------------------
 nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
- nsIPrincipal* aPrincipal, bool aIsServerSide,
- const nsAString& aURL,
+ nsIPrincipal* aPrincipal,
+ const Maybe& aClientInfo,
+ nsICSPEventListener* aCSPEventListener,
+ bool aIsServerSide, const nsAString& aURL
 nsTArray& aProtocolArray, const nsACString& aScriptFile, uint32_t aScriptLine, uint32_t aScriptColumn) {
@@ -1624,8 +1632,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
 aPrincipal, // loading principal
 aPrincipal, // triggering principal
 originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
- nsIContentPolicy::TYPE_WEBSOCKET);
+ nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
+ if (aCSPEventListener) {
+ secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
+ }
 int16_t shouldLoad = nsIContentPolicy::ACCEPT;
 rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, ""_ns, &shouldLoad, nsContentUtils::GetContentPolicy());
-- 
2.27.0
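Review bot: In the new definition of `WebSocketImpl::Init`, the added line `bool aIsServerSide, const nsAString& aURL` has no trailing comma before the unchanged `nsTArray& aProtocolArray` line, so as shown here the definition does not compile; the removed line `const nsAString& aURL,` had one, and the declaration hunk earlier in the patch keeps it. The fix is `bool aIsServerSide, const nsAString& aURL,`. If the comma was lost when this patch was transcribed rather than in the commit itself this does not apply, but the file cannot be built from the text as shown. The function body continues outside the hunk.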
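Review bot: The new `if (aCSPEventListener)` block in `WebSocketImpl::Init` lacks a comment explaining why a listener is attached to a load info that exists only for the explicit content-policy check (`SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK`). The worker callers in this patch pass `mWorkerPrivate->CSPEventListener()` and the main-thread caller passes `nullptr`, so I would add: `// Worker-created sockets supply the worker's listener so violations found by this check are reported to it; window-owned sockets pass nullptr.` Whether the main-thread case is reported through originDoc is not visible in this hunk and should be confirmed. The function continues outside the hunk.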