mirror of
https://forge.fsky.io/oneflux/omegafox.git
synced 2026-02-10 06:52:04 -08:00
c5356e9e41
- Rename /dom/mask -> /camoucfg - Rename auto-pin-extensions.patch -> pin-addons.patch - Remove redundant comment in juggler/content/FrameTree.js
191 lines
7.1 KiB
Diff
191 lines
7.1 KiB
Diff
diff --git a/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp b/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp
|
|
index 5b70a58104..579a620c48 100644
|
|
--- a/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp
|
|
+++ b/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp
|
|
@@ -116,6 +116,8 @@
|
|
|
|
#include "mozilla/dom/BrowserChild.h"
|
|
#include "mozilla/net/WebrtcProxyConfig.h"
|
|
+#include "MaskConfig.hpp"
|
|
+#include "mozilla/RustRegex.h"
|
|
|
|
#ifdef XP_WIN
|
|
// We need to undef the MS macro again in case the windows include file
|
|
@@ -1705,7 +1707,15 @@ PeerConnectionImpl::SetLocalDescription(int32_t aAction, const char* aSDP) {
|
|
}
|
|
};
|
|
|
|
- mLocalRequestedSDP = aSDP;
|
|
+ // Sanitize the SDP to prevent IP leaks
|
|
+ std::string sanitizedSDP(aSDP);
|
|
+ nsresult sanitizeResult = SanitizeSDPForIPLeak(sanitizedSDP);
|
|
+ if (NS_FAILED(sanitizeResult)) {
|
|
+ CSFLogError(LOGTAG, "%s - Failed to sanitize SDP", __FUNCTION__);
|
|
+ return sanitizeResult;
|
|
+ }
|
|
+
|
|
+ mLocalRequestedSDP = sanitizedSDP;
|
|
|
|
SyncToJsep();
|
|
|
|
@@ -3275,12 +3285,22 @@ const std::string& PeerConnectionImpl::GetName() {
|
|
return mName;
|
|
}
|
|
|
|
-void PeerConnectionImpl::CandidateReady(const std::string& candidate,
|
|
+void PeerConnectionImpl::CandidateReady(const std::string& candidate_,
|
|
const std::string& transportId,
|
|
const std::string& ufrag) {
|
|
STAMP_TIMECARD(mTimeCard, "Ice Candidate gathered");
|
|
PC_AUTO_ENTER_API_CALL_VOID_RETURN(false);
|
|
|
|
+ const std::string& candidate = [&]() -> const std::string& {
|
|
+ if (ShouldSpoofCandidateIP()) {
|
|
+ static std::string spoofedCandidate;
|
|
+ spoofedCandidate = SpoofCandidateIP(candidate_);
|
|
+ return spoofedCandidate;
|
|
+ } else {
|
|
+ return candidate_;
|
|
+ }
|
|
+ }();
|
|
+
|
|
if (mForceIceTcp && std::string::npos != candidate.find(" UDP ")) {
|
|
CSFLogWarn(LOGTAG, "Blocking local UDP candidate: %s", candidate.c_str());
|
|
STAMP_TIMECARD(mTimeCard, "UDP Ice Candidate blocked");
|
|
@@ -3343,10 +3363,89 @@ void PeerConnectionImpl::SendLocalIceCandidateToContent(
|
|
uint16_t level, const std::string& mid, const std::string& candidate,
|
|
const std::string& ufrag) {
|
|
STAMP_TIMECARD(mTimeCard, "Send Ice Candidate to content");
|
|
- JSErrorResult rv;
|
|
- mPCObserver->OnIceCandidate(level, ObString(mid.c_str()),
|
|
- ObString(candidate.c_str()),
|
|
- ObString(ufrag.c_str()), rv);
|
|
+
|
|
+ // Check if IP spoofing is enabled
|
|
+ if (ShouldSpoofCandidateIP()) {
|
|
+ std::string spoofedCandidate = SpoofCandidateIP(candidate);
|
|
+ JSErrorResult rv;
|
|
+ mPCObserver->OnIceCandidate(level, ObString(mid.c_str()),
|
|
+ ObString(spoofedCandidate.c_str()),
|
|
+ ObString(ufrag.c_str()), rv);
|
|
+ } else {
|
|
+ JSErrorResult rv;
|
|
+ mPCObserver->OnIceCandidate(level, ObString(mid.c_str()),
|
|
+ ObString(candidate.c_str()),
|
|
+ ObString(ufrag.c_str()), rv);
|
|
+ }
|
|
+}
|
|
+
|
|
+bool PeerConnectionImpl::ShouldSpoofCandidateIP() const {
|
|
+ // Checks if either webrtc:ipv4 or webrtc:ipv6 is set in the config
|
|
+ return MaskConfig::GetString("webrtc:ipv4").has_value() ||
|
|
+ MaskConfig::GetString("webrtc:ipv6").has_value();
|
|
+}
|
|
+
|
|
+nsresult PeerConnectionImpl::SanitizeSDPForIPLeak(std::string& sdp) {
|
|
+ auto replaceIP = [&sdp](const char* pattern, const char* pref) {
|
|
+ if (auto value = MaskConfig::GetString(pref)) {
|
|
+ mozilla::RustRegex regex(pattern);
|
|
+ if (regex.IsValid()) {
|
|
+ std::string result;
|
|
+ auto iter = regex.IterMatches(sdp);
|
|
+ size_t lastEnd = 0;
|
|
+ while (auto match = iter.Next()) {
|
|
+ result.append(sdp, lastEnd, match->start - lastEnd);
|
|
+ result.append(value.value());
|
|
+ lastEnd = match->end;
|
|
+ }
|
|
+ result.append(sdp, lastEnd);
|
|
+ sdp = std::move(result);
|
|
+ }
|
|
+ }
|
|
+ };
|
|
+
|
|
+ replaceIP("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "webrtc:ipv4");
|
|
+ replaceIP("\\b(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}\\b", "webrtc:ipv6");
|
|
+
|
|
+ return NS_OK;
|
|
+}
|
|
+
|
|
+std::string PeerConnectionImpl::SpoofCandidateIP(const std::string& candidate) {
|
|
+ CSFLogDebug(LOGTAG, "Original candidate: %s", candidate.c_str());
|
|
+
|
|
+ std::istringstream iss(candidate);
|
|
+ std::vector<std::string> tokens{std::istream_iterator<std::string>{iss},
|
|
+ std::istream_iterator<std::string>{}};
|
|
+
|
|
+ bool spoofed = false;
|
|
+ // Check for IPv4 or .local address
|
|
+ if (tokens.size() >= 8) {
|
|
+ if (tokens[4].find('.') != std::string::npos) { // IPv4 or .local
|
|
+ if (auto value = MaskConfig::GetString("webrtc:ipv4")) {
|
|
+ tokens[4] = value.value();
|
|
+ spoofed = true;
|
|
+ }
|
|
+ }
|
|
+ // Check for IPv6
|
|
+ else if (tokens[4].find(':') != std::string::npos) {
|
|
+ if (auto value = MaskConfig::GetString("webrtc:ipv6")) {
|
|
+ tokens[4] = value.value();
|
|
+ spoofed = true;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (spoofed) {
|
|
+ std::ostringstream oss;
|
|
+ std::copy(tokens.begin(), tokens.end(),
|
|
+ std::ostream_iterator<std::string>(oss, " "));
|
|
+ std::string result = oss.str();
|
|
+ CSFLogDebug(LOGTAG, "Spoofed candidate: %s", result.c_str());
|
|
+ return result;
|
|
+ }
|
|
+
|
|
+ CSFLogDebug(LOGTAG, "Candidate not spoofed: %s", candidate.c_str());
|
|
+ return candidate;
|
|
}
|
|
|
|
void PeerConnectionImpl::IceConnectionStateChange(
|
|
@@ -4446,8 +4545,10 @@ bool PeerConnectionImpl::GetPrefDefaultAddressOnly() const {
|
|
|
|
uint64_t winId = mWindow->WindowID();
|
|
|
|
- bool default_address_only = Preferences::GetBool(
|
|
- "media.peerconnection.ice.default_address_only", false);
|
|
+ bool default_address_only =
|
|
+ Preferences::GetBool("media.peerconnection.ice.default_address_only",
|
|
+ false) ||
|
|
+ ShouldSpoofCandidateIP();
|
|
default_address_only |=
|
|
!MediaManager::Get()->IsActivelyCapturingOrHasAPermission(winId);
|
|
return default_address_only;
|
|
diff --git a/dom/media/webrtc/jsapi/PeerConnectionImpl.h b/dom/media/webrtc/jsapi/PeerConnectionImpl.h
|
|
index d7b54ad721..8d8e92d14b 100644
|
|
--- a/dom/media/webrtc/jsapi/PeerConnectionImpl.h
|
|
+++ b/dom/media/webrtc/jsapi/PeerConnectionImpl.h
|
|
@@ -624,8 +624,12 @@ class PeerConnectionImpl final
|
|
RefPtr<MediaPipeline> GetMediaPipelineForTrack(
|
|
dom::MediaStreamTrack& aRecvTrack);
|
|
|
|
- void CandidateReady(const std::string& candidate,
|
|
+ void CandidateReady(const std::string& candidate_,
|
|
const std::string& transportId, const std::string& ufrag);
|
|
+
|
|
+ bool ShouldSpoofCandidateIP() const;
|
|
+ nsresult SanitizeSDPForIPLeak(std::string& sdp);
|
|
+ std::string SpoofCandidateIP(const std::string& candidate);
|
|
void SendLocalIceCandidateToContent(uint16_t level, const std::string& mid,
|
|
const std::string& candidate,
|
|
const std::string& ufrag);
|
|
diff --git a/dom/media/webrtc/jsapi/moz.build b/dom/media/webrtc/jsapi/moz.build
|
|
index 05920fc151..34dcf3b9a1 100644
|
|
--- a/dom/media/webrtc/jsapi/moz.build
|
|
+++ b/dom/media/webrtc/jsapi/moz.build
|
|
@@ -62,3 +62,6 @@ EXPORTS.mozilla.dom += [
|
|
]
|
|
|
|
FINAL_LIBRARY = "xul"
|
|
+
|
|
+# DOM Mask
|
|
+LOCAL_INCLUDES += ["/camoucfg"]
|
|
\ No newline at end of file
|