From 09cd706b37d396636546c8a402fe8ca7438716c4 Mon Sep 17 00:00:00 2001
From: s30028044
Date: Mon, 8 Apr 2024 20:02:38 +0800
Subject: [PATCH] CVE-2023-23602

---
 dom/websocket/WebSocket.cpp | 39 ++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp
index caa60d9cd5..59aca1d227 100644
--- a/dom/websocket/WebSocket.cpp
+++ b/dom/websocket/WebSocket.cpp
@@ -120,7 +120,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor,
   bool IsTargetThread() const;
 
   nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
-                nsIPrincipal* aPrincipal, bool aIsServerSide,
+                nsIPrincipal* aPrincipal, const Maybe& aClientInfo,
+                nsICSPEventListener* aCSPEventListener, bool aIsServerSide,
                 const nsAString& aURL, nsTArray& aProtocolArray,
                 const nsACString& aScriptFile, uint32_t aScriptLine,
                 uint32_t aScriptColumn);
@@ -979,6 +980,7 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable {
 class InitRunnable final : public WebSocketMainThreadRunnable {
  public:
   InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl,
+               const Maybe& aClientInfo,
                bool aIsServerSide, const nsAString& aURL,
                nsTArray& aProtocolArray,
                const nsACString& aScriptFile, uint32_t aScriptLine,
@@ -986,6 +988,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
       : WebSocketMainThreadRunnable(aWorkerPrivate,
                                     NS_LITERAL_CSTRING("WebSocket :: init")),
         mImpl(aImpl),
+        mClientInfo(aClientInfo),
         mIsServerSide(aIsServerSide),
         mURL(aURL),
         mProtocolArray(aProtocolArray),
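Review bot: The two parameters added to the WebSocketImpl::Init declaration in the first hunk, `aClientInfo` and `aCSPEventListener`, are undocumented, and the rest of the patch shows they carry a contract worth stating: the main-thread caller passes `Nothing(), nullptr`, the worker runnables pass the worker's client info and `mWorkerPrivate->CSPEventListener()`, and Init installs the listener only when it is non-null. I would add above the declaration: `// aClientInfo/aCSPEventListener identify the worker client whose CSP applies to the content-policy check and receive its violation reports; both are Nothing()/nullptr when called from the main thread, where the check uses the owning document instead.` The "owning document" part is my reading of the `originDoc` argument in the last hunk rather than something this hunk shows, so confirm it before wording the comment that way. The `Maybe&` and `nsTArray&` spellings in this rendering appear to have lost their template arguments; the committed declaration presumably reads `Maybe<ClientInfo>`.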
@@ -1015,10 +1018,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
       return true;
     }
 
-    mErrorCode =
-        mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(),
-                    doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray,
-                    mScriptFile, mScriptLine, mScriptColumn);
+    mErrorCode = mImpl->Init(
+        jsapi.cx(), mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(),
+        mClientInfo, mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
+        mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
     return true;
   }
 
@@ -1028,7 +1031,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
 
     mErrorCode =
         mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(),
-                    aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL,
+                    aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo,
+                    mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
                     mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
     return true;
   }
@@ -1036,6 +1040,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
 
   // Raw pointer. This worker runnable runs synchronously.
   WebSocketImpl* mImpl;
+  Maybe mClientInfo;
   bool mIsServerSide;
   const nsAString& mURL;
   nsTArray& mProtocolArray;
@@ -1230,9 +1235,8 @@ already_AddRefed WebSocket::ConstructorCommon(
   }
 
   aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal,
-                            !!aTransportProvider, aUrl, protocolArray,
-                            EmptyCString(), 0, 0);
-
+                            Nothing(), nullptr, !!aTransportProvider, aUrl,
+                            protocolArray, ""_ns, 0, 0);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
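Review bot: The main-thread call in the ConstructorCommon hunk replaces `EmptyCString()` with `""_ns`, while the same patch leaves `EmptyCString()` in the NS_CheckContentLoadPolicy call of the last hunk and the InitRunnable constructor still uses `NS_LITERAL_CSTRING`; if this tree predates the `_ns` literal the line will not compile, and even where it does, mixing idioms inside one backport is a smell. Keeping the existing spelling, `protocolArray, EmptyCString(), 0, 0);`, keeps the change minimal and consistent with the surrounding code. The `Nothing(), nullptr` arguments also mean the main-thread path gets neither client info nor a CSP event listener, so the new CSP coverage applies only to the worker paths in the earlier hunks; that looks intended (presumably the owning document supplies the CSP context for main-thread sockets) but deserves a one-line comment on the call, e.g. `// Main thread: no worker client or CSP event listener; CSP comes via the owning document.`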
@@ -1256,8 +1260,9 @@ already_AddRefed WebSocket::ConstructorCommon(
   }
 
   RefPtr runnable = new InitRunnable(
-      workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray,
-      nsDependentCString(file.get()), lineno, column);
+      workerPrivate, webSocketImpl,
+      workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider,
+      aUrl, protocolArray, nsDependentCString(file.get()), lineno, column);
   runnable->Dispatch(Canceling, aRv);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
@@ -1443,8 +1448,10 @@ void WebSocket::DisconnectFromOwner() {
 //-----------------------------------------------------------------------------
 
 nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
-                             nsIPrincipal* aPrincipal, bool aIsServerSide,
-                             const nsAString& aURL,
+                             nsIPrincipal* aPrincipal,
+                             const Maybe& aClientInfo,
+                             nsICSPEventListener* aCSPEventListener,
+                             bool aIsServerSide, const nsAString& aURL,
                              nsTArray& aProtocolArray,
                              const nsACString& aScriptFile, uint32_t aScriptLine,
                              uint32_t aScriptColumn) {
@@ -1537,7 +1544,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
       aPrincipal,  // loading principal
       aPrincipal,  // triggering principal
       originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
-      nsIContentPolicy::TYPE_WEBSOCKET);
+      nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
+
+  if (aCSPEventListener) {
+    secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
+  }
 
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, EmptyCString(),
-- 
2.27.0
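Review bot: The worker path in the ConstructorCommon hunk forwards `workerPrivate->GlobalScope()->GetClientInfo()` without looking at what it returns; if that can be `Nothing()` for some worker (the type is a Maybe, so the API allows it), the content-policy check in Init is built without client info and silently falls back to the pre-patch behaviour, which is exactly the gap this fix is closing. I would capture it first and make the expectation explicit: `Maybe<ClientInfo> clientInfo = workerPrivate->GlobalScope()->GetClientInfo(); MOZ_DIAGNOSTIC_ASSERT(clientInfo.isSome());` and pass `clientInfo` to the runnable, or, if an empty value is legitimate here, add a comment saying why the check may proceed without it. Whether GetClientInfo() can be empty at this point is not visible in this hunk; confirm against the worker global scope implementation.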
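Review bot: In the last hunk the CSP event listener is attached only to `secCheckLoadInfo`, the LoadInfo built for the explicit `NS_CheckContentLoadPolicy` call; nothing in this hunk attaches it to whatever channel Init opens afterwards, so only violations raised by this check would reach the worker's listener, which is fine if this is the only CSP evaluation for websockets but should be stated. I would annotate the guard: `// Null on the main thread (see ConstructorCommon); workers pass their CSPEventListener so violations found by this check are reported back into the worker.` The claim that this is the only evaluation point is an assumption on my side, not something the hunk establishes. WebSocketImpl::Init's body continues outside the hunk.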