From f3a571eb5e92b749553fcd8afb9f5f180daf328a Mon Sep 17 00:00:00 2001 From: Mehmet Fidanboylu Date: Sat, 8 Feb 2020 14:35:18 -0800 Subject: [PATCH 1/2] Draft PR for introducing a way to ban http --- sdk/lib/_http/http.dart | 8 ++++++++ sdk/lib/_http/http_impl.dart | 8 ++++++++ sdk/lib/_http/overrides.dart | 18 ++++++++++++++++-- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/sdk/lib/_http/http.dart b/sdk/lib/_http/http.dart index 855234bf46fe..4f05a8006826 100644 --- a/sdk/lib/_http/http.dart +++ b/sdk/lib/_http/http.dart @@ -1763,6 +1763,14 @@ abstract class HttpClient { return overrides.findProxyFromEnvironment(url, environment); } + static bool get isHttpAllowed { + HttpOverrides overrides = HttpOverrides.current; + if (overrides == null) { + return _HttpClient._isHttpAllowedByDefault; + } + return overrides.isHttpAllowed(); + } + /** * Sets the function to be called when a proxy is requesting * authentication. Information on the proxy in use and the security diff --git a/sdk/lib/_http/http_impl.dart b/sdk/lib/_http/http_impl.dart index 336c6d0d8441..5738e9f321bd 100644 --- a/sdk/lib/_http/http_impl.dart +++ b/sdk/lib/_http/http_impl.dart @@ -2126,6 +2126,8 @@ class _ConnectionTarget { typedef bool BadCertificateCallback(X509Certificate cr, String host, int port); class _HttpClient implements HttpClient { + static const bool _isHttpAllowedByDefault = true; + bool _closing = false; bool _closingForcefully = false; final Map _connectionTargets = @@ -2136,6 +2138,7 @@ class _HttpClient implements HttpClient { Function _authenticate; Function _authenticateProxy; Function _findProxy = HttpClient.findProxyFromEnvironment; + bool _isHttpAllowed = HttpClient.isHttpAllowed; Duration _idleTimeout = const Duration(seconds: 15); BadCertificateCallback _badCertificateCallback; 
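Review bot: The new public getter `HttpClient.isHttpAllowed` in `sdk/lib/_http/http.dart` (hunk `@@ -1763,6 +1763,14`) has no doc comment, although the member right after it is documented with a `/** ... */` block. I would add `/// Whether clients may open cleartext "http" connections; taken from [HttpOverrides.current], or the platform default when no override is installed.` The one-line comment on `HttpOverrides.isHttpAllowed()` in `overrides.dart` (hunk `@@ -89,6 +90,11`) has the same gap, because it does not say what a caller sees when the answer is false; from the `http_impl.dart` hunk that is an `ArgumentError` for any URI whose scheme is not `https`, and the comment should state it.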
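Review bot: In `sdk/lib/_http/http_impl.dart` (hunk `@@ -2136,6 +2138,7`) the field `bool _isHttpAllowed = HttpClient.isHttpAllowed;` reads the override once, when the client is constructed, whereas the `_findProxy` field just above it stores a function that is called later. A client created outside a `HttpOverrides.runZoned(allowHttp: false, ...)` scope and then used inside it keeps the value it captured, so the ban would not apply to that client. If this is intended, say so next to the field, e.g. `// Cleartext policy is fixed when the client is created; later zone overrides do not change it.` Otherwise drop the field and test `!HttpClient.isHttpAllowed && !isSecure` at the check in the `@@ -2285` hunk, so the policy of the zone making the request is the one enforced.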
@@ -2285,6 +2288,11 @@ class _HttpClient implements HttpClient { } bool isSecure = (uri.scheme == "https"); + bool isMobileClient = Platform.isAndroid || Platform.isIOS; + if (isMobileClient && !_isHttpAllowed && !isSecure) { + throw new ArgumentError("HTTP traffic is not supported in this client. Please use HTTPS."); + } + int port = uri.port; if (port == 0) { port = diff --git a/sdk/lib/_http/overrides.dart b/sdk/lib/_http/overrides.dart index 4112c3c56d76..f13e2810193c 100644 --- a/sdk/lib/_http/overrides.dart +++ b/sdk/lib/_http/overrides.dart @@ -52,10 +52,11 @@ abstract class HttpOverrides { {HttpClient Function(SecurityContext) createHttpClient, String Function(Uri uri, Map environment) findProxyFromEnvironment, + bool allowHttp, ZoneSpecification zoneSpecification, Function onError}) { HttpOverrides overrides = - new _HttpOverridesScope(createHttpClient, findProxyFromEnvironment); + new _HttpOverridesScope(createHttpClient, findProxyFromEnvironment, allowHttp); return _asyncRunZoned(body, zoneValues: {_httpOverridesToken: overrides}, zoneSpecification: zoneSpecification, @@ -89,6 +90,11 @@ abstract class HttpOverrides { String findProxyFromEnvironment(Uri url, Map environment) { return _HttpClient._findProxyFromEnvironment(url, environment); } + + /// Specifies whether HTTP communication in cleartext is allowed. + bool isHttpAllowed() { + return _HttpClient._isHttpAllowedByDefault; + } } class _HttpOverridesScope extends HttpOverrides { 
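Review bot: The cleartext check added in the `@@ -2285,6 +2288,11` hunk of `http_impl.dart` sits where a request URI is opened, and nothing in the hunk shows whether redirect targets go through the same code; the enclosing function starts and ends outside the hunk. An `https` request that is answered with a redirect to an `http://` location is the usual way a ban like this ends up not being enforced, so the change should come with a test that follows such a redirect under `allowHttp: false` and expects the `ArgumentError`. Once that is confirmed, a comment on the check such as `// Also applies to redirect targets, so an https-to-http downgrade is rejected.` would record the guarantee. The same point holds for the revised condition in the second patch (hunk `@@ -2288,8 +2293,7`).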
@@ -97,8 +103,16 @@ class _HttpOverridesScope extends HttpOverrides { final HttpClient Function(SecurityContext) _createHttpClient; final String Function(Uri uri, Map environment) _findProxyFromEnvironment; + final bool _allowHttp; + + _HttpOverridesScope(this._createHttpClient, this._findProxyFromEnvironment, this._allowHttp); - _HttpOverridesScope(this._createHttpClient, this._findProxyFromEnvironment); + @override + bool isHttpAllowed() { + if (_allowHttp != null) return _allowHttp; + if (_previous != null) return _previous.isHttpAllowed(); + return super.isHttpAllowed(); + } @override HttpClient createHttpClient(SecurityContext context) { From ce0c32256a15fcd18b5c251a2bf798c70b75aa06 Mon Sep 17 00:00:00 2001 From: Mehmet Fidanboylu Date: Sun, 9 Feb 2020 06:16:19 -0800 Subject: [PATCH 2/2] Have platform specific defaults --- sdk/lib/_http/http_impl.dart | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/sdk/lib/_http/http_impl.dart b/sdk/lib/_http/http_impl.dart index 5738e9f321bd..081fcbfe5f7b 100644 --- a/sdk/lib/_http/http_impl.dart +++ b/sdk/lib/_http/http_impl.dart @@ -2126,8 +2126,6 @@ class _ConnectionTarget { typedef bool BadCertificateCallback(X509Certificate cr, String host, int port); class _HttpClient implements HttpClient { - static const bool _isHttpAllowedByDefault = true; - bool _closing = false; bool _closingForcefully = false; final Map _connectionTargets = @@ -2154,6 +2152,13 @@ class _HttpClient implements HttpClient { _HttpClient(this._context); + static bool get _isHttpAllowedByDefault { + if (Platform.isIOS) return true; + if (Platform.isAndroid) return true; + // Add any more Platform specific defaults here. + return true; + } + void set idleTimeout(Duration timeout) { _idleTimeout = timeout; for (var c in _connectionTargets.values) { 
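Review bot: In `_HttpOverridesScope.isHttpAllowed()` (`overrides.dart`, hunk `@@ -97,8 +103,16`) the innermost non-null `_allowHttp` wins, so a nested `HttpOverrides.runZoned(allowHttp: true, ...)` re-enables cleartext inside an outer scope that set `allowHttp: false`. If the ban is meant to hold for code the application does not control, such as a dependency opening its own zone, the deny needs to be sticky, for example by starting the method with `if (_previous != null && !_previous.isHttpAllowed()) return false;`. If inner scopes are meant to be able to relax it, document that precedence on the `allowHttp` parameter of `runZoned`. `_previous` is declared outside the hunk, so its nullability here is inferred from the existing null check.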
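Review bot: The getter `_isHttpAllowedByDefault` added in the second patch (`http_impl.dart`, hunk `@@ -2154,6 +2152,13`) returns `true` on every branch, so the two `Platform` tests have no effect and the default stays allow-cleartext on all platforms. Until a platform actually differs, a single `return true;` with a comment such as `// TODO: set per-platform defaults; cleartext is currently allowed everywhere.` states the real behaviour more plainly. If a secure default on mobile is the goal of this series, the intended values should be written here so a reader does not take the iOS and Android branches for an enforced policy.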
@@ -2288,8 +2293,7 @@ class _HttpClient implements HttpClient { } bool isSecure = (uri.scheme == "https"); - bool isMobileClient = Platform.isAndroid || Platform.isIOS; - if (isMobileClient && !_isHttpAllowed && !isSecure) { + if (!_isHttpAllowed && !isSecure) { throw new ArgumentError("HTTP traffic is not supported in this client. Please use HTTPS."); }