LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-12-28 13:43:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
bba53441ef
ladybird/Userland/Services/RequestServer/GeminiProtocol.cpp
MacDue a1d669fe63 RequestServer: Make pre-connection job refcounted 
Fixes #22582

Previously, the job and the (cache of them) would lead to a UAF, as
after `.start()` was called on the job it'd be immediately destroyed.

Example of previous bug:

```
// Note due to the cache &jobA == &jobB
auto& jobA = Job::ensure("https://r.bing.com/");
auto& jobB = Job::ensure("https://r.bing.com/");
// Previously, the first .start() free'd the job
jobA.start();
// So the second .start() was a UAF
jobB.start();
```
2024-01-05 04:03:32 +03:30

40 lines
1.2 KiB
C++
Raw Blame History

/*
* Copyright (c) 2020, the SerenityOS developers.
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include "ConnectionCache.h"
#include <LibGemini/GeminiRequest.h>
#include <LibGemini/Job.h>
#include <RequestServer/GeminiProtocol.h>
#include <RequestServer/GeminiRequest.h>
namespace RequestServer {
GeminiProtocol::GeminiProtocol()
: Protocol("gemini")
{
}
OwnPtr<Request> GeminiProtocol::start_request(ConnectionFromClient& client, ByteString const&, const URL& url, HashMap<ByteString, ByteString> const&, ReadonlyBytes, Core::ProxyData proxy_data)
{
Gemini::GeminiRequest request;
request.set_url(url);
auto pipe_result = get_pipe_for_request();
if (pipe_result.is_error())
return {};
auto output_stream = MUST(Core::File::adopt_fd(pipe_result.value().write_fd, Core::File::OpenMode::Write));
auto job = Gemini::Job::construct(request, *output_stream);
auto protocol_request = GeminiRequest::create_with_job({}, client, *job, move(output_stream));
protocol_request->set_request_fd(pipe_result.value().read_fd);
ConnectionCache::get_or_create_connection(ConnectionCache::g_tls_connection_cache, url, job, proxy_data);
return protocol_request;
}
}
Reference in New Issue View Git Blame Copy Permalink