Bug 13028: Prevent potential proxy bypass cases.

It looks like these cases should only be invoked in the NSS command line tools, and not the browser, but I decided to patch them anyway because there literally is a maze of network function pointers being passed around, and it's very hard to tell if some random code might not pass in the proper proxied versions of the networking code here by accident. Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1433509

Bug 13028: Prevent potential proxy bypass cases.
73ba0be0 · Mike Perry · Pier Angelo Vendrame · 6add3873 · 73ba0be0 · 73ba0be0
Verified Commit 73ba0be0 authored Sep 29, 2014 by Mike Perry Committed by Pier Angelo Vendrame Feb 8, 2023
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2927,6 +2927,9 @@ loser:
 static PRFileDesc *
 ocsp_ConnectToHost(const char *host, PRUint16 port)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+    return NULL;
+#else
    PRFileDesc *sock = NULL;
    PRIntervalTime timeout;
    PRNetAddr addr;
@@ -2985,6 +2988,7 @@ loser:
    if (netdbbuf != NULL)
        PORT_Free(netdbbuf);
    return NULL;
+#endif
 }

 /*

--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -1322,6 +1322,9 @@ pkix_pl_Socket_Create(
        PKIX_PL_Socket **pSocket,
        void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
        PKIX_PL_Socket *socket = NULL;

        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Create");
@@ -1369,6 +1372,7 @@ cleanup:
        }

        PKIX_RETURN(SOCKET);
+#endif
 }

 /*
@@ -1418,6 +1422,9 @@ pkix_pl_Socket_CreateByName(
        PKIX_PL_Socket **pSocket,
        void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
        PRNetAddr netAddr;
        PKIX_PL_Socket *socket = NULL;
        char *sepPtr = NULL;
@@ -1520,6 +1527,7 @@ cleanup:
        }

        PKIX_RETURN(SOCKET);
+#endif
 }

 /*
@@ -1571,6 +1579,9 @@ pkix_pl_Socket_CreateByHostAndPort(
        PKIX_PL_Socket **pSocket,
        void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
        PRNetAddr netAddr;
        PKIX_PL_Socket *socket = NULL;
        char *sepPtr = NULL;
@@ -1658,6 +1669,7 @@ cleanup:
        }

        PKIX_RETURN(SOCKET);
+#endif
 }

 /*