-
-
Notifications
You must be signed in to change notification settings - Fork 828
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core: Use proper sandbox type per SWF #17756
Conversation
this sounds good, how does this help? |
I am really quite curious about how this is going to work in practice. e.g. can SWFs with localWithNetwork load SWFs with localWithFile? I am mostly thinking about the boundary between different SWFs with different sandbox levels. |
@@ -92,30 +104,38 @@ impl SwfMovie { | |||
/// `LoaderInfo.bytesTotal` is set to the actual value, but no data is available, | |||
/// and `LoaderInfo.parameters` is empty. | |||
pub fn fake_with_compressed_len(swf_version: u8, compressed_len: usize) -> Self { | |||
let url = "file:///".to_string(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty sure this is going to be a problem in the future. We need something like #17717.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's right, added TODOs for now, but this will need a lot more tests for sure
e2d83c2
to
ef9dc21
Compare
From my testing (if I remember correctly):
I'll be adding some tests (known failures) related to these behaviors along with the thrown exceptions so hopefully I'll cover these cases and even some more. In AVM1 IIRC no exceptions are thrown, actions are canceled/prevented and security sandbox messages are traced. |
It's the first step of implementing the security sandbox and its filesystem/network separation policy. Before that Ruffle assigned `localTrusted` sandbox type for all movies except web, where `remote` was used. The sandbox type also was assigned to the player, and not SWFs as it should. This patch does not introduce any sandbox policies based on the sandbox type, just the proper sandbox type detection. It is also not possible to specify trusted movies, and AIR applications don't use the `application` type yet.
Verifies the sandbox type of a local SWF with network disabled.
Verifies the sandbox type of a local SWF with network enabled.
Verifies the sandbox type of SWFs loaded through network.
Verifies the sandbox type of a local SWF with network disabled.
Verifies the sandbox type of a local SWF with network enabled.
Verifies the sandbox type of SWFs loaded through network.
ef9dc21
to
ec84f19
Compare
It's the first step of implementing the security sandbox and its filesystem/network separation policy. Before that Ruffle assigned
localTrusted
sandbox type for all movies except web, whereremote
was used. The sandbox type also was assigned to the player, and not SWFs as it should. This PR does not introduce any sandbox policies based on the sandbox type, just the proper sandbox type detection. It is also not possible to specify trusted movies, and AIR applications don't use theapplication
type yet.The logic goes as follows. It is detected whether a SWF is local or remote based on its URL (URLs with scheme
file
are treated as local). Every remote SWF receives theremote
sandbox type. For local SWFs, their FileAttributes are checked foruseNetwork
, which if true will assignlocalWithNetwork
and if false will assignlocalWithFile
sandbox type.This behavior is covered by the following set of tests:
avm*/sandbox_type_local_network
–localWithNetwork
type in AVM1/AVM2,avm*/sandbox_type_local_file
–localWithFile
type in AVM1/AVM2,avm*/sandbox_type_remote
–remote
type in AVM1/AVM2, alocalWithNetwork
SWF loads another one from the network.The cases from the tests above were the only cases I found where implementing sandbox policies was not needed for the test to pass.