diff --git a/src/main/main.cpp b/src/main/main.cpp
index 16d91b0a..2f597b8b 100644
--- a/src/main/main.cpp
+++ b/src/main/main.cpp
@@ -69,6 +69,7 @@
 #include "qt/TailsOS.h"
 #include "qt/KeysFiles.h"
 #include "qt/MoneroSettings.h"
+#include "qt/NetworkAccessBlockingFactory.h"
 // IOS exclusions
 #ifndef Q_OS_IOS
@@ -403,6 +404,7 @@ Verify update binary using 'shasum'-compatible (SHA256 algo) output signed by tw
 QQmlApplicationEngine engine;
+ engine.setNetworkAccessManagerFactory(new NetworkAccessBlockingFactory);
 OSCursor cursor;
 engine.rootContext()->setContextProperty("globalCursor", &cursor);
 OSHelper osHelper;
diff --git a/src/qt/NetworkAccessBlockingFactory.h b/src/qt/NetworkAccessBlockingFactory.h
new file mode 100644
index 00000000..16cbc7f5
--- /dev/null
+++ b/src/qt/NetworkAccessBlockingFactory.h
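Review bot: The factory installed by `engine.setNetworkAccessManagerFactory(new NetworkAccessBlockingFactory);` only governs requests that the QML engine itself creates, so networking done on the C++ side is not affected by it. A comment on that line would keep readers from treating it as a process-wide block, for example `// Blocks QML-originated network requests only; C++ networking is not covered.` The `new`-allocated factory is never deleted in the visible lines, and as far as I know QQmlEngine does not take ownership of it; a stack instance declared just before `engine` would make the lifetime explicit. The enclosing function starts and ends outside the hunk.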
@@ -0,0 +1,67 @@
+/* Ricochet - https://ricochet.im/
+ * Copyright (C) 2014, John Brooks
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * * Neither the names of the copyright owners nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Through the QQmlNetworkAccessManagerFactory below, all network requests
+ * created via QML will be passed to this object; including, for example,
+ * tags parsed in rich Text items.
+ *
+ * Ricochet's UI does not directly cause network requests for any reason. These
+ * are always a potentially deanonymizing bug. 
This object will block them,
+ * and assert if appropriate.
+ */
+#include
+
+class BlockedNetworkAccessManager : public QNetworkAccessManager
+{
+public:
+ BlockedNetworkAccessManager(QObject *parent)
+ : QNetworkAccessManager(parent)
+ {
+ setProxy(QNetworkProxy(QNetworkProxy::Socks5Proxy, QLatin1String("0.0.0.0"), 0));
+ }
+
+protected:
+ virtual QNetworkReply *createRequest(Operation op, const QNetworkRequest &req, QIODevice *outgoingData = 0)
+ {
+ qCritical() << "QML attempted to load a network resource from" << req.url() << " - this is potentially an input sanitization flaw.";
+ return QNetworkAccessManager::createRequest(op, QNetworkRequest(), outgoingData);
+ }
+};
+
+class NetworkAccessBlockingFactory : public QQmlNetworkAccessManagerFactory
+{
+public:
+ virtual QNetworkAccessManager *create(QObject *parent)
+ {
+ return new BlockedNetworkAccessManager(parent);
+ }
+};
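Review bot: Neither `createRequest` nor `create` is marked `override`, so if either signature ever stops matching the Qt virtual the interception disappears without a compiler error, leaving only the dead SOCKS5 proxy from the constructor between QML and the network. Declaring them as `QNetworkReply *createRequest(Operation op, const QNetworkRequest &req, QIODevice *outgoingData = nullptr) override` and `QNetworkAccessManager *create(QObject *parent) override` makes that a build failure instead. The header comment says the object will "assert if appropriate", but the visible code only logs through `qCritical()`; either add the assertion for debug builds or reword the comment. The same comment still describes Ricochet's UI and should say whether this project's QML is expected to make no network requests, since any legitimate QML fetch will now fail. No include guard is visible in the new header; `#pragma once` would keep a second inclusion from redefining both classes.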