  1. Qt
  2. QTBUG-126610

HTTP2 Support leaks information

Details

    • All
    • b1e75376c (dev), 0fb43e439 (6.8), 2b1e36e18 (6.7), 2b3048b35 (tqtc/lts-6.5), db8bd4ea2 (tqtc/lts-6.2), bb1006b78 (tqtc/lts-5.15)

    Description

      Every time we start a TLS connection we check for our own TLS verification and abort the connection in QNetworkReply::encrypted if it is not valid. Usual case....
      But if the server supports HTTP2 and sends some HTTP stuff, Qt will send data even if QNetworkReply::abort was called.

      In our case we manually follow a redirect until an address matches. If the address matches, we check the TLS certificate only and abort the QNetworkReply.
      As you can see in the screenshot, the server will send HTTP2 SETTINGS and Qt will send the HTTP GET even though the QNetworkReply was aborted.

      This helps as a work-around at the moment.
      request.setAttribute(QNetworkRequest::Http2AllowedAttribute, false);

      void dummy::example()
      {
          QNetworkRequest request(mUrl);
          mReply = Env::getSingleton<NetworkManager>()->get(request);

          connect(mReply.data(), &QNetworkReply::sslErrors, this, &dummy::onSslErrors);
          // encrypted() is emitted once the TLS handshake has completed
          connect(mReply.data(), &QNetworkReply::encrypted, this, &dummy::onSslHandshakeDone);
      }

      void dummy::onSslHandshakeDone()
      {
          // do some stuff
          mReply->abort();
      }
      

      Attachments

        1. fixed.png
          237 kB
          André Klitzing
        2. whireshark.png
          307 kB
          André Klitzing

            People

              manordheim Mårten Nordheim
              misery André Klitzing
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche