(DWF-2016-89001) Validate TLS certificates
@mcatanzaro
Submitted by Michael Catanzaro Link to original bug (#754488)
Description
Seems Shotwell logs into Facebook, etc. without validating TLS certificates. First reported in bug #751709.
Since you use WebKit1 you're responsible not just for all security bugs since security updates ended a year ago, but also for validating TLS certificates on the SoupSession used by your WebKitWebView, before sending any HTTP headers. I've never done this before, but I think the right way is to connect to WebKitWebView:resource-request-starting, grab the WebKitNetworkRequest, get the SoupMessage property from it, then connect to notify::tls-errors and cancel the message immediately in the signal handler (not sure how to do that). I think you also have to somehow tell libsoup to check for TLS errors in the first place; should be easy if you can find a way to get the SoupSession from WebKit (see below), but I'm not sure how to do that (CCing a couple people who might know).
Much better to just upgrade to WebKit2 (bug #751709), which is secure by default.
Also, since you use SoupSessionAsync outside of WebKit, you need to validate them there too, either by upgrading to plain SoupSession or by setting its ssl-use-system-ca-file property to TRUE, regardless of the version of WebKit in use. But that is easy.
Version: 0.22.x
Resolution: RESOLVED FIXED