fix: default to NTLM v2 in the network service for POSIX platforms (#23933)

* fix: default to NTLM v2 in the network service for POSIX platforms * chore: update patch
2026-04-10 03:01:51 -04:00 · 2020-06-03 11:48:37 -07:00
parent 0aa7b7f712
commit 38f0a8e85b
7 changed files with 43 additions and 2 deletions
--- a/docs/api/command-line-switches.md
+++ b/docs/api/command-line-switches.md
@@ -28,6 +28,10 @@ Disables the disk cache for HTTP requests.

 Disable HTTP/2 and SPDY/3.1 protocols.

+### --disable-ntlm-v2
+
+Disables NTLM v2 for posix platforms, no effect elsewhere.
+
 ## --lang

 Set a custom locale.
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -104,3 +104,4 @@ fix_hunspell_crash.patch
 avoid_nullptr_dereference_in_rtcpeerconnectionhandler.patch
 reland_onstate_handler_is_allowed_to_close_a_peerconnection.patch
 fix_swap_global_proxies_before_initializing_the_windows_proxies.patch
+fix_default_to_ntlm_v2_in_network_service.patch
--- a/patches/chromium/fix_default_to_ntlm_v2_in_network_service.patch
+++ b/patches/chromium/fix_default_to_ntlm_v2_in_network_service.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: deepak1556 <hop2deep@gmail.com>
+Date: Mon, 1 Jun 2020 20:36:16 +0000
+Subject: fix: default to NTLM v2 in network service for POSIX platforms
+
+NTLM always defaults to NTLM v2 at the //net layer for quite
+sometime now https://crbug.com/22532.
+
+Change-Id: I4ea2dedc10c63a7c4e00101c0acc6d8a713c5054
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2222116
+Auto-Submit: Deepak Mohan <hop2deep@gmail.com>
+Reviewed-by: Tom Sepez <tsepez@chromium.org>
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#773809}
+
+diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
+index 1cafd4440108ccb8fe7f4f7c3d43a661dd626f15..8fdb75f76f5d9f207265c316e03818f36bcafbaa 100644
+--- a/services/network/public/mojom/network_service.mojom
+++ b/services/network/public/mojom/network_service.mojom
+@@ -113,7 +113,7 @@ struct HttpAuthDynamicParams {
+   bool enable_negotiate_port = true;
+ 
+   // Whether NTLM V2 is enabled on POSIX platforms. No effect elsewhere.
+-  bool ntlm_v2_enabled = false;
+  bool ntlm_v2_enabled = true;
+ 
+   // The AccountManager AccountManagerget.AccountsByTypeAndFeatures on Android
+   // when using Negotiate authentication.
--- a/shell/browser/api/electron_api_session.cc
+++ b/shell/browser/api/electron_api_session.cc
@@ -548,12 +548,14 @@ v8::Local<v8::Promise> Session::ClearAuthCache() {
 }

 void Session::AllowNTLMCredentialsForDomains(const std::string& domains) {
+  auto* command_line = base::CommandLine::ForCurrentProcess();
  network::mojom::HttpAuthDynamicParamsPtr auth_dynamic_params =
      network::mojom::HttpAuthDynamicParams::New();
  auth_dynamic_params->server_allowlist = domains;
  auth_dynamic_params->enable_negotiate_port =
-      base::CommandLine::ForCurrentProcess()->HasSwitch(
-          electron::switches::kEnableAuthNegotiatePort);
+      command_line->HasSwitch(electron::switches::kEnableAuthNegotiatePort);
+  auth_dynamic_params->ntlm_v2_enabled =
+      !command_line->HasSwitch(electron::switches::kDisableNTLMv2);
  content::GetNetworkService()->ConfigureHttpAuthPrefs(
      std::move(auth_dynamic_params));
 }
--- a/shell/browser/net/system_network_context_manager.cc
+++ b/shell/browser/net/system_network_context_manager.cc
@@ -53,6 +53,8 @@ network::mojom::HttpAuthDynamicParamsPtr CreateHttpAuthDynamicParams() {
      electron::switches::kAuthNegotiateDelegateWhitelist);
  auth_dynamic_params->enable_negotiate_port =
      command_line->HasSwitch(electron::switches::kEnableAuthNegotiatePort);
+  auth_dynamic_params->ntlm_v2_enabled =
+      !command_line->HasSwitch(electron::switches::kDisableNTLMv2);

  return auth_dynamic_params;
 }
--- a/shell/common/options_switches.cc
+++ b/shell/common/options_switches.cc
@@ -278,6 +278,9 @@ const char kAuthNegotiateDelegateWhitelist[] =
 // If set, include the port in generated Kerberos SPNs.
 const char kEnableAuthNegotiatePort[] = "enable-auth-negotiate-port";

+// If set, NTLM v2 is disabled for POSIX platforms.
+const char kDisableNTLMv2[] = "disable-ntlm-v2";
+
 #if BUILDFLAG(ENABLE_BUILTIN_SPELLCHECKER)
 const char kEnableSpellcheck[] = "enable-spellcheck";
 #endif
--- a/shell/common/options_switches.h
+++ b/shell/common/options_switches.h
@@ -140,6 +140,7 @@ extern const char kIgnoreConnectionsLimit[];
 extern const char kAuthServerWhitelist[];
 extern const char kAuthNegotiateDelegateWhitelist[];
 extern const char kEnableAuthNegotiatePort[];
+extern const char kDisableNTLMv2[];

 #if BUILDFLAG(ENABLE_BUILTIN_SPELLCHECKER)
 extern const char kEnableSpellcheck[];