Reject stun urls with query parameters

for consistency with Chromium behavior, in particular stun:host?transport=udp gets rejected. BUG=chromium:1385735 Change-Id: I85a141ecf72480bfa09d8354d6dcaef8ca0cdcff Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/299943 Reviewed-by: Harald Alvestrand <hta@webrtc.org> Reviewed-by: Guido Urdaneta <guidou@webrtc.org> Commit-Queue: Philipp Hancke <phancke@microsoft.com> Cr-Commit-Position: refs/heads/main@{#39916}
2025-05-12 21:30:45 +01:00 · 2023-04-03 12:48:05 +02:00 · 2023-04-03 12:48:05 +02:00 · ff6cd53303
commit ff6cd53303
parent 7aa6a72dc6
2 changed files with 11 additions and 0 deletions
--- a/pc/ice_server_parsing.cc
+++ b/pc/ice_server_parsing.cc
@ -220,6 +220,15 @@ RTCError ParseIceServerUrl(
  // GetServiceTypeAndHostnameFromUri should never give an empty hoststring
  RTC_DCHECK(!hoststring.empty());

+  // stun with ?transport (or any ?) is not valid.
+  if ((service_type == ServiceType::STUN ||
+       service_type == ServiceType::STUNS) &&
+      tokens.size() > 1) {
+    LOG_AND_RETURN_ERROR(
+        RTCErrorType::SYNTAX_ERROR,
+        "ICE server parsing failed: Invalid stun url with query parameters");
+  }
+
  int default_port = kDefaultStunPort;
  if (service_type == ServiceType::TURNS) {
    default_port = kDefaultStunTlsPort;
--- a/pc/ice_server_parsing_unittest.cc
+++ b/pc/ice_server_parsing_unittest.cc
@ -188,6 +188,8 @@ TEST_F(IceServerParsingTest, ParseHostnameAndPort) {
  EXPECT_FALSE(ParseUrl("stun:/hostname"));  // / is not allowed
  EXPECT_FALSE(ParseUrl("stun:?hostname"));  // ? is not allowed
  EXPECT_FALSE(ParseUrl("stun:#hostname"));  // # is not allowed
+  // STUN explicitly forbids query parameters.
+  EXPECT_FALSE(ParseUrl("stun:hostname?transport=udp"));
 }

 // Test parsing the "?transport=xxx" part of the URL.