Allow a non-200 (or non-407) response for a CONNECT request from an HTTPS pro...

net/http/http_proxy_client_socket.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_proxy_client_socket.h"
 
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_log.h"
 #include "net/base/net_util.h"
+#include "net/http/connect_response_http_stream.h"

[vandebo (ex-Chrome), 2010/12/04 00:30:37]

Is this header needed?

[Ryan Hamilton, 2010/12/09 21:19:35]

Done.

 #include "net/http/http_net_log_params.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_proxy_utils.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_stream_parser.h"
 #include "net/socket/client_socket_handle.h"
 
 namespace net {
 
 HttpProxyClientSocket::HttpProxyClientSocket(
     ClientSocketHandle* transport_socket,
     const GURL& request_url,
     const std::string& user_agent,
     const HostPortPair& endpoint,
     const HostPortPair& proxy_server,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory,
     bool tunnel,
-    bool using_spdy)
+    bool using_spdy,
+    bool is_https_proxy)
     : ALLOW_THIS_IN_INITIALIZER_LIST(
           io_callback_(this, &HttpProxyClientSocket::OnIOComplete)),
       next_state_(STATE_NONE),
       user_callback_(NULL),
       transport_(transport_socket),
       endpoint_(endpoint),
       auth_(tunnel ?
           new HttpAuthController(HttpAuth::AUTH_PROXY,
                                  GURL("http://" + proxy_server.ToString()),
                                  http_auth_cache,
                                  http_auth_handler_factory)
           : NULL),
       tunnel_(tunnel),
       using_spdy_(using_spdy),
+      is_https_proxy_(is_https_proxy),
       net_log_(transport_socket->socket()->NetLog()) {
   // Synthesize the bits of a request that we actually use.
   request_.url = request_url;
   request_.method = "GET";
   if (!user_agent.empty())
     request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent,
                                      user_agent);
 }
 
 HttpProxyClientSocket::~HttpProxyClientSocket() {
@@ skipping 79 matching lines @@
   return OK;
 }
 
 void HttpProxyClientSocket::LogBlockedTunnelResponse(int response_code) const {
   LOG(WARNING) << "Blocked proxy response with status " << response_code
                << " to CONNECT request for "
                << GetHostAndPort(request_.url) << ".";
 }
 
 void HttpProxyClientSocket::Disconnect() {
-  transport_->socket()->Disconnect();
+  if (transport_->socket())

[vandebo (ex-Chrome), 2010/12/04 00:30:37]

When is this false?

[Ryan Hamilton, 2010/12/09 21:19:35]

So I think this was somewhat of a bug which I describe in my response to your
"recoverable error" comment.  However, I had to change this code to check for
transport_ to be non-null, since it will be null after
GetConnectResponseStream() is called.  Nice catch.

+    transport_->socket()->Disconnect();
 
   // Reset other states to make sure they aren't mistakenly used later.
   // These are the states initialized by Connect().
   next_state_ = STATE_NONE;
   user_callback_ = NULL;
 }
 
 bool HttpProxyClientSocket::IsConnected() const {
   return next_state_ == STATE_DONE && transport_->socket()->IsConnected();
 }
@@ skipping 239 matching lines @@
       // client is expecting an SSL protected response.
       // See http://crbug.com/7338.
     case 407:  // Proxy Authentication Required
       // We need this status code to allow proxy authentication.  Our
       // authentication code is smart enough to avoid being tricked by an
       // active network attacker.
       // The next state is intentionally not set as it should be STATE_NONE;
       return HandleAuthChallenge();
 
     default:
-      // For all other status codes, we conservatively fail the CONNECT
-      // request.
-      // We lose something by doing this.  We have seen proxy 403, 404, and
-      // 501 response bodies that contain a useful error message.  For
-      // example, Squid uses a 404 response to report the DNS error: "The
-      // domain name does not exist."
       LogBlockedTunnelResponse(response_.headers->response_code());

[vandebo (ex-Chrome), 2010/12/04 00:30:37]

Shouldn't this Log call be in the else clause?

[Ryan Hamilton, 2010/12/09 21:19:35]

Done.

-      return ERR_TUNNEL_CONNECTION_FAILED;
+      if (is_https_proxy_) {
+        return ERR_HTTPS_PROXY_TUNNEL_CONNECTION_RESPONSE;
+      } else {
+        // For all other status codes, we conservatively fail the CONNECT
+        // request.
+        // We lose something by doing this.  We have seen proxy 403, 404, and
+        // 501 response bodies that contain a useful error message.  For
+        // example, Squid uses a 404 response to report the DNS error: "The
+        // domain name does not exist."
+        return ERR_TUNNEL_CONNECTION_FAILED;
+      }
   }
 }
 
 int HttpProxyClientSocket::DoDrainBody() {
   DCHECK(drain_buf_);
   DCHECK(transport_->is_initialized());
   next_state_ = STATE_DRAIN_BODY_COMPLETE;
   return http_stream_parser_->ReadResponseBody(drain_buf_, kDrainBodyBufferSize,
                                                &io_callback_);
 }
@@ skipping 28 matching lines @@
 
   int rv = auth_->HandleAuthChallenge(response_.headers, false, true, net_log_);
   response_.auth_challenge = auth_->auth_info();
   if (rv == OK)
     return ERR_PROXY_AUTH_REQUESTED;
 
   return rv;
 }
 
 }  // namespace net