Allow a non-200 (or non-407) response for a CONNECT request from an HTTPS pro...

net/http/http_proxy_client_socket.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_proxy_client_socket.h"
 
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_log.h"
 #include "net/base/net_util.h"
+#include "net/http/http_basic_stream.h"
 #include "net/http/http_net_log_params.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_proxy_utils.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_stream_parser.h"
 #include "net/socket/client_socket_handle.h"
 
 namespace net {
 
 HttpProxyClientSocket::HttpProxyClientSocket(
     ClientSocketHandle* transport_socket,
     const GURL& request_url,
     const std::string& user_agent,
     const HostPortPair& endpoint,
     const HostPortPair& proxy_server,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory,
     bool tunnel,
-    bool using_spdy)
+    bool using_spdy,
+    bool is_https_proxy)
     : ALLOW_THIS_IN_INITIALIZER_LIST(
           io_callback_(this, &HttpProxyClientSocket::OnIOComplete)),
       next_state_(STATE_NONE),
       user_callback_(NULL),
       transport_(transport_socket),
       endpoint_(endpoint),
       auth_(tunnel ?
           new HttpAuthController(HttpAuth::AUTH_PROXY,
                                  GURL("http://" + proxy_server.ToString()),
                                  http_auth_cache,
                                  http_auth_handler_factory)
           : NULL),
       tunnel_(tunnel),
       using_spdy_(using_spdy),
+      is_https_proxy_(is_https_proxy),
       net_log_(transport_socket->socket()->NetLog()) {
   // Synthesize the bits of a request that we actually use.
   request_.url = request_url;
   request_.method = "GET";
   if (!user_agent.empty())
     request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent,
                                      user_agent);
 }
 
 HttpProxyClientSocket::~HttpProxyClientSocket() {
   Disconnect();
 }
 
+HttpStream* HttpProxyClientSocket::GetConnectResponseStream() {
+  return new HttpBasicStream(http_stream_parser_.release(),
+                             transport_.release());
+}
+
+
 int HttpProxyClientSocket::Connect(CompletionCallback* callback) {
   DCHECK(transport_.get());
   DCHECK(transport_->socket());
   DCHECK(!user_callback_);
 
   // TODO(rch): figure out the right way to set up a tunnel with SPDY.
   // This approach sends the complete HTTPS request to the proxy
   // which allows the proxy to see "private" data.  Instead, we should
   // create an SSL tunnel to the origin server using the CONNECT method
   // inside a single SPDY stream.
@@ skipping 66 matching lines @@
   return OK;
 }
 
 void HttpProxyClientSocket::LogBlockedTunnelResponse(int response_code) const {
   LOG(WARNING) << "Blocked proxy response with status " << response_code
                << " to CONNECT request for "
                << GetHostAndPort(request_.url) << ".";
 }
 
 void HttpProxyClientSocket::Disconnect() {
-  transport_->socket()->Disconnect();
+  if (transport_.get())
+    transport_->socket()->Disconnect();
 
   // Reset other states to make sure they aren't mistakenly used later.
   // These are the states initialized by Connect().
   next_state_ = STATE_NONE;
   user_callback_ = NULL;
 }
 
 bool HttpProxyClientSocket::IsConnected() const {
   return next_state_ == STATE_DONE && transport_->socket()->IsConnected();
 }
@@ skipping 239 matching lines @@
       // client is expecting an SSL protected response.
       // See http://crbug.com/7338.
     case 407:  // Proxy Authentication Required
       // We need this status code to allow proxy authentication.  Our
       // authentication code is smart enough to avoid being tricked by an
       // active network attacker.
       // The next state is intentionally not set as it should be STATE_NONE;
       return HandleAuthChallenge();
 
     default:
+      if (is_https_proxy_)
+        return ERR_HTTPS_PROXY_TUNNEL_CONNECTION_RESPONSE;

[vandebo (ex-Chrome), 2010/12/14 00:30:23]

Should you call response_.headers.RemoveHeader("KeepAlive") here to ensure that
the socket is not reused?

[Ryan Hamilton, 2010/12/15 20:14:17]

I'm not sure I follow.  Are you concerned about the SSL & TCP sockets (to the
proxy) being reused, or the Http|SpdyProxyClientSockets?  In the case of the
former, we send a valid HTTP request (CONNECT) to the proxy, and received a
valid (though non 200) HTTP response.  As such, it seems perfectly fine to reuse
the connection to the proxy.  Do you agree?

In the case of the Spdy|HttpProxyClientSocket, you're right that we don't want
them to be reused.  Of course, since the have released their transport sockets,
the're definitely not reusable :>  Does that sound right?

[vandebo (ex-Chrome), 2010/12/15 22:52:38]

You're right about this.  I wasn't thinking that this was a recoverable
condition, but of course it is.  The proxy connection can be reused for a
different CONNECT request.  The SSL socket is never set up, so there's no way
for it to get reused.

       // For all other status codes, we conservatively fail the CONNECT
       // request.
       // We lose something by doing this.  We have seen proxy 403, 404, and
       // 501 response bodies that contain a useful error message.  For
       // example, Squid uses a 404 response to report the DNS error: "The
       // domain name does not exist."
       LogBlockedTunnelResponse(response_.headers->response_code());
       return ERR_TUNNEL_CONNECTION_FAILED;
   }
 }
@@ skipping 36 matching lines @@
 
   int rv = auth_->HandleAuthChallenge(response_.headers, false, true, net_log_);
   response_.auth_challenge = auth_->auth_info();
   if (rv == OK)
     return ERR_PROXY_AUTH_REQUESTED;
 
   return rv;
 }
 
 }  // namespace net