Allow a non-200 (or non-407) response for a CONNECT request from an HTTPS pro...

net/http/http_proxy_client_socket.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_proxy_client_socket.h"
 
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_log.h"
 #include "net/base/net_util.h"
+#include "net/http/http_basic_stream.h"
 #include "net/http/http_net_log_params.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_proxy_utils.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_stream_parser.h"
 #include "net/socket/client_socket_handle.h"
 
 namespace net {
 
 HttpProxyClientSocket::HttpProxyClientSocket(
     ClientSocketHandle* transport_socket,
     const GURL& request_url,
     const std::string& user_agent,
     const HostPortPair& endpoint,
     const HostPortPair& proxy_server,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory,
     bool tunnel,
-    bool using_spdy)
+    bool using_spdy,
+    bool is_https_proxy)
     : ALLOW_THIS_IN_INITIALIZER_LIST(
           io_callback_(this, &HttpProxyClientSocket::OnIOComplete)),
       next_state_(STATE_NONE),
       user_callback_(NULL),
       transport_(transport_socket),
       endpoint_(endpoint),
       auth_(tunnel ?
           new HttpAuthController(HttpAuth::AUTH_PROXY,
                                  GURL("http://" + proxy_server.ToString()),
                                  http_auth_cache,
                                  http_auth_handler_factory)
           : NULL),
       tunnel_(tunnel),
       using_spdy_(using_spdy),
+      is_https_proxy_(is_https_proxy),
       net_log_(transport_socket->socket()->NetLog()) {
   // Synthesize the bits of a request that we actually use.
   request_.url = request_url;
   request_.method = "GET";
   if (!user_agent.empty())
     request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent,
                                      user_agent);
 }
 
 HttpProxyClientSocket::~HttpProxyClientSocket() {
   Disconnect();
 }
 
+HttpStream* HttpProxyClientSocket::CreateConnectResponseStream() {
+  return new HttpBasicStream(transport_.release(),
+                             http_stream_parser_.release(), false);
+}
+
+
 int HttpProxyClientSocket::Connect(CompletionCallback* callback) {
   DCHECK(transport_.get());
   DCHECK(transport_->socket());
   DCHECK(!user_callback_);
 
   // TODO(rch): figure out the right way to set up a tunnel with SPDY.
   // This approach sends the complete HTTPS request to the proxy
   // which allows the proxy to see "private" data.  Instead, we should
   // create an SSL tunnel to the origin server using the CONNECT method
   // inside a single SPDY stream.
@@ skipping 66 matching lines @@
   return OK;
 }
 
 void HttpProxyClientSocket::LogBlockedTunnelResponse(int response_code) const {
   LOG(WARNING) << "Blocked proxy response with status " << response_code
                << " to CONNECT request for "
                << GetHostAndPort(request_.url) << ".";
 }
 
 void HttpProxyClientSocket::Disconnect() {
-  transport_->socket()->Disconnect();
+  if (transport_.get())
+    transport_->socket()->Disconnect();
 
   // Reset other states to make sure they aren't mistakenly used later.
   // These are the states initialized by Connect().
   next_state_ = STATE_NONE;
   user_callback_ = NULL;
 }
 
 bool HttpProxyClientSocket::IsConnected() const {
   return next_state_ == STATE_DONE && transport_->socket()->IsConnected();
 }
@@ skipping 239 matching lines @@
       // client is expecting an SSL protected response.
       // See http://crbug.com/7338.
     case 407:  // Proxy Authentication Required
       // We need this status code to allow proxy authentication.  Our
       // authentication code is smart enough to avoid being tricked by an
       // active network attacker.
       // The next state is intentionally not set as it should be STATE_NONE;
       return HandleAuthChallenge();
 
     default:
+      if (is_https_proxy_)
+        return ERR_HTTPS_PROXY_TUNNEL_RESPONSE;
       // For all other status codes, we conservatively fail the CONNECT
       // request.
       // We lose something by doing this.  We have seen proxy 403, 404, and
       // 501 response bodies that contain a useful error message.  For
       // example, Squid uses a 404 response to report the DNS error: "The
       // domain name does not exist."
       LogBlockedTunnelResponse(response_.headers->response_code());
       return ERR_TUNNEL_CONNECTION_FAILED;
   }
 }
@@ skipping 36 matching lines @@
 
   int rv = auth_->HandleAuthChallenge(response_.headers, false, true, net_log_);
   response_.auth_challenge = auth_->auth_info();
   if (rv == OK)
     return ERR_PROXY_AUTH_REQUESTED;
 
   return rv;
 }
 
 }  // namespace net