net: limit HSTS ages to one year.

net/base/transport_security_state.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/scoped_ptr.h"
 #include "base/sha2.h"
 #include "base/string_number_conversions.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/dns_util.h"
 
 namespace net {
 
+const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
+
 TransportSecurityState::TransportSecurityState()
     : delegate_(NULL) {
 }
 
 void TransportSecurityState::EnableHost(const std::string& host,
                                         const DomainState& state) {
   const std::string canonicalised_host = CanonicaliseHost(host);
   if (canonicalised_host.empty())
     return;
 
@@ skipping 58 matching lines @@
     // include_subdomains is.
     if (i == 0)
       return true;
 
     return j->second.include_subdomains;
   }
 
   return false;
 }
 
+// MaxAgeToInt converts a string representation of a number of seconds into a
+// int. We use strtol in order to handle overflow correctly. The string may
+// contain an arbitary number which we should truncate correctly rather than
+// throwing a parse failure.
+static bool MaxAgeToInt(std::string::const_iterator begin,
+                        std::string::const_iterator end,
+                        int* result) {
+  const std::string s(begin, end);
+  char* endptr;
+  long int i = strtol(s.data(), &endptr, 10 /* base */);
+  if (*endptr || i < 0)
+    return false;
+  if (i > TransportSecurityState::kMaxHSTSAgeSecs)
+    i = TransportSecurityState::kMaxHSTSAgeSecs;
+  *result = i;
+  return true;
+}
+
 // "Strict-Transport-Security" ":"
 //     "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]
 bool TransportSecurityState::ParseHeader(const std::string& value,
                                          int* max_age,
                                          bool* include_subdomains) {
   DCHECK(max_age);
   DCHECK(include_subdomains);
 
-  int max_age_candidate;
+  int max_age_candidate = 0;
 
   enum ParserState {
     START,
     AFTER_MAX_AGE_LABEL,
     AFTER_MAX_AGE_EQUALS,
     AFTER_MAX_AGE,
     AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER,
     AFTER_INCLUDE_SUBDOMAINS,
   } state = START;
 
@@ skipping 15 matching lines @@
           continue;
         if (*tokenizer.token_begin() != '=')
           return false;
         DCHECK(tokenizer.token().length() ==  1);
         state = AFTER_MAX_AGE_EQUALS;
         break;
 
       case AFTER_MAX_AGE_EQUALS:
         if (IsAsciiWhitespace(*tokenizer.token_begin()))
           continue;
-        if (!base::StringToInt(tokenizer.token_begin(),
-                               tokenizer.token_end(),
-                               &max_age_candidate))
-          return false;
-        if (max_age_candidate < 0)
+        if (!MaxAgeToInt(tokenizer.token_begin(),
+                         tokenizer.token_end(),
+                         &max_age_candidate))
           return false;
         state = AFTER_MAX_AGE;
         break;
 
       case AFTER_MAX_AGE:
         if (IsAsciiWhitespace(*tokenizer.token_begin()))
           continue;
         if (*tokenizer.token_begin() != ';')
           return false;
         state = AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER;
@@ skipping 263 matching lines @@
         *include_subdomains = kPreloadedSTS[j].include_subdomains;
         return true;
       }
     }
   }
 
   return false;
 }
 
 }  // namespace