Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(72)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_auth_controller.cc

Issue 9307093: Don't use IDENT_SRC_URL for HttpAuth challenges. IE hasn't supported it for years, and at worst ... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 8 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/http/http_network_transaction_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/http_auth_controller.h" 5 #include "net/http/http_auth_controller.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/bind_helpers.h" 8 #include "base/bind_helpers.h"
9 #include "base/metrics/histogram.h" 9 #include "base/metrics/histogram.h"
10 #include "base/string_util.h" 10 #include "base/string_util.h"
(...skipping 432 matching lines...) Expand 10 before | Expand all | Expand 10 after
443 // since the entry in the cache may be newer than what we used last time. 443 // since the entry in the cache may be newer than what we used last time.
444 http_auth_cache_->Remove(auth_origin_, handler_->realm(), 444 http_auth_cache_->Remove(auth_origin_, handler_->realm(),
445 handler_->auth_scheme(), identity_.credentials); 445 handler_->auth_scheme(), identity_.credentials);
446 } 446 }
447 447
448 bool HttpAuthController::SelectNextAuthIdentityToTry() { 448 bool HttpAuthController::SelectNextAuthIdentityToTry() {
449 DCHECK(CalledOnValidThread()); 449 DCHECK(CalledOnValidThread());
450 DCHECK(handler_.get()); 450 DCHECK(handler_.get());
451 DCHECK(identity_.invalid); 451 DCHECK(identity_.invalid);
452 452
453 // Try to use the username:password encoded into the URL first. 453 // Do not try to use the username:password encoded into the URL. At worst,
454 // this represents a session fixation attack against basic auth, and as it
455 // turns out, IE hasn't supported this for years. If a caller really wants
456 // to use embedded identities, the can add an URLRequest::Delegate that
457 // inspects the URL and supplies the username/password at OnAuthRequired()
458 // time. Past data shows this is used extremely infrequently in web pages,
459 // but continue to collect this data.
454 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() && 460 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
cbentzel 2012/02/06 21:18:58 Should this entire block be removed? Or do you wan
Tom Sepez 2012/02/06 21:22:02 I wants to keep the histogram.
455 !embedded_identity_used_) { 461 !embedded_identity_used_) {
456 identity_.source = HttpAuth::IDENT_SRC_URL;
457 identity_.invalid = false;
458 // Extract the username:password from the URL.
459 string16 username;
460 string16 password;
461 GetIdentityFromURL(auth_url_, &username, &password);
462 identity_.credentials.Set(username, password);
463 embedded_identity_used_ = true; 462 embedded_identity_used_ = true;
464 // TODO(eroman): If the password is blank, should we also try combining
465 // with a password from the cache?
466 UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true); 463 UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true);
467 return true;
468 } 464 }
469 465
470 // Check the auth cache for a realm entry. 466 // Check the auth cache for a realm entry.
471 HttpAuthCache::Entry* entry = 467 HttpAuthCache::Entry* entry =
472 http_auth_cache_->Lookup(auth_origin_, handler_->realm(), 468 http_auth_cache_->Lookup(auth_origin_, handler_->realm(),
473 handler_->auth_scheme()); 469 handler_->auth_scheme());
474 470
475 if (entry) { 471 if (entry) {
476 identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP; 472 identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
477 identity_.invalid = false; 473 identity_.invalid = false;
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
557 DCHECK(CalledOnValidThread()); 553 DCHECK(CalledOnValidThread());
558 return disabled_schemes_.find(scheme) != disabled_schemes_.end(); 554 return disabled_schemes_.find(scheme) != disabled_schemes_.end();
559 } 555 }
560 556
561 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) { 557 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
562 DCHECK(CalledOnValidThread()); 558 DCHECK(CalledOnValidThread());
563 disabled_schemes_.insert(scheme); 559 disabled_schemes_.insert(scheme);
564 } 560 }
565 561
566 } // namespace net 562 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/http/http_network_transaction_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698