Don't process HSTS/HPKP headers when host is an IP address
HSTS/HPKP headers should only be parsed when the host is not an IP
address. This change requires fixing the HSTS/HPKP tests to use
localhost test server URLs instead of 127.0.0.1, with a corresponding
cert.
BUG=456712
Committed: https://crrev.com/8488b5886ccec4820578905acd42f95cf42f5b17
Cr-Commit-Position: refs/heads/master@{#323913}
Committed: https://crrev.com/a5da7670ab3e46bfc6c0bc0e3d73c9d7eb835ed9
Cr-Commit-Position: refs/heads/master@{#324359}
Chris, Ryan, could you please take a look? This is the simplified approach to crbug.com/456712 ...
5 years, 8 months ago
(2015-04-03 19:41:16 UTC)
#2
Chris, Ryan, could you please take a look? This is the simplified approach to
crbug.com/456712 where I'm just using localhost for the HSTS/HPKP tests.
In follow-up CLs I'll apply some of the cleanup from crrev.com/1058573002 (using
MockCertVerifiers, fixing tests that hardcode 127.0.0.1).
palmer
LGTM. Thanks! https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh File net/data/ssl/scripts/generate-test-certs.sh (right): https://codereview.chromium.org/1059303002/diff/40001/net/data/ssl/scripts/generate-test-certs.sh#newcode16 net/data/ssl/scripts/generate-test-certs.sh:16: "$@" || exit 1 Idea (take it ...
5 years, 8 months ago
(2015-04-03 21:04:51 UTC)
#3
suggestion from Chris to retain exit code of a failed command in |try|
5 years, 8 months ago
(2015-04-03 21:27:36 UTC)
#5
suggestion from Chris to retain exit code of a failed command in |try|
Ryan Sleevi
Mostly LGTM, but it wouldn't be a review w/o nits. https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf File net/data/ssl/scripts/ee.cnf (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf#newcode41 ...
5 years, 8 months ago
(2015-04-04 00:35:24 UTC)
#6
Thanks rsleevi, quick question inline before I address your nits. https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh File net/data/ssl/scripts/generate-cross-signed-certs.sh (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/generate-cross-signed-certs.sh#newcode22 ...
5 years, 8 months ago
(2015-04-04 00:40:18 UTC)
#7
Thanks rsleevi, quick question inline before I address your nits.
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
File net/data/ssl/scripts/generate-cross-signed-certs.sh (right):
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
net/data/ssl/scripts/generate-cross-signed-certs.sh:22: "$@" || (e=$?; echo "$@"
> /dev/stderr && exit $e)
On 2015/04/04 00:35:24, Ryan Sleevi wrote:
> bash-dog says "I have no idea what's this doing" (Guessing it mutes output
> unless there's an error, in which case, it spits out the command and then
passes
> the error code through?)
>
> go back to try()? *shrug*
So you like try/quiet_try better? My goal is to call do `blah openssl x509 -text
> ..." which means that |blah| can't print to stdout without messing up the
output file.
5 years, 8 months ago
(2015-04-04 00:46:43 UTC)
#8
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
File net/data/ssl/scripts/generate-cross-signed-certs.sh (right):
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
net/data/ssl/scripts/generate-cross-signed-certs.sh:22: "$@" || (e=$?; echo "$@"
> /dev/stderr && exit $e)
On 2015/04/04 00:40:18, emily wrote:
> So you like try/quiet_try better? My goal is to call do `blah openssl x509
-text
> > ..." which means that |blah| can't print to stdout without messing up the
> output file.
Oh, right, fair point.
Mostly my comment was alternatively phrased "I have no idea what this is doing,
so I'm relying on palmer, who I know has validated that this is valid sh syntax
per line 1 and not some crazy dialect of zsh/bash/fooblahwhateversh" and "I
really like consistency in these scripts, and this changes the expectations for
what 'try' means, so maybe we shouldn't do it, or, if we're going to do it,
update the other scripts to be consistent'
5 years, 8 months ago
(2015-04-04 01:48:56 UTC)
#9
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
File net/data/ssl/scripts/generate-cross-signed-certs.sh (right):
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/g...
net/data/ssl/scripts/generate-cross-signed-certs.sh:22: "$@" || (e=$?; echo "$@"
> /dev/stderr && exit $e)
Yes, this is all standard POSIX shell syntax, no modern day crazyshell magic. It
means:
run the args as a command
if the exit code was not 0, start a subshell
in which we save the exit code,
print the failed command to stderr,
and if printing succeeded, exit with the exit code the command exited with,
rather than an arbitrary choice like 1 (else exit with echo's error code!)
That said, I would do:
"$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
I.e. replace the "&&" with ";". That way, even if echo were to fail for some
reason :) we'd still exit with the saved error code.
We are deep into the nit-weeds on a Friday, and it makes me feel giddy
estark
https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf File net/data/ssl/scripts/ee.cnf (right): https://codereview.chromium.org/1059303002/diff/100001/net/data/ssl/scripts/ee.cnf#newcode41 net/data/ssl/scripts/ee.cnf:41: [req_extensions_none] On 2015/04/04 00:35:24, Ryan Sleevi wrote: > Nah, ...
5 years, 8 months ago
(2015-04-06 16:41:13 UTC)
#10
rsleevi, palmer: is the cause of this test failure obvious to either of you? https://build.chromium.org/p/chromium.mac/builders/Mac10.6%20Tests/builds/758 ...
5 years, 8 months ago
(2015-04-06 20:15:59 UTC)
#17
5 years, 8 months ago
(2015-04-07 00:34:41 UTC)
#18
Patchset #10 (id:180001) has been deleted
estark
Okay, so it turns out this test failure is probably due to a Mac 10.6 ...
5 years, 8 months ago
(2015-04-07 00:50:46 UTC)
#19
Okay, so it turns out this test failure is probably due to a Mac 10.6
bug/weirdness where |getaddrinfo("localhost", 0)| just fails:
https://bugs.python.org/issue20605, https://www.ruby-forum.com/topic/207745
I uploaded a patchset with an ugly workaround (the python test server will
insist on using 127.0.0.1 instead of localhost when creating websockets servers
with port=0). Could you please take a look and let me know if anything better
comes to mind, rsleevi/palmer?
estark
On 2015/04/07 00:50:46, emily wrote: > Okay, so it turns out this test failure is ...
5 years, 8 months ago
(2015-04-08 22:19:54 UTC)
#20
On 2015/04/07 00:50:46, emily wrote:
> Okay, so it turns out this test failure is probably due to a Mac 10.6
> bug/weirdness where |getaddrinfo("localhost", 0)| just fails:
> https://bugs.python.org/issue20605, https://www.ruby-forum.com/topic/207745
>
> I uploaded a patchset with an ugly workaround (the python test server will
> insist on using 127.0.0.1 instead of localhost when creating websockets
servers
> with port=0). Could you please take a look and let me know if anything better
> comes to mind, rsleevi/palmer?
ping -- anyone have objections to or suggestions about avoiding
getaddrinfo("localhost", 0) when spawning the test server? This is the hacky
workaround in question:
https://codereview.chromium.org/1059303002/diff2/200001:220001/net/tools/test...
palmer
Your workaround seems OK to me.
5 years, 8 months ago
(2015-04-08 23:01:49 UTC)
#21
Your workaround seems OK to me.
Ryan Sleevi
On 2015/04/08 23:01:49, palmer wrote: > Your workaround seems OK to me. Sorry for the ...
5 years, 8 months ago
(2015-04-09 00:35:43 UTC)
#22
On 2015/04/08 23:01:49, palmer wrote:
> Your workaround seems OK to me.
Sorry for the delay - ditto. Thanks for digging in.
estark
The CQ bit was checked by estark@chromium.org
5 years, 8 months ago
(2015-04-09 00:38:07 UTC)
#23
Issue 1059303002: Don't process HSTS/HPKP headers when host is an IP address
(Closed)
Created 5 years, 8 months ago by estark
Modified 5 years, 8 months ago
Reviewers: Ryan Sleevi, palmer
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Comments: 22