Add histograms for a number of hacks in the HTTP header parsing logic.

net/http/http_stream_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_parser.h"
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/upload_data_stream.h"
 #include "net/http/http_chunked_decoder.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 
 namespace net {
 
 namespace {
 
+enum HttpHeaderParserEvent {
+  HEADER_PARSER_INVOKED = 0,
+  HEADER_HTTP_09_RESPONSE = 1,
+  HEADER_ALLOWED_TRUNCATED_HEADERS = 2,
+  HEADER_SKIPPED_WS_PREFIX = 3,
+  HEADER_SKIPPED_NON_WS_PREFIX = 4,
+  NUM_HEADER_EVENTS
+};
+
+void RecordHeaderParserEvent(HttpHeaderParserEvent header_event) {
+  UMA_HISTOGRAM_ENUMERATION("Net.HttpHeaderParserEvent", header_event,
+                            NUM_HEADER_EVENTS);
+}
+
 const uint64 kMaxMergedHeaderAndBodySize = 1400;
 const size_t kRequestBodyBufferSize = 1 << 14;  // 16KB
 
 std::string GetResponseHeaderLines(const HttpResponseHeaders& headers) {
   std::string raw_headers = headers.raw_headers();
   const char* null_separated_headers = raw_headers.c_str();
   const char* header_line = null_separated_headers;
   std::string cr_separated_headers;
   while (header_line[0] != 0) {
     cr_separated_headers += header_line;
@@ skipping 783 matching lines @@
     } else if (request_->url.SchemeIsSecure()) {
       // The connection was closed in the middle of the headers. For HTTPS we
       // don't parse partial headers. Return a different error code so that we
       // know that we shouldn't attempt to retry the request.
       io_state_ = STATE_DONE;
       return ERR_RESPONSE_HEADERS_TRUNCATED;
     }
     // Parse things as well as we can and let the caller decide what to do.
     int end_offset;
     if (response_header_start_offset_ >= 0) {
+      // The response looks to be a truncated set of HTTP headers.
       io_state_ = STATE_READ_BODY_COMPLETE;
       end_offset = read_buf_->offset();
+      RecordHeaderParserEvent(HEADER_ALLOWED_TRUNCATED_HEADERS);
     } else {
-      // Now waiting for the body to be read.
+      // The response is apparently using HTTP/0.9.  Treat the entire response
+      // the body.
       end_offset = 0;
     }
-    int rv = DoParseResponseHeaders(end_offset);
+    int rv = ParseResponseHeaders(end_offset);
     if (rv < 0)
       return rv;
     return result;
   }
 
   read_buf_->set_offset(read_buf_->offset() + result);
   DCHECK_LE(read_buf_->offset(), read_buf_->capacity());
   DCHECK_GE(result,  0);
 
-  int end_of_header_offset = ParseResponseHeaders();
+  int end_of_header_offset = FindAndParseResponseHeaders();
 
   // Note: -1 is special, it indicates we haven't found the end of headers.
   // Anything less than -1 is a net::Error, so we bail out.
   if (end_of_header_offset < -1)
     return end_of_header_offset;
 
   if (end_of_header_offset == -1) {
     io_state_ = STATE_READ_HEADERS;
     // Prevent growing the headers buffer indefinitely.
     if (read_buf_->offset() >= kMaxHeaderBufSize) {
@@ skipping 30 matching lines @@
       return OK;
     }
 
     // Note where the headers stop.
     read_buf_unused_offset_ = end_of_header_offset;
     // Now waiting for the body to be read.
   }
   return result;
 }
 
-int HttpStreamParser::ParseResponseHeaders() {
+int HttpStreamParser::FindAndParseResponseHeaders() {
   int end_offset = -1;
   DCHECK_EQ(0, read_buf_unused_offset_);
 
   // Look for the start of the status line, if it hasn't been found yet.
   if (response_header_start_offset_ < 0) {
     response_header_start_offset_ = HttpUtil::LocateStartOfStatusLine(
         read_buf_->StartOfBuffer(), read_buf_->offset());
   }
 
   if (response_header_start_offset_ >= 0) {
     end_offset = HttpUtil::LocateEndOfHeaders(read_buf_->StartOfBuffer(),
                                               read_buf_->offset(),
                                               response_header_start_offset_);
   } else if (read_buf_->offset() >= 8) {
     // Enough data to decide that this is an HTTP/0.9 response.
     // 8 bytes = (4 bytes of junk) + "http".length()
     end_offset = 0;
   }
 
   if (end_offset == -1)
     return -1;
 
-  int rv = DoParseResponseHeaders(end_offset);
+  int rv = ParseResponseHeaders(end_offset);
   if (rv < 0)
     return rv;
   return end_offset;
 }
 
-int HttpStreamParser::DoParseResponseHeaders(int end_offset) {
+int HttpStreamParser::ParseResponseHeaders(int end_offset) {
   scoped_refptr<HttpResponseHeaders> headers;
   DCHECK_EQ(0, read_buf_unused_offset_);
 
+  RecordHeaderParserEvent(HEADER_PARSER_INVOKED);
+
+  if (response_header_start_offset_ > 0) {
+    bool has_non_whitespace_in_prefix = false;
+    for (int i = 0; i < response_header_start_offset_; ++i) {
+      if (!strchr(" \t\r\n", read_buf_->StartOfBuffer()[i])) {
+        has_non_whitespace_in_prefix = true;
+        break;
+      }
+    }
+    if (has_non_whitespace_in_prefix) {
+      RecordHeaderParserEvent(HEADER_SKIPPED_NON_WS_PREFIX);
+    } else {
+      RecordHeaderParserEvent(HEADER_SKIPPED_WS_PREFIX);
+    }
+  }
+
   if (response_header_start_offset_ >= 0) {
     received_bytes_ += end_offset;
     headers = new HttpResponseHeaders(HttpUtil::AssembleRawHeaders(
         read_buf_->StartOfBuffer(), end_offset));
   } else {
     // Enough data was read -- there is no status line.
     headers = new HttpResponseHeaders(std::string("HTTP/0.9 200 OK"));
+    RecordHeaderParserEvent(HEADER_HTTP_09_RESPONSE);
   }
 
   // Check for multiple Content-Length headers with no Transfer-Encoding header.
   // If they exist, and have distinct values, it's a potential response
   // smuggling attack.
   if (!headers->HasHeader("Transfer-Encoding")) {
     if (HeadersContainMultipleCopiesOfField(*headers.get(), "Content-Length"))
       return ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH;
   }
 
@@ skipping 145 matching lines @@
       request_body->IsInMemory() &&
       request_body->size() > 0) {
     uint64 merged_size = request_headers.size() + request_body->size();
     if (merged_size <= kMaxMergedHeaderAndBodySize)
       return true;
   }
   return false;
 }
 
 }  // namespace net