OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/base64.h" | 5 #include "base/base64.h" |
6 #include "base/basictypes.h" | 6 #include "base/basictypes.h" |
7 #include "base/strings/string_number_conversions.h" | 7 #include "base/strings/string_number_conversions.h" |
8 #include "base/strings/string_tokenizer.h" | 8 #include "base/strings/string_tokenizer.h" |
9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
10 #include "net/http/http_security_headers.h" | 10 #include "net/http/http_security_headers.h" |
(...skipping 255 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
266 case START: | 266 case START: |
267 case AFTER_MAX_AGE_LABEL: | 267 case AFTER_MAX_AGE_LABEL: |
268 case AFTER_MAX_AGE_EQUALS: | 268 case AFTER_MAX_AGE_EQUALS: |
269 return false; | 269 return false; |
270 default: | 270 default: |
271 NOTREACHED(); | 271 NOTREACHED(); |
272 return false; | 272 return false; |
273 } | 273 } |
274 } | 274 } |
275 | 275 |
276 // "Public-Key-Pins" ":" | 276 // "Public-Key-Pins[-Report-Only]" ":" |
277 // "max-age" "=" delta-seconds ";" | 277 // "max-age" "=" delta-seconds ";" |
278 // "pin-" algo "=" base64 [ ";" ... ] | 278 // "pin-" algo "=" base64 [ ";" ... ] |
279 // [ ";" "includeSubdomains" ] | |
280 // [ ";" "report-uri" "=" uri-reference ] | |
279 bool ParseHPKPHeader(const std::string& value, | 281 bool ParseHPKPHeader(const std::string& value, |
280 const HashValueVector& chain_hashes, | 282 const HashValueVector& chain_hashes, |
281 base::TimeDelta* max_age, | 283 base::TimeDelta* max_age, |
282 bool* include_subdomains, | 284 bool* include_subdomains, |
283 HashValueVector* hashes) { | 285 HashValueVector* hashes, |
286 std::string* report_uri) { | |
284 bool parsed_max_age = false; | 287 bool parsed_max_age = false; |
285 bool include_subdomains_candidate = false; | 288 bool include_subdomains_candidate = false; |
286 uint32 max_age_candidate = 0; | 289 uint32 max_age_candidate = 0; |
287 HashValueVector pins; | 290 HashValueVector pins; |
288 | 291 |
289 std::string source = value; | 292 std::string source = value; |
290 | 293 |
291 while (!source.empty()) { | 294 while (!source.empty()) { |
292 StringPair semicolon = Split(source, ';'); | 295 StringPair semicolon = Split(source, ';'); |
293 semicolon.first = Strip(semicolon.first); | 296 semicolon.first = Strip(semicolon.first); |
(...skipping 10 matching lines...) Expand all Loading... | |
304 } | 307 } |
305 parsed_max_age = true; | 308 parsed_max_age = true; |
306 } else if (base::LowerCaseEqualsASCII(equals.first, "pin-sha1")) { | 309 } else if (base::LowerCaseEqualsASCII(equals.first, "pin-sha1")) { |
307 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA1, &pins)) | 310 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA1, &pins)) |
308 return false; | 311 return false; |
309 } else if (base::LowerCaseEqualsASCII(equals.first, "pin-sha256")) { | 312 } else if (base::LowerCaseEqualsASCII(equals.first, "pin-sha256")) { |
310 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA256, &pins)) | 313 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA256, &pins)) |
311 return false; | 314 return false; |
312 } else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) { | 315 } else if (base::LowerCaseEqualsASCII(equals.first, "includesubdomains")) { |
313 include_subdomains_candidate = true; | 316 include_subdomains_candidate = true; |
317 } else if (base::LowerCaseEqualsASCII(equals.first, "report-uri")) { | |
318 // report-uris are always quoted. | |
319 if (!HttpUtil::IsQuote(equals.second[0])) | |
Ryan Sleevi
2015/06/26 19:41:52
SECURITY BUG: equals.second.empty() may be true, i
estark
2015/06/26 22:42:11
Done.
| |
320 return false; | |
321 | |
322 // TODO(estark): Handle relative URLs here. | |
323 *report_uri = HttpUtil::Unquote(equals.second); | |
324 if (report_uri->empty()) | |
325 return false; | |
314 } else { | 326 } else { |
315 // Silently ignore unknown directives for forward compatibility. | 327 // Silently ignore unknown directives for forward compatibility. |
316 } | 328 } |
317 | 329 |
318 source = semicolon.second; | 330 source = semicolon.second; |
319 } | 331 } |
320 | 332 |
321 if (!parsed_max_age) | 333 if (!parsed_max_age) |
322 return false; | 334 return false; |
323 | 335 |
324 if (!IsPinListValid(pins, chain_hashes)) | 336 if (!IsPinListValid(pins, chain_hashes)) |
325 return false; | 337 return false; |
326 | 338 |
327 *max_age = base::TimeDelta::FromSeconds(max_age_candidate); | 339 *max_age = base::TimeDelta::FromSeconds(max_age_candidate); |
328 *include_subdomains = include_subdomains_candidate; | 340 *include_subdomains = include_subdomains_candidate; |
329 hashes->swap(pins); | 341 hashes->swap(pins); |
330 | 342 |
331 return true; | 343 return true; |
332 } | 344 } |
333 | 345 |
334 } // namespace net | 346 } // namespace net |
OLD | NEW |