Common Name Mismatch Handler For WWW Subdomain Mismatch case

chrome/browser/ssl/common_name_mismatch_handler.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/common_name_mismatch_handler.h"
+
+#include "base/callback_helpers.h"
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "chrome/browser/ssl/ssl_error_classification.h"
+#include "net/base/load_flags.h"
+#include "net/http/http_response_headers.h"
+#include "net/http/http_util.h"
+#include "net/url_request/url_request_status.h"
+
+CommonNameMismatchHandler::CommonNameMismatchHandler(
+    const GURL& request_url,
+    const scoped_refptr<net::URLRequestContextGetter>& request_context)
+    : request_url_(request_url), request_context_(request_context) {}
+
+CommonNameMismatchHandler::~CommonNameMismatchHandler() {}
+
+// static
+CommonNameMismatchHandler::TestingState
+    CommonNameMismatchHandler::testing_state_ = NOT_TESTING;
+
+void CommonNameMismatchHandler::CheckSuggestedUrl(
+    const GURL& url,
+    const CheckUrlCallback& callback) {
+  // Should be used only in tests.
+  if (testing_state_ == IGNORE_REQUESTS_FOR_TESTING)
+    return;
+
+  DCHECK(CalledOnValidThread());
+  DCHECK(!IsCheckingSuggestedUrl());
+  DCHECK(check_url_callback_.is_null());
+
+  check_url_callback_ = callback;
+
+  url_fetcher_ = net::URLFetcher::Create(0 /* testing ID */, url,
+                                         net::URLFetcher::HEAD, this);

[davidben, 2015/08/17 18:59:18]

If you're always passing zero, you can use the ID-less
net::URLFetcher::Create(url, net::URLFetcher::HEAD, this);

[Bhanu Dev, 2015/08/18 05:09:09]

Done.

+  url_fetcher_->SetAutomaticallyRetryOn5xx(false);
+  url_fetcher_->SetRequestContext(request_context_.get());
+
+  // Can't safely use net::LOAD_DISABLE_CERT_REVOCATION_CHECKING here,
+  // since then the connection may be reused without checking the cert.
+  url_fetcher_->SetLoadFlags(net::LOAD_DO_NOT_SAVE_COOKIES |
+                             net::LOAD_DO_NOT_SEND_COOKIES |
+                             net::LOAD_DO_NOT_SEND_AUTH_DATA);
+  url_fetcher_->Start();
+}
+
+// static
+bool CommonNameMismatchHandler::GetSuggestedUrl(
+    const GURL& request_url,
+    const std::vector<std::string>& dns_names,
+    GURL* suggested_url) {
+  std::string host_name = request_url.host();
+  std::string www_mismatch_hostname;
+  if (!SSLErrorClassification::GetWWWSubDomainMatch(host_name, dns_names,
+                                                    &www_mismatch_hostname)) {
+    return false;
+  }
+  // The full URL should be pinged, not just the new hostname. So, get the
+  // |suggested_url| with the |request_url|'s hostname replaced with
+  // new hostname. Keep resource path, query params the same.
+  GURL::Replacements replacements;
+  replacements.SetHostStr(www_mismatch_hostname);
+  *suggested_url = request_url.ReplaceComponents(replacements);
+  return true;
+}
+
+void CommonNameMismatchHandler::Cancel() {
+  url_fetcher_.reset();
+  check_url_callback_.Reset();
+}
+
+void CommonNameMismatchHandler::OnURLFetchComplete(
+    const net::URLFetcher* source) {
+  DCHECK(CalledOnValidThread());
+  DCHECK(IsCheckingSuggestedUrl());
+  DCHECK_EQ(url_fetcher_.get(), source);
+  DCHECK(!check_url_callback_.is_null());
+  DCHECK(!url_fetcher_.get()->GetStatus().is_io_pending());
+
+  SuggestedUrlCheckResult result = SUGGESTED_URL_NOT_AVAILABLE;
+  // |suggested_url| and |landing_url| can be different in case of a redirect.
+  const GURL& suggested_url = url_fetcher_.get()->GetOriginalURL();
+  const GURL& landing_url = url_fetcher_.get()->GetURL();

[davidben, 2015/08/17 18:59:18]

url_fetcher_->GetOriginalURL(), url_fetcher_->GetURL()

[Bhanu Dev, 2015/08/18 05:09:09]

Done.

+
+  // Make sure the |landing_url| is a HTTPS page and returns a proper response
+  // code.
+  if (url_fetcher_.get()->GetResponseCode() == 200 &&
+      landing_url.SchemeIsCryptographic() &&
+      landing_url.host() != request_url_.host()) {
+    result = SUGGESTED_URL_AVAILABLE;
+  }
+  url_fetcher_.reset();
+  base::ResetAndReturn(&check_url_callback_).Run(result, suggested_url);

[davidben, 2015/08/17 18:59:18]

Using suggested_url here is a UAF since you called url_fetcher_.reset(), you
saved it as a const reference, and URLFetcher itself returns a const reference.
It should be:

  GURL suggested_url = url_fetcher->GetOriginalURL();

[Bhanu Dev, 2015/08/18 05:09:09]

Done.

+}
+
+bool CommonNameMismatchHandler::IsCheckingSuggestedUrl() const {
+  return url_fetcher_;

[davidben, 2015/08/17 18:59:18]

You should run a try job to check, but I think MSVC will get unhappy at this and
want something like:
  return !!url_fetcher_;

[Ryan Sleevi, 2015/08/18 04:31:55]

You've raised this before David ;)

No, pointer->bool is well defined, as are scoped_ptr<> and scoped_refptr<>

The only conversion is int/BOOL to bool. Everything else is fine :)

[Bhanu Dev, 2015/08/18 05:09:09]

Done.

+}