Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(123)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_stream_parser.cc

Issue 1276943003: Re-disable support for HTTP/0.9 responses < 8 bytes over SSL. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Response to comments Created 5 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/http_stream_parser.h" 5 #include "net/http/http_stream_parser.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/compiler_specific.h" 8 #include "base/compiler_specific.h"
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/metrics/histogram_macros.h" 10 #include "base/metrics/histogram_macros.h"
(...skipping 765 matching lines...) Expand 10 before | Expand all | Expand 10 after
776 // HTTP/0.9 responses, but it was most likely an error, so just return 776 // HTTP/0.9 responses, but it was most likely an error, so just return
777 // ERR_EMPTY_RESPONSE instead. If the connection was reused, just pass 777 // ERR_EMPTY_RESPONSE instead. If the connection was reused, just pass
778 // on the original connection close error, as rather than being an 778 // on the original connection close error, as rather than being an
779 // empty HTTP/0.9 response it's much more likely the server closed the 779 // empty HTTP/0.9 response it's much more likely the server closed the
780 // socket before it received the request. 780 // socket before it received the request.
781 if (!connection_->is_reused()) 781 if (!connection_->is_reused())
782 return ERR_EMPTY_RESPONSE; 782 return ERR_EMPTY_RESPONSE;
783 return result; 783 return result;
784 } 784 }
785 785
786 // Accepting truncated headers over HTTPS is a potential security
787 // vulnerability, so just return an error in that case.
788 //
789 // If response_header_start_offset_ is -1, this may be a < 8 byte HTTP/0.9
790 // response. However, accepting such a response over HTTPS would allow a
791 // MITM to truncate an HTTP/1.x status line to look like a short HTTP/0.9
792 // response if the peer put a record boundary at the first 8 bytes. To
793 // ensure that all response headers received over HTTPS are pristine, treat
794 // such responses as errors.
795 //
796 // TODO(mmenke): Returning ERR_RESPONSE_HEADERS_TRUNCATED when a response
797 // looks like an HTTP/0.9 response is weird. Should either come up with
798 // another error code, or, better, disable HTTP/0.9 over HTTPS (and give
799 // that a new error code).
800 if (request_->url.SchemeIsCryptographic()) {
801 io_state_ = STATE_DONE;
802 return ERR_RESPONSE_HEADERS_TRUNCATED;
803 }
804
786 // Parse things as well as we can and let the caller decide what to do. 805 // Parse things as well as we can and let the caller decide what to do.
787 int end_offset; 806 int end_offset;
788 if (response_header_start_offset_ >= 0) { 807 if (response_header_start_offset_ >= 0) {
789 // The response looks to be a truncated set of HTTP headers. 808 // The response looks to be a truncated set of HTTP headers.
790
791 // Accepting truncated headers over HTTPS is a potential security
792 // vulnerability, so just return an error in that case.
793 if (request_->url.SchemeIsCryptographic()) {
794 io_state_ = STATE_DONE;
795 return ERR_RESPONSE_HEADERS_TRUNCATED;
796 }
797
798 io_state_ = STATE_READ_BODY_COMPLETE; 809 io_state_ = STATE_READ_BODY_COMPLETE;
799 end_offset = read_buf_->offset(); 810 end_offset = read_buf_->offset();
800 RecordHeaderParserEvent(HEADER_ALLOWED_TRUNCATED_HEADERS); 811 RecordHeaderParserEvent(HEADER_ALLOWED_TRUNCATED_HEADERS);
801 } else { 812 } else {
802 // The response is apparently using HTTP/0.9. Treat the entire response 813 // The response is apparently using HTTP/0.9. Treat the entire response
803 // as the body. 814 // as the body.
804 end_offset = 0; 815 end_offset = 0;
805 } 816 }
806 int rv = ParseResponseHeaders(end_offset); 817 int rv = ParseResponseHeaders(end_offset);
807 if (rv < 0) 818 if (rv < 0)
(...skipping 291 matching lines...) Expand 10 before | Expand all | Expand 10 after
1099 request_body->IsInMemory() && 1110 request_body->IsInMemory() &&
1100 request_body->size() > 0) { 1111 request_body->size() > 0) {
1101 uint64 merged_size = request_headers.size() + request_body->size(); 1112 uint64 merged_size = request_headers.size() + request_body->size();
1102 if (merged_size <= kMaxMergedHeaderAndBodySize) 1113 if (merged_size <= kMaxMergedHeaderAndBodySize)
1103 return true; 1114 return true;
1104 } 1115 }
1105 return false; 1116 return false;
1106 } 1117 }
1107 1118
1108 } // namespace net 1119 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698