Adding commandline option to override bans on certain port numbers through a ...

net/url_request/url_request_http_job.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/file_util.h"
@@ skipping 11 matching lines @@
 #include "net/base/ssl_cert_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_response_info.h"
 #include "net/http/http_transaction.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/http/http_util.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_error_job.h"
 
+// static
+std::set<int> URLRequestHttpJob::explicitly_allowed_ports_;
+
 // TODO(darin): make sure the port blocking code is not lost
 
 // static
 URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
                                           const std::string& scheme) {
   DCHECK(scheme == "http" || scheme == "https");
 
-  if (!net::IsPortAllowedByDefault(request->url().IntPort()))
+  int port = request->url().IntPort();
+  if (!net::IsPortAllowedByDefault(port) && !IsPortAllowedByOverride(port))
     return new URLRequestErrorJob(request, net::ERR_UNSAFE_PORT);
 
   if (!request->context() ||
       !request->context()->http_transaction_factory()) {
     NOTREACHED() << "requires a valid context";
     return new URLRequestErrorJob(request, net::ERR_INVALID_ARGUMENT);
   }
 
   // We cache the value of the switch because this code path is hit on every
   // network request.
   static const bool kForceHTTPS =
       CommandLine::ForCurrentProcess()->HasSwitch(switches::kForceHTTPS);
   if (kForceHTTPS && scheme == "http" &&
       request->context()->force_tls_state() &&
       request->context()->force_tls_state()->IsEnabledForHost(
           request->url().host()))
     return new URLRequestErrorJob(request, net::ERR_DISALLOWED_URL_SCHEME);
 
   return new URLRequestHttpJob(request);
 }
 
+// static
+void URLRequestHttpJob::SetExplicitlyAllowedPorts(

[darin (slow to review), 2009/09/01 06:49:23]

it seems like we'd want to allow port overrides for FTP as well, and possibly
for other protocols in the future.  perhaps it would be better to move this
override stuff to net_util so that it can be shared by other protocols.

+    const std::wstring& allowed_ports) {
+  if (allowed_ports.empty())
+    return;
+
+  std::set<int> ports;
+  size_t last = 0;
+  size_t size = allowed_ports.size();
+  // The comma delimiter.
+  const std::wstring::value_type kComma = L',';
+
+  // Overflow is still possible for evil user inputs.
+  for (size_t i = 0; i <= size; ++i) {
+    // The string should be composed of only digits and commas.
+    if (i != size && !IsAsciiDigit(allowed_ports[i]) &&
+        (allowed_ports[i] != kComma))
+      return;
+    if (i == size || allowed_ports[i] == kComma) {
+      size_t length = i - last;
+      if (length > 0)
+        ports.insert(StringToInt(allowed_ports.substr(last, length)));
+      last = i + 1;
+    }
+  }
+  explicitly_allowed_ports_ = ports;
+}
+
 URLRequestHttpJob::URLRequestHttpJob(URLRequest* request)
     : URLRequestJob(request),
       context_(request->context()),
       response_info_(NULL),
       proxy_auth_state_(net::AUTH_STATE_DONT_NEED_AUTH),
       server_auth_state_(net::AUTH_STATE_DONT_NEED_AUTH),
       ALLOW_THIS_IN_INITIALIZER_LIST(
           start_callback_(this, &URLRequestHttpJob::OnStartCompleted)),
       ALLOW_THIS_IN_INITIALIZER_LIST(
           read_callback_(this, &URLRequestHttpJob::OnReadCompleted)),
@@ skipping 267 matching lines @@
                                          &start_callback_);
   if (rv == net::ERR_IO_PENDING)
     return;
 
   // The transaction started synchronously, but we need to notify the
   // URLRequest delegate via the message loop.
   MessageLoop::current()->PostTask(FROM_HERE, NewRunnableMethod(
       this, &URLRequestHttpJob::OnStartCompleted, rv));
 }
 
+// static
+bool URLRequestHttpJob::IsPortAllowedByOverride(int port) {
+  if (explicitly_allowed_ports().empty())
+    return false;
+
+  std::set<int>::const_iterator it =
+      std::find(explicitly_allowed_ports().begin(),
+                explicitly_allowed_ports().end(),
+                port);
+
+  return it != explicitly_allowed_ports().end();
+}
+
 void URLRequestHttpJob::CancelAuth() {
   // Proxy gets set first, then WWW.
   if (proxy_auth_state_ == net::AUTH_STATE_NEED_AUTH) {
     proxy_auth_state_ = net::AUTH_STATE_CANCELED;
   } else {
     DCHECK(server_auth_state_ == net::AUTH_STATE_NEED_AUTH);
     server_auth_state_ = net::AUTH_STATE_CANCELED;
   }
 
   // These will be reset in OnStartCompleted.
@@ skipping 356 matching lines @@
   if (!ctx || !ctx->force_tls_state())
     return;
 
   std::string name = "X-Force-TLS";
   std::string value;
 
   void* iter = NULL;
   while (response_info_->headers->EnumerateHeader(&iter, name, &value))
     ctx->force_tls_state()->DidReceiveHeader(request_info_.url, value);
 }