Disallow redirects in SDCH dictionary fetches.

net/url_request/sdch_dictionary_fetcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/sdch_dictionary_fetcher.h"
 
 #include <stdint.h>
 #include <queue>
 #include <set>
 
 #include "base/auto_reset.h"
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/macros.h"
 #include "base/thread_task_runner_handle.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/base/sdch_net_log_params.h"
 #include "net/http/http_response_headers.h"
 #include "net/log/net_log.h"
+#include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_status.h"
 #include "net/url_request/url_request_throttler_manager.h"
 
 namespace net {
 
 namespace {
 
 const int kBufferSize = 4096;
 
@@ skipping 105 matching lines @@
 
 void SdchDictionaryFetcher::Cancel() {
   DCHECK(CalledOnValidThread());
 
   ResetRequest();
   next_state_ = STATE_NONE;
 
   fetch_queue_->Clear();
 }
 
+void SdchDictionaryFetcher::OnReceivedRedirect(
+    URLRequest* request,
+    const RedirectInfo& redirect_info,
+    bool* defer_redirect) {
+  DCHECK_EQ(next_state_, STATE_SEND_REQUEST_PENDING);
+
+  next_state_ = STATE_RECEIVED_REDIRECT;
+
+  DoLoop(OK);
+}
+
 void SdchDictionaryFetcher::OnResponseStarted(URLRequest* request) {
   DCHECK(CalledOnValidThread());
   DCHECK_EQ(request, current_request_.get());
-  DCHECK_EQ(next_state_, STATE_SEND_REQUEST_COMPLETE);
+  DCHECK_EQ(next_state_, STATE_SEND_REQUEST_PENDING);
   DCHECK(!in_loop_);
 
   // Confirm that the response isn't a stale read from the cache (as
   // may happen in the reload case).  If the response was not retrieved over
   // HTTP, it is presumed to be fresh.
   HttpResponseHeaders* response_headers = request->response_headers();
   int result = request->status().error();
   if (result == OK && response_headers) {
     ValidationType validation_type = response_headers->RequiresValidation(
         request->response_info().request_time,
@@ skipping 61 matching lines @@
   DCHECK(!in_loop_);
   base::AutoReset<bool> auto_reset_in_loop(&in_loop_, true);
 
   do {
     State state = next_state_;
     next_state_ = STATE_NONE;
     switch (state) {
       case STATE_SEND_REQUEST:
         rv = DoSendRequest(rv);
         break;
-      case STATE_SEND_REQUEST_COMPLETE:
-        rv = DoSendRequestComplete(rv);
+      case STATE_RECEIVED_REDIRECT:
+        rv = DoReceivedRedirect(rv);
+        break;
+      case STATE_SEND_REQUEST_PENDING:
+        rv = DoSendRequestPending(rv);
         break;
       case STATE_READ_BODY:
         rv = DoReadBody(rv);
         break;
       case STATE_READ_BODY_COMPLETE:
         rv = DoReadBodyComplete(rv);
         break;
       case STATE_REQUEST_COMPLETE:
         rv = DoCompleteRequest(rv);
         break;
       case STATE_NONE:
         NOTREACHED();
     }
   } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
 
   return rv;
 }
 
 int SdchDictionaryFetcher::DoSendRequest(int rv) {
   DCHECK(CalledOnValidThread());
 
   // |rv| is ignored, as the result from the previous request doesn't
   // affect the next request.
 
   if (fetch_queue_->IsEmpty() || current_request_.get()) {
     next_state_ = STATE_NONE;
     return OK;
   }
 
-  next_state_ = STATE_SEND_REQUEST_COMPLETE;
+  next_state_ = STATE_SEND_REQUEST_PENDING;
 
   FetchInfo info;
   bool success = fetch_queue_->Pop(&info);
   DCHECK(success);
   current_request_ = context_->CreateRequest(info.url, IDLE, this);
   int load_flags = LOAD_DO_NOT_SEND_COOKIES | LOAD_DO_NOT_SAVE_COOKIES;
   if (info.cache_only)
     load_flags |= LOAD_ONLY_FROM_CACHE;
   current_request_->SetLoadFlags(load_flags);
 
   buffer_ = new IOBuffer(kBufferSize);
   current_callback_ = info.callback;
 
   current_request_->Start();
   current_request_->net_log().AddEvent(NetLog::TYPE_SDCH_DICTIONARY_FETCH);
 
   return ERR_IO_PENDING;
 }
 
-int SdchDictionaryFetcher::DoSendRequestComplete(int rv) {
+int SdchDictionaryFetcher::DoReceivedRedirect(int rv) {
+  // Fetching SDCH through a redirect is forbidden; it raises possible
+  // security issues cross-origin, and isn't obviously useful within
+  // an origin.
+  ResetRequest();
+  next_state_ = STATE_SEND_REQUEST;
+  return ERR_UNSAFE_REDIRECT;
+}
+
+int SdchDictionaryFetcher::DoSendRequestPending(int rv) {
   DCHECK(CalledOnValidThread());
 
   // If there's been an error, abort the current request.
   if (rv != OK) {
     current_request_.reset();
     buffer_ = NULL;
     next_state_ = STATE_SEND_REQUEST;
 
     return OK;
   }
@@ skipping 55 matching lines @@
                           current_request_->net_log(),
                           current_request_->was_cached());
   }
 
   ResetRequest();
   next_state_ = STATE_SEND_REQUEST;
   return OK;
 }
 
 }  // namespace net