Perform redirect checks before OnReceivedRedirect in //net.

net/url_request/url_request_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_job.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
@@ skipping 296 matching lines @@
 }
 
 void URLRequestJob::ContinueDespiteLastError() {
   // Implementations should know how to recover from errors they generate.
   // If this code was reached, we are trying to recover from an error that
   // we don't know how to recover from.
   NOTREACHED();
 }
 
 void URLRequestJob::FollowDeferredRedirect() {
+  // OnReceivedRedirect must have been called.
   DCHECK_NE(-1, deferred_redirect_info_.status_code);
 
-  // NOTE: deferred_redirect_info_ may be invalid, and attempting to follow it
-  // will fail inside FollowRedirect.  The DCHECK above asserts that we called
-  // OnReceivedRedirect.
-
-  // It is also possible that FollowRedirect will delete |this|, so not safe to
-  // pass along reference to |deferred_redirect_info_|.
-
+  // It is possible that FollowRedirect will delete |this|, so it is not safe to
+  // pass along a reference to |deferred_redirect_info_|.
   RedirectInfo redirect_info = deferred_redirect_info_;
   deferred_redirect_info_ = RedirectInfo();
   FollowRedirect(redirect_info);
 }
 
 bool URLRequestJob::GetMimeType(std::string* mime_type) const {
   return false;
 }
 
 int URLRequestJob::GetResponseCode() const {
@@ skipping 114 matching lines @@
   request_->OnHeadersComplete();
 
   GURL new_location;
   int http_status_code;
 
   if (IsRedirectResponse(&new_location, &http_status_code)) {
     // Redirect response bodies are not read. Notify the transaction
     // so it does not treat being stopped as an error.
     DoneReadingRedirectResponse();
 
+    // Invalid redirect targets are failed early before
+    // NotifyReceivedRedirect. This means the delegate can assume that, if it
+    // accepts the redirect, future calls to OnResponseStarted correspond to
+    // |redirect_info.new_url|.
+    int redirect_valid = CanFollowRedirect(new_location);
+    if (redirect_valid != OK) {
+      OnDone(URLRequestStatus::FromError(redirect_valid), true);
+      return;
+    }
+
     // When notifying the URLRequest::Delegate, it can destroy the request,
     // which will destroy |this|.  After calling to the URLRequest::Delegate,
     // pointer must be checked to see if |this| still exists, and if not, the
     // code must return immediately.
     base::WeakPtr<URLRequestJob> weak_this(weak_factory_.GetWeakPtr());
 
     RedirectInfo redirect_info =
         ComputeRedirectInfo(new_location, http_status_code);
     bool defer_redirect = false;
     request_->NotifyReceivedRedirect(redirect_info, &defer_redirect);
@@ skipping 243 matching lines @@
   if (result != ERR_IO_PENDING) {
     // If the read completes synchronously, either success or failure, invoke
     // GatherRawReadStats so we can account for the completed read.
     GatherRawReadStats(result);
   } else {
     read_raw_callback_ = callback;
   }
   return result;
 }
 
+int URLRequestJob::CanFollowRedirect(const GURL& new_url) {
+  if (request_->redirect_limit_ <= 0) {
+    DVLOG(1) << "disallowing redirect: exceeds limit";
+    return ERR_TOO_MANY_REDIRECTS;
+  }
+
+  if (!new_url.is_valid())
+    return ERR_INVALID_REDIRECT;
+
+  if (!IsSafeRedirect(new_url)) {
+    DVLOG(1) << "disallowing redirect: unsafe protocol";
+    return ERR_UNSAFE_REDIRECT;
+  }
+
+  return OK;
+}
+
 void URLRequestJob::FollowRedirect(const RedirectInfo& redirect_info) {
-  int rv = request_->Redirect(redirect_info);
-  if (rv != OK)
-    OnDone(URLRequestStatus(URLRequestStatus::FAILED, rv), true);
+  request_->Redirect(redirect_info);
 }
 
 void URLRequestJob::GatherRawReadStats(int bytes_read) {
   DCHECK(raw_read_buffer_ || bytes_read == 0);
   DCHECK_NE(ERR_IO_PENDING, bytes_read);
 
   if (bytes_read > 0) {
     // If there is a filter, bytes will be logged after the filter is applied.
     if (source_stream_->type() != SourceStream::TYPE_NONE &&
         request()->net_log().IsCapturing()) {
@@ skipping 115 matching lines @@
   int64_t total_sent_bytes = GetTotalSentBytes();
   DCHECK_GE(total_sent_bytes, last_notified_total_sent_bytes_);
   if (total_sent_bytes > last_notified_total_sent_bytes_) {
     network_delegate_->NotifyNetworkBytesSent(
         request_, total_sent_bytes - last_notified_total_sent_bytes_);
   }
   last_notified_total_sent_bytes_ = total_sent_bytes;
 }
 
 }  // namespace net