Chromium Code Reviews Chromium Code Reviews
Issue 387353003:
Modify data_reduction_proxy_header to support tamper detection logic. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@work| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h" | 5 #include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/strings/string_number_conversions.h" | 9 #include "base/strings/string_number_conversions.h" |
| 10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
| 11 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
| 12 #include "base/time/time.h" | 12 #include "base/time/time.h" |
| 13 #include "net/http/http_response_headers.h" | 13 #include "net/http/http_response_headers.h" |
| 14 #include "net/http/http_status_code.h" | 14 #include "net/http/http_status_code.h" |
| 15 #include "net/proxy/proxy_service.h" | 15 #include "net/proxy/proxy_service.h" |
| 16 | 16 |
| 17 using base::StringPiece; | 17 using base::StringPiece; |
| 18 using base::TimeDelta; | 18 using base::TimeDelta; |
| 19 using net::ProxyService; | 19 using net::ProxyService; |
| 20 | 20 |
| 21 namespace { | |
| 22 const char kChromeProxyHeader[] = "chrome-proxy"; | |
| 23 } // namespace | |
| 24 | |
| 21 namespace data_reduction_proxy { | 25 namespace data_reduction_proxy { |
| 22 | 26 |
| 27 const char kChromeProxyActionFingerprintChromeProxy[] = "fcp"; | |
| 28 const char kChromeProxyActionFingerprintVia[] = "fvia"; | |
| 29 const char kChromeProxyActionFingerprintOtherHeaders[] = "foh"; | |
| 30 const char kChromeProxyActionFingerprintContentLength[] = "fcl"; | |
| 31 | |
| 32 bool GetDataReductionProxyActionValue( | |
| 33 const net::HttpResponseHeaders* headers, | |
| 34 const std::string& action_prefix, | |
| 35 std::string* action_value) { | |
| 36 DCHECK(!action_prefix.empty()); | |
| 37 DCHECK(action_prefix[action_prefix.size() - 1] != '='); | |
|
bolian
2014/07/28 22:59:18
I don't think you need this DCHECK. Unnecessary re
xingx1
2014/07/29 00:47:40
Done.
bolian
2014/07/29 01:36:20
I don't see this and other comments are addressed.
| |
| 38 void* iter = NULL; | |
| 39 std::string value; | |
| 40 std::string prefix = action_prefix + "="; | |
| 41 | |
| 42 while (headers->EnumerateHeader(&iter, kChromeProxyHeader, &value)) { | |
| 43 // ">=" to allow empty action value. | |
| 44 if (value.size() >= prefix.size()) { | |
| 45 if (LowerCaseEqualsASCII(value.begin(), | |
| 46 value.begin() + prefix.size(), | |
| 47 prefix.c_str())) { | |
| 48 if (action_value) | |
| 49 *action_value = value.substr(prefix.size()); | |
| 50 return true; | |
| 51 } | |
| 52 } | |
| 53 } | |
| 54 return false; | |
| 55 } | |
| 56 | |
| 23 bool GetDataReductionProxyBypassDuration( | 57 bool GetDataReductionProxyBypassDuration( |
| 24 const net::HttpResponseHeaders* headers, | 58 const net::HttpResponseHeaders* headers, |
| 25 const std::string& action_prefix, | 59 const std::string& action_prefix, |
| 26 base::TimeDelta* duration) { | 60 base::TimeDelta* duration) { |
| 61 DCHECK(!action_prefix.empty()); | |
| 62 DCHECK(action_prefix[action_prefix.size() - 1] != '='); | |
| 27 void* iter = NULL; | 63 void* iter = NULL; |
| 28 std::string value; | 64 std::string value; |
| 29 std::string name = "chrome-proxy"; | 65 std::string prefix = action_prefix + "="; |
| 30 | 66 |
| 31 while (headers->EnumerateHeader(&iter, name, &value)) { | 67 while (headers->EnumerateHeader(&iter, kChromeProxyHeader, &value)) { |
| 32 if (value.size() > action_prefix.size()) { | 68 if (value.size() > prefix.size()) { |
| 33 if (LowerCaseEqualsASCII(value.begin(), | 69 if (LowerCaseEqualsASCII(value.begin(), |
| 34 value.begin() + action_prefix.size(), | 70 value.begin() + prefix.size(), |
| 35 action_prefix.c_str())) { | 71 prefix.c_str())) { |
| 36 int64 seconds; | 72 int64 seconds; |
| 37 if (!base::StringToInt64( | 73 if (!base::StringToInt64( |
| 38 StringPiece(value.begin() + action_prefix.size(), value.end()), | 74 StringPiece(value.begin() + prefix.size(), value.end()), |
| 39 &seconds) || seconds < 0) { | 75 &seconds) || seconds < 0) { |
| 40 continue; // In case there is a well formed instruction. | 76 continue; // In case there is a well formed instruction. |
| 41 } | 77 } |
| 42 *duration = TimeDelta::FromSeconds(seconds); | 78 *duration = TimeDelta::FromSeconds(seconds); |
| 43 return true; | 79 return true; |
| 44 } | 80 } |
| 45 } | 81 } |
| 46 } | 82 } |
| 47 return false; | 83 return false; |
| 48 } | 84 } |
| 49 | 85 |
| 50 bool GetDataReductionProxyInfo(const net::HttpResponseHeaders* headers, | 86 bool GetDataReductionProxyInfo(const net::HttpResponseHeaders* headers, |
| 51 DataReductionProxyInfo* proxy_info) { | 87 DataReductionProxyInfo* proxy_info) { |
| 52 DCHECK(proxy_info); | 88 DCHECK(proxy_info); |
| 53 proxy_info->bypass_all = false; | 89 proxy_info->bypass_all = false; |
| 54 proxy_info->bypass_duration = TimeDelta(); | 90 proxy_info->bypass_duration = TimeDelta(); |
| 55 // Support header of the form Chrome-Proxy: bypass|block=<duration>, where | 91 // Support header of the form Chrome-Proxy: bypass|block=<duration>, where |
| 56 // <duration> is the number of seconds to wait before retrying | 92 // <duration> is the number of seconds to wait before retrying |
| 57 // the proxy. If the duration is 0, then the default proxy retry delay | 93 // the proxy. If the duration is 0, then the default proxy retry delay |
| 58 // (specified in |ProxyList::UpdateRetryInfoOnFallback|) will be used. | 94 // (specified in |ProxyList::UpdateRetryInfoOnFallback|) will be used. |
| 59 // 'bypass' instructs Chrome to bypass the currently connected data reduction | 95 // 'bypass' instructs Chrome to bypass the currently connected data reduction |
| 60 // proxy, whereas 'block' instructs Chrome to bypass all available data | 96 // proxy, whereas 'block' instructs Chrome to bypass all available data |
| 61 // reduction proxies. | 97 // reduction proxies. |
| 62 | 98 |
| 63 // 'block' takes precedence over 'bypass', so look for it first. | 99 // 'block' takes precedence over 'bypass', so look for it first. |
| 64 // TODO(bengr): Reduce checks for 'block' and 'bypass' to a single loop. | 100 // TODO(bengr): Reduce checks for 'block' and 'bypass' to a single loop. |
| 65 if (GetDataReductionProxyBypassDuration( | 101 if (GetDataReductionProxyBypassDuration( |
| 66 headers, "block=", &proxy_info->bypass_duration)) { | 102 headers, "block", &proxy_info->bypass_duration)) { |
| 67 proxy_info->bypass_all = true; | 103 proxy_info->bypass_all = true; |
| 68 return true; | 104 return true; |
| 69 } | 105 } |
| 70 | 106 |
| 71 // Next, look for 'bypass'. | 107 // Next, look for 'bypass'. |
| 72 if (GetDataReductionProxyBypassDuration( | 108 if (GetDataReductionProxyBypassDuration( |
| 73 headers, "bypass=", &proxy_info->bypass_duration)) { | 109 headers, "bypass", &proxy_info->bypass_duration)) { |
| 74 return true; | 110 return true; |
| 75 } | 111 } |
| 76 return false; | 112 return false; |
| 77 } | 113 } |
| 78 | 114 |
| 79 bool HasDataReductionProxyViaHeader(const net::HttpResponseHeaders* headers) { | 115 bool HasDataReductionProxyViaHeader(const net::HttpResponseHeaders* headers, |
| 116 bool* has_intermediary) { | |
| 80 const size_t kVersionSize = 4; | 117 const size_t kVersionSize = 4; |
| 81 const char kDataReductionProxyViaValue[] = "Chrome-Compression-Proxy"; | 118 const char kDataReductionProxyViaValue[] = "Chrome-Compression-Proxy"; |
| 82 size_t value_len = strlen(kDataReductionProxyViaValue); | 119 size_t value_len = strlen(kDataReductionProxyViaValue); |
| 83 void* iter = NULL; | 120 void* iter = NULL; |
| 84 std::string value; | 121 std::string value; |
| 85 | 122 |
| 86 // Case-sensitive comparison of |value|. Assumes the received protocol and the | 123 // Case-sensitive comparison of |value|. Assumes the received protocol and the |
| 87 // space following it are always |kVersionSize| characters. E.g., | 124 // space following it are always |kVersionSize| characters. E.g., |
| 88 // 'Via: 1.1 Chrome-Compression-Proxy' | 125 // 'Via: 1.1 Chrome-Compression-Proxy' |
| 89 while (headers->EnumerateHeader(&iter, "via", &value)) { | 126 while (headers->EnumerateHeader(&iter, "via", &value)) { |
| 90 if (value.size() >= kVersionSize + value_len && | 127 if (value.size() >= kVersionSize + value_len && |
| 91 !value.compare(kVersionSize, value_len, kDataReductionProxyViaValue)) | 128 !value.compare(kVersionSize, value_len, kDataReductionProxyViaValue)) { |
| 129 if (has_intermediary) | |
| 130 *has_intermediary = !(headers->EnumerateHeader(&iter, "via", &value)); | |
|
bolian
2014/07/28 22:59:18
Are you sure it is ok to call EnumerateHeader insi
xingx1
2014/07/29 00:47:40
Yes, it should be fine, |iter| will be updated.
| |
| 92 return true; | 131 return true; |
| 132 } | |
| 93 } | 133 } |
| 94 | 134 |
| 95 // TODO(bengr): Remove deprecated header value. | 135 // TODO(bengr): Remove deprecated header value. |
| 96 const char kDeprecatedDataReductionProxyViaValue[] = | 136 const char kDeprecatedDataReductionProxyViaValue[] = |
| 97 "1.1 Chrome Compression Proxy"; | 137 "1.1 Chrome Compression Proxy"; |
| 98 iter = NULL; | 138 iter = NULL; |
| 99 while (headers->EnumerateHeader(&iter, "via", &value)) | 139 while (headers->EnumerateHeader(&iter, "via", &value)) |
| 100 if (value == kDeprecatedDataReductionProxyViaValue) | 140 if (value == kDeprecatedDataReductionProxyViaValue) { |
| 141 if (has_intermediary) | |
| 142 *has_intermediary = !(headers->EnumerateHeader(&iter, "via", &value)); | |
| 101 return true; | 143 return true; |
| 144 } | |
| 102 | 145 |
| 103 return false; | 146 return false; |
| 104 } | 147 } |
| 105 | 148 |
| 106 const int kShortBypassMaxSeconds = 59; | 149 const int kShortBypassMaxSeconds = 59; |
| 107 const int kMediumBypassMaxSeconds = 300; | 150 const int kMediumBypassMaxSeconds = 300; |
| 108 net::ProxyService::DataReductionProxyBypassType | 151 net::ProxyService::DataReductionProxyBypassType |
| 109 GetDataReductionProxyBypassType( | 152 GetDataReductionProxyBypassType( |
| 110 const net::HttpResponseHeaders* headers, | 153 const net::HttpResponseHeaders* headers, |
| 111 DataReductionProxyInfo* data_reduction_proxy_info) { | 154 DataReductionProxyInfo* data_reduction_proxy_info) { |
| (...skipping 17 matching lines...) Expand all Loading... | |
| 129 if (headers->response_code() == net::HTTP_BAD_GATEWAY) | 172 if (headers->response_code() == net::HTTP_BAD_GATEWAY) |
| 130 return ProxyService::STATUS_502_HTTP_BAD_GATEWAY; | 173 return ProxyService::STATUS_502_HTTP_BAD_GATEWAY; |
| 131 if (headers->response_code() == net::HTTP_SERVICE_UNAVAILABLE) | 174 if (headers->response_code() == net::HTTP_SERVICE_UNAVAILABLE) |
| 132 return ProxyService::STATUS_503_HTTP_SERVICE_UNAVAILABLE; | 175 return ProxyService::STATUS_503_HTTP_SERVICE_UNAVAILABLE; |
| 133 // TODO(kundaji): Bypass if Proxy-Authenticate header value cannot be | 176 // TODO(kundaji): Bypass if Proxy-Authenticate header value cannot be |
| 134 // interpreted by data reduction proxy. | 177 // interpreted by data reduction proxy. |
| 135 if (headers->response_code() == net::HTTP_PROXY_AUTHENTICATION_REQUIRED && | 178 if (headers->response_code() == net::HTTP_PROXY_AUTHENTICATION_REQUIRED && |
| 136 !headers->HasHeader("Proxy-Authenticate")) { | 179 !headers->HasHeader("Proxy-Authenticate")) { |
| 137 return ProxyService::MALFORMED_407; | 180 return ProxyService::MALFORMED_407; |
| 138 } | 181 } |
| 139 if (!HasDataReductionProxyViaHeader(headers) && | 182 if (!HasDataReductionProxyViaHeader(headers, NULL) && |
| 140 (headers->response_code() != net::HTTP_NOT_MODIFIED)) { | 183 (headers->response_code() != net::HTTP_NOT_MODIFIED)) { |
| 141 // A Via header might not be present in a 304. Since the goal of a 304 | 184 // A Via header might not be present in a 304. Since the goal of a 304 |
| 142 // response is to minimize information transfer, a sender in general | 185 // response is to minimize information transfer, a sender in general |
| 143 // should not generate representation metadata other than Cache-Control, | 186 // should not generate representation metadata other than Cache-Control, |
| 144 // Content-Location, Date, ETag, Expires, and Vary. | 187 // Content-Location, Date, ETag, Expires, and Vary. |
| 145 | 188 |
| 146 // The proxy Via header might also not be present in a 4xx response. | 189 // The proxy Via header might also not be present in a 4xx response. |
| 147 // Separate this case from other responses that are missing the header. | 190 // Separate this case from other responses that are missing the header. |
| 148 if (headers->response_code() >= net::HTTP_BAD_REQUEST && | 191 if (headers->response_code() >= net::HTTP_BAD_REQUEST && |
| 149 headers->response_code() < net::HTTP_INTERNAL_SERVER_ERROR) { | 192 headers->response_code() < net::HTTP_INTERNAL_SERVER_ERROR) { |
| 150 return ProxyService::MISSING_VIA_HEADER_4XX; | 193 return ProxyService::MISSING_VIA_HEADER_4XX; |
| 151 } | 194 } |
| 152 return ProxyService::MISSING_VIA_HEADER_OTHER; | 195 return ProxyService::MISSING_VIA_HEADER_OTHER; |
| 153 } | 196 } |
| 154 // There is no bypass event. | 197 // There is no bypass event. |
| 155 return ProxyService::BYPASS_EVENT_TYPE_MAX; | 198 return ProxyService::BYPASS_EVENT_TYPE_MAX; |
| 156 } | 199 } |
| 157 | 200 |
| 158 } // namespace data_reduction_proxy | 201 } // namespace data_reduction_proxy |
| OLD | NEW |
