| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_proxy_client_socket.h" | 5 #include "net/http/http_proxy_client_socket.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
| 10 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
| (...skipping 465 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 476 // attacker can force us into this state by masquerading as the proxy. | 476 // attacker can force us into this state by masquerading as the proxy. |
| 477 // The only safe thing to do here is to fail the connection because our | 477 // The only safe thing to do here is to fail the connection because our |
| 478 // client is expecting an SSL protected response. | 478 // client is expecting an SSL protected response. |
| 479 // See http://crbug.com/7338. | 479 // See http://crbug.com/7338. |
| 480 | 480 |
| 481 case 302: // Found / Moved Temporarily | 481 case 302: // Found / Moved Temporarily |
| 482 // Attempt to follow redirects from HTTPS proxies, but only if we can | 482 // Attempt to follow redirects from HTTPS proxies, but only if we can |
| 483 // sanitize the response. This still allows a rogue HTTPS proxy to | 483 // sanitize the response. This still allows a rogue HTTPS proxy to |
| 484 // redirect an HTTPS site load to a similar-looking site, but no longer | 484 // redirect an HTTPS site load to a similar-looking site, but no longer |
| 485 // allows it to impersonate the site the user requested. | 485 // allows it to impersonate the site the user requested. |
| 486 if (is_https_proxy_ && SanitizeProxyRedirect(&response_, request_.url)) { | 486 if (!is_https_proxy_ || !SanitizeProxyRedirect(&response_)) { |
| 487 LogBlockedTunnelResponse(); |
| 488 return ERR_TUNNEL_CONNECTION_FAILED; |
| 489 } |
| 490 |
| 491 { |
| 487 bool is_connection_reused = http_stream_parser_->IsConnectionReused(); | 492 bool is_connection_reused = http_stream_parser_->IsConnectionReused(); |
| 488 redirect_has_load_timing_info_ = | 493 redirect_has_load_timing_info_ = |
| 489 transport_->GetLoadTimingInfo( | 494 transport_->GetLoadTimingInfo( |
| 490 is_connection_reused, &redirect_load_timing_info_); | 495 is_connection_reused, &redirect_load_timing_info_); |
| 491 transport_.reset(); | |
| 492 http_stream_parser_.reset(); | |
| 493 return ERR_HTTPS_PROXY_TUNNEL_RESPONSE; | |
| 494 } | 496 } |
| 495 | 497 transport_.reset(); |
| 496 // We're not using an HTTPS proxy, or we couldn't sanitize the redirect. | 498 http_stream_parser_.reset(); |
| 497 LogBlockedTunnelResponse(); | 499 return ERR_HTTPS_PROXY_TUNNEL_RESPONSE; |
| 498 return ERR_TUNNEL_CONNECTION_FAILED; | |
| 499 | 500 |
| 500 case 407: // Proxy Authentication Required | 501 case 407: // Proxy Authentication Required |
| 501 // We need this status code to allow proxy authentication. Our | 502 // We need this status code to allow proxy authentication. Our |
| 502 // authentication code is smart enough to avoid being tricked by an | 503 // authentication code is smart enough to avoid being tricked by an |
| 503 // active network attacker. | 504 // active network attacker. |
| 504 // The next state is intentionally not set as it should be STATE_NONE; | 505 // The next state is intentionally not set as it should be STATE_NONE; |
| 506 if (!SanitizeProxyAuth(&response_)) { |
| 507 LogBlockedTunnelResponse(); |
| 508 return ERR_TUNNEL_CONNECTION_FAILED; |
| 509 } |
| 505 return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_); | 510 return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_); |
| 506 | 511 |
| 507 default: | 512 default: |
| 508 // Ignore response to avoid letting the proxy impersonate the target | 513 // Ignore response to avoid letting the proxy impersonate the target |
| 509 // server. (See http://crbug.com/137891.) | 514 // server. (See http://crbug.com/137891.) |
| 510 // We lose something by doing this. We have seen proxy 403, 404, and | 515 // We lose something by doing this. We have seen proxy 403, 404, and |
| 511 // 501 response bodies that contain a useful error message. For | 516 // 501 response bodies that contain a useful error message. For |
| 512 // example, Squid uses a 404 response to report the DNS error: "The | 517 // example, Squid uses a 404 response to report the DNS error: "The |
| 513 // domain name does not exist." | 518 // domain name does not exist." |
| 514 LogBlockedTunnelResponse(); | 519 LogBlockedTunnelResponse(); |
| (...skipping 29 matching lines...) Expand all Loading... |
| 544 | 549 |
| 545 int HttpProxyClientSocket::DoTCPRestartComplete(int result) { | 550 int HttpProxyClientSocket::DoTCPRestartComplete(int result) { |
| 546 if (result != OK) | 551 if (result != OK) |
| 547 return result; | 552 return result; |
| 548 | 553 |
| 549 next_state_ = STATE_GENERATE_AUTH_TOKEN; | 554 next_state_ = STATE_GENERATE_AUTH_TOKEN; |
| 550 return result; | 555 return result; |
| 551 } | 556 } |
| 552 | 557 |
| 553 } // namespace net | 558 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 769043003:
Sanitize headers in Proxy Authentication Required responses (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master