
Side by Side Diff: net/http/http_proxy_client_socket.cc

Issue 769043003: Sanitize headers in Proxy Authentication Required responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix net_unittests Created 6 years ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/http_proxy_client_socket.h" 5 #include "net/http/http_proxy_client_socket.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/bind_helpers.h" 8 #include "base/bind_helpers.h"
9 #include "base/strings/string_util.h" 9 #include "base/strings/string_util.h"
10 #include "base/strings/stringprintf.h" 10 #include "base/strings/stringprintf.h"
(...skipping 465 matching lines...)
476 // attacker can force us into this state by masquerading as the proxy. 476 // attacker can force us into this state by masquerading as the proxy.
477 // The only safe thing to do here is to fail the connection because our 477 // The only safe thing to do here is to fail the connection because our
478 // client is expecting an SSL protected response. 478 // client is expecting an SSL protected response.
479 // See http://crbug.com/7338. 479 // See http://crbug.com/7338.
480 480
481 case 302: // Found / Moved Temporarily 481 case 302: // Found / Moved Temporarily
482 // Attempt to follow redirects from HTTPS proxies, but only if we can 482 // Attempt to follow redirects from HTTPS proxies, but only if we can
483 // sanitize the response. This still allows a rogue HTTPS proxy to 483 // sanitize the response. This still allows a rogue HTTPS proxy to
484 // redirect an HTTPS site load to a similar-looking site, but no longer 484 // redirect an HTTPS site load to a similar-looking site, but no longer
485 // allows it to impersonate the site the user requested. 485 // allows it to impersonate the site the user requested.
486 if (is_https_proxy_ && SanitizeProxyRedirect(&response_, request_.url)) { 486 if (!is_https_proxy_ || !SanitizeProxyRedirect(&response_)) {
487 // We're not using an HTTPS proxy, or we couldn't sanitize the redirect.
Ryan Sleevi 2014/12/08 22:04:39 nit: "Pronouns in Comments considered harmful" - h
Deprecated (see juliatuttle) 2014/12/09 15:31:15 Done.
488 LogBlockedTunnelResponse();
489 return ERR_TUNNEL_CONNECTION_FAILED;
490 }
491
492 {
487 bool is_connection_reused = http_stream_parser_->IsConnectionReused(); 493 bool is_connection_reused = http_stream_parser_->IsConnectionReused();
488 redirect_has_load_timing_info_ = 494 redirect_has_load_timing_info_ =
489 transport_->GetLoadTimingInfo( 495 transport_->GetLoadTimingInfo(
490 is_connection_reused, &redirect_load_timing_info_); 496 is_connection_reused, &redirect_load_timing_info_);
491 transport_.reset();
492 http_stream_parser_.reset();
493 return ERR_HTTPS_PROXY_TUNNEL_RESPONSE;
494 } 497 }
495 498 transport_.reset();
496 // We're not using an HTTPS proxy, or we couldn't sanitize the redirect. 499 http_stream_parser_.reset();
497 LogBlockedTunnelResponse(); 500 return ERR_HTTPS_PROXY_TUNNEL_RESPONSE;
Ryan Hamilton 2014/12/08 22:51:59 I think you've tried to make use of an early-retur
Deprecated (see juliatuttle) 2014/12/09 15:31:15 What's wrong with the {}s? They're to prevent "jum
Ryan Hamilton 2014/12/10 22:09:21 They look ugly :>
Ryan Hamilton 2014/12/19 21:26:58 ping.
Deprecated (see juliatuttle) 2014/12/19 21:50:46 Done.
498 return ERR_TUNNEL_CONNECTION_FAILED;
499 501
500 case 407: // Proxy Authentication Required 502 case 407: // Proxy Authentication Required
501 // We need this status code to allow proxy authentication. Our 503 // We need this status code to allow proxy authentication. Our
502 // authentication code is smart enough to avoid being tricked by an 504 // authentication code is smart enough to avoid being tricked by an
503 // active network attacker. 505 // active network attacker.
504 // The next state is intentionally not set as it should be STATE_NONE; 506 // The next state is intentionally not set as it should be STATE_NONE;
507 if (!SanitizeProxyAuth(&response_)) {
508 LogBlockedTunnelResponse();
509 return ERR_TUNNEL_CONNECTION_FAILED;
510 }
505 return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_); 511 return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_);
506 512
507 default: 513 default:
508 // Ignore response to avoid letting the proxy impersonate the target 514 // Ignore response to avoid letting the proxy impersonate the target
509 // server. (See http://crbug.com/137891.) 515 // server. (See http://crbug.com/137891.)
510 // We lose something by doing this. We have seen proxy 403, 404, and 516 // We lose something by doing this. We have seen proxy 403, 404, and
511 // 501 response bodies that contain a useful error message. For 517 // 501 response bodies that contain a useful error message. For
512 // example, Squid uses a 404 response to report the DNS error: "The 518 // example, Squid uses a 404 response to report the DNS error: "The
513 // domain name does not exist." 519 // domain name does not exist."
514 LogBlockedTunnelResponse(); 520 LogBlockedTunnelResponse();
(...skipping 29 matching lines...)
544 550
545 int HttpProxyClientSocket::DoTCPRestartComplete(int result) { 551 int HttpProxyClientSocket::DoTCPRestartComplete(int result) {
546 if (result != OK) 552 if (result != OK)
547 return result; 553 return result;
548 554
549 next_state_ = STATE_GENERATE_AUTH_TOKEN; 555 next_state_ = STATE_GENERATE_AUTH_TOKEN;
550 return result; 556 return result;
551 } 557 }
552 558
553 } // namespace net 559 } // namespace net
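Review bot: In the `case 407` branch the existing comment `// The next state is intentionally not set as it should be STATE_NONE;` now sits directly above the new `SanitizeProxyAuth(&response_)` check instead of above the `HandleProxyAuthChallenge` return it describes, and the new fail-closed path has no comment of its own. Move that comment down to the return and put something like `// Fail the tunnel if the 407 response cannot be sanitized; unsanitized proxy headers must not reach the caller.` above the check. The older sentence "Our authentication code is smart enough to avoid being tricked by an active network attacker" also reads as if no further filtering were needed, so it is worth rewording to say the auth code is only handed the sanitized response. What SanitizeProxyAuth keeps or strips is not visible on this page, and the enclosing switch starts and ends in the skipped lines, so the wording should be checked against the helper's definition.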