authorabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-11 21:06:23 +0000
committerabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-11 21:06:23 +0000
commit5af45e0206cbff9815ae661162361f29ac8df727 (patch)
treed56acd100706d6bf928ff280cb1de75eec233050 /net/http/http_network_transaction.cc
parentd5f3d4fbdd1f22a92dc9ac993f06231129124a26 (diff)
Block reading unauthenticated bytes from the proxy when the user cancels a 407 proxy auth request while we're trying to establish an SSL tunnel.
BUG=8473 R=wtc Review URL: http://codereview.chromium.org/42065 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11484 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_network_transaction.cc')
-rw-r--r--net/http/http_network_transaction.cc15
1 files changed, 14 insertions, 1 deletions
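diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 93b5a5d..95c0aef 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -207,6 +207,17 @@ int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len,
 if (!connection_.is_initialized())
 return 0; // connection_ has been reset. Treat like EOF.
+ if (establishing_tunnel_) {
+ // We're trying to read the body of the response but we're still trying to
+ // establish an SSL tunnel through the proxy. We can't read these bytes
+ // when establishing a tunnel because they might be controlled by an active
+ // network attacker. We don't worry about this for HTTP because an active
+ // network attacker can already control HTTP sessions.
+ // We reach this case when the user cancels a 407 proxy auth prompt.
+ // See http://crbug.com/8473
+ return ERR_TUNNEL_CONNECTION_FAILED;
+ }
+
 read_buf_ = buf;
 read_buf_len_ = buf_len;
@@ -1002,7 +1013,9 @@ int HttpNetworkTransaction::DidReadResponseHeaders() {
 // domain name does not exist."
 LOG(WARNING) <<
 "Blocked proxy response to CONNECT request with status " <<
- headers->response_code() << ".";
+ headers->response_code() << " for " <<
+ request_->url.host() << ":" <<
+ request_->url.EffectiveIntPort() << ".";
 return ERR_TUNNEL_CONNECTION_FAILED;
 }
 }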
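Review bot: The new `establishing_tunnel_` guard in Read() sits below the `connection_.is_initialized()` check, so if the connection has already been reset while the tunnel flag is still set, Read() returns 0 and the caller sees a clean EOF on the unauthenticated proxy response instead of ERR_TUNNEL_CONNECTION_FAILED. Whether connection_ can be reset in that state is not visible in this hunk, but moving the `if (establishing_tunnel_) { ... }` block above the `is_initialized()` check would make the error path independent of connection state at no cost. The diffstat is limited to this file, so I can't see whether a test covers the cancel-407-then-Read() path; one asserting the ERR_TUNNEL_CONNECTION_FAILED return would pin the intended behavior. Read()'s body continues past the end of the first hunk.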