path: root/net/ocsp
author: rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-12-06 02:23:07 +0000
committer: rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-12-06 02:23:07 +0000
commit: d474919578c36db47f9ce3b0c6574a82f931701d (patch)
tree: 2de4ada1457ea13c354ca3a7ebd73185ce894a0b /net/ocsp
parent: ffb204f2827d3ce9974c0969fc4f470ab35892aa (diff)
When using NSS for certificate verification, add a check when fetching CRLs/OCSP responses to prevent redirects to non-HTTP URLs. This matches the initial check when first called from NSS to create the URLRequest.

In particular, fetching a CRL/OCSP response over HTTPS is troublesome, as the certificate sent by the responder may also need revocation checking, potentially causing revocation checking loops. The existing check only considered the initial URL scheme supplied by NSS. However, if the server issues a redirect, the new URL scheme was not filtered.

BUG=64521
TEST=none

Review URL: http://codereview.chromium.org/5372002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@68329 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/ocsp')
-rw-r--r-- net/ocsp/nss_ocsp.cc | 13
1 files changed, 13 insertions, 0 deletions
diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc
index adea79a..02edd05 100644
--- a/net/ocsp/nss_ocsp.cc
+++ b/net/ocsp/nss_ocsp.cc
@@ -248,6 +248,19 @@ class OCSPRequestSession
return data_;
}
+ virtual void OnReceivedRedirect(net::URLRequest* request,
+ const GURL& new_url,
+ bool* defer_redirect) {
+ DCHECK_EQ(request, request_);
+ DCHECK_EQ(MessageLoopForIO::current(), io_loop_);
+
+ if (!new_url.SchemeIs("http")) {
+ // Prevent redirects to non-HTTP schemes, including HTTPS. This matches
+ // the initial check in OCSPServerSession::CreateRequest().
+ CancelURLRequest();
+ }
+ }
+
virtual void OnResponseStarted(net::URLRequest* request) {
DCHECK_EQ(request, request_);
DCHECK_EQ(MessageLoopForIO::current(), io_loop_);
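Review bot: the scheme test `if (!new_url.SchemeIs("http"))` in OnReceivedRedirect duplicates, by the comment's own admission, the check in OCSPServerSession::CreateRequest(), so the two can silently drift apart the next time either is edited; consider moving the allowed-scheme test into one shared helper (e.g. a static `IsAllowedScheme(const GURL&)` on OCSPRequestSession, name hypothetical) and calling it from both places. Two smaller points on the same hunk: `defer_redirect` is accepted but never assigned, so a reader may wonder whether the redirect is meant to be deferred or simply abandoned after CancelURLRequest(); a one-line comment stating that cancellation is the intended outcome, or a short LOG/VLOG when a redirect is refused, would make the non-HTTP case diagnosable, since at present a responder that redirects to HTTPS just disappears as a cancelled request. Finally, the commit message says TEST=none; a unit test that drives OnReceivedRedirect with an `https://` and an `http://` new_url and asserts whether the request is cancelled would pin down exactly the behaviour this hunk adds.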