author | benjhayden@chromium.org <benjhayden@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-16 22:15:47 +0000 |
---|---|---|
committer | benjhayden@chromium.org <benjhayden@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-16 22:15:47 +0000 |
commit | 8e3ae68c947f9d8f83162b02bc1fcd3e99011fdf (patch) | |
tree | 37ab778c03f2abf9bd656988de70ef5b6035ae54 /net | |
parent | 120655dce0bc56e15d64bc0d075f05e703dcf2cd (diff) | |
chrome.experimental.downloads.download() implementation
Ownership:
(Done) Asanka: content/browser/download/*
(Done) Brett: webkit/plugins/ppapi/ppb_url_request_info_impl.cc
(Done) Chris: net/*
(Done) John: content/browser/renderer_host/*
(Done) Mihai: extensions/*
Review URL: http://codereview.chromium.org/7647028
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@101583 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/http_util.cc | 40 | ||||
-rw-r--r-- | net/http/http_util.h | 4 | ||||
-rw-r--r-- | net/http/http_util_unittest.cc | 79 | ||||
-rw-r--r-- | net/url_request/url_request.cc | 6 |
4 files changed, 128 insertions, 1 deletions
diff --git a/net/http/http_util.cc b/net/http/http_util.cc
index 7e67a2a..1642d4f 100644
--- a/net/http/http_util.cc
+++ b/net/http/http_util.cc
@@ -302,6 +302,46 @@ bool HttpUtil::HasHeader(const std::string& headers, const char* name) {
 return true;
 }
+namespace {
+// A header string containing any of the following fields will cause
+// an error. The list comes from the XMLHttpRequest standard.
+// http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+const char* const kForbiddenHeaderFields[] = {
+ "accept-charset",
+ "accept-encoding",
+ "connection",
+ "content-length",
+ "cookie",
+ "cookie2",
+ "content-transfer-encoding",
+ "date",
+ "expect",
+ "host",
+ "keep-alive",
+ "origin",
+ "referer",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade",
+ "user-agent",
+ "via",
+};
+} // anonymous namespace
+
+// static
+bool HttpUtil::IsSafeHeader(const std::string& name) {
+ std::string lower_name(StringToLowerASCII(name));
+ if (StartsWithASCII(lower_name, "proxy-", true) ||
+ StartsWithASCII(lower_name, "sec-", true))
+ return false;
+ for (size_t i = 0; i < arraysize(kForbiddenHeaderFields); ++i) {
+ if (lower_name == kForbiddenHeaderFields[i])
+ return false;
+ }
+ return true;
+}
+
 // static
 std::string HttpUtil::StripHeaders(const std::string& headers,
 const char* const headers_to_remove[],
diff --git a/net/http/http_util.h b/net/http/http_util.h
index c9ead08..0ac2a7e 100644
--- a/net/http/http_util.h
+++ b/net/http/http_util.h
@@ -70,6 +70,10 @@ class NET_EXPORT HttpUtil {
 // TODO(darin): kill this
 static bool HasHeader(const std::string& headers, const char* name);
+ // Returns true if it is safe to allow users and scripts to specify the header
+ // named |name|.
+ static bool IsSafeHeader(const std::string& name);
+
 // Strips all header lines from |headers| whose name matches
 // |headers_to_remove|. |headers_to_remove| is a list of null-terminated
 // lower-case header names, with array length |headers_to_remove_len|.
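Review bot: HttpUtil::IsSafeHeader() in http_util.cc only tests the lowercased name for exact equality with a kForbiddenHeaderFields entry (plus the two prefixes), and nothing in the function checks that |name| is a well-formed field name. An empty string, or a name carrying surrounding whitespace, a colon or CR/LF, matches no entry and is therefore reported safe; the new unit test in http_util_unittest.cc has no case for such input either. If callers do not already validate the name as an HTTP token, reject malformed names at the top of the function, or at least state the precondition, e.g. `// |name| must already be a valid HTTP token; this only applies the blocklist.` Since the list is a point-in-time copy of the XMLHttpRequest spec, recording the spec revision next to the URL would make later additions easy to diff.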
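Review bot: The declaration comment for IsSafeHeader in http_util.h does not say what "safe" is measured against, that matching is case-insensitive, or that only the name is examined. Suggest replacing it with `// Returns true if |name| is not a request header the XMLHttpRequest spec forbids callers to set (case-insensitive; any "proxy-" or "sec-" prefix is also refused). Does not validate |name| syntax or any header value.` The class body starts and ends outside this hunk.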
diff --git a/net/http/http_util_unittest.cc b/net/http/http_util_unittest.cc
index c3cc33c..7da4fc9 100644
--- a/net/http/http_util_unittest.cc
+++ b/net/http/http_util_unittest.cc
@@ -5,6 +5,7 @@
 #include <algorithm>
 #include "base/basictypes.h"
+#include "base/string_util.h"
 #include "net/http/http_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -14,6 +15,84 @@ namespace {
 class HttpUtilTest : public testing::Test {};
 }
+TEST(HttpUtilTest, IsSafeHeader) {
+ static const char* unsafe_headers[] = {
+ "sec-",
+ "sEc-",
+ "sec-foo",
+ "sEc-FoO",
+ "proxy-",
+ "pRoXy-",
+ "proxy-foo",
+ "pRoXy-FoO",
+ "accept-charset",
+ "accept-encoding",
+ "connection",
+ "content-length",
+ "cookie",
+ "cookie2",
+ "content-transfer-encoding",
+ "date",
+ "expect",
+ "host",
+ "keep-alive",
+ "origin",
+ "referer",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade",
+ "user-agent",
+ "via",
+ };
+ for (size_t i = 0; i < arraysize(unsafe_headers); ++i) {
+ EXPECT_FALSE(HttpUtil::IsSafeHeader(unsafe_headers[i]))
+ << unsafe_headers[i];
+ EXPECT_FALSE(HttpUtil::IsSafeHeader(StringToUpperASCII(std::string(
+ unsafe_headers[i])))) << unsafe_headers[i];
+ }
+ static const char* safe_headers[] = {
+ "foo",
+ "x-",
+ "x-foo",
+ "content-disposition",
+ "update",
+ "accept-charseta",
+ "accept_charset",
+ "accept-encodinga",
+ "accept_encoding",
+ "connectiona",
+ "content-lengtha",
+ "content_length",
+ "cookiea",
+ "cookie2a",
+ "cookie3",
+ "content-transfer-encodinga",
+ "content_transfer_encoding",
+ "datea",
+ "expecta",
+ "hosta",
+ "keep-alivea",
+ "keep_alive",
+ "origina",
+ "referera",
+ "referrer",
+ "tea",
+ "trailera",
+ "transfer-encodinga",
+ "transfer_encoding",
+ "upgradea",
+ "user-agenta",
+ "user_agent",
+ "viaa",
+ };
+ for (size_t i = 0; i < arraysize(safe_headers); ++i) {
+ EXPECT_TRUE(HttpUtil::IsSafeHeader(safe_headers[i])) << safe_headers[i];
+ EXPECT_TRUE(HttpUtil::IsSafeHeader(StringToUpperASCII(std::string(
+ safe_headers[i])))) << safe_headers[i];
+ }
+}
+
 TEST(HttpUtilTest, HasHeader) {
 static const struct {
 const char* headers;
diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc
index f45d590..02667b5 100644
--- a/net/url_request/url_request.cc
+++ b/net/url_request/url_request.cc
@@ -243,7 +243,11 @@ void URLRequest::SetExtraRequestHeaderByName(const string& name,
 const string& value,
 bool overwrite) {
 DCHECK(!is_pending_);
- NOTREACHED() << "implement me!";
+ if (overwrite) {
+ extra_request_headers_.SetHeader(name, value);
+ } else {
+ extra_request_headers_.SetHeaderIfMissing(name, value);
+ }
 }
 void URLRequest::SetExtraRequestHeaders( |
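Review bot: SetExtraRequestHeaderByName() now stores whatever name/value pair it receives, and its only guard, `DCHECK(!is_pending_)`, is normally compiled out of release builds. Nothing here consults HttpUtil::IsSafeHeader(), so the forbidden-header policy added in this commit holds only if every caller that forwards extension- or script-supplied headers filters them first. Those callers are outside this 'net'-limited diff, so that is worth confirming before relying on it. A comment on the function would make the contract explicit, e.g. `// Does not filter |name| or |value|; callers passing untrusted headers must check HttpUtil::IsSafeHeader() first.`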