author | bbudge@google.com <bbudge@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-17 23:38:54 +0000 |
---|---|---|
committer | bbudge@google.com <bbudge@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-17 23:38:54 +0000 |
commit | f7093e0d8d850f5ec1bf08ad431e0b99747e89e7 (patch) | |
tree | 3fce6cce80224da440f18e24e77750ec4f62e679 /webkit | |
parent | ed41b49ddca2fed4e5f79abd237c93748d7b93b6 (diff) | |
Restrict HTTP headers by checking in URLRequestInfo::SetProperty.
BUG=47354
TEST=none
Review URL: http://codereview.chromium.org/5138010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@69590 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/plugins/ppapi/ppb_url_request_info_impl.cc | 62 |
1 files changed, 47 insertions, 15 deletions
diff --git a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
index 1886af5..cb1e545 100644
--- a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
+++ b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
@@ -34,18 +34,51 @@ namespace ppapi {
 namespace {
-// If any of these request headers are specified, they will not be sent.
-// TODO(darin): Add more based on security considerations?
-const char* const kIgnoredRequestHeaders[] = {
- "content-length"
+// A header string containing any of the following fields will cause
+// an error. The list comes from the XMLHttpRequest standard.
+// http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+const char* const kForbiddenHeaderFields[] = {
+ "accept-charset",
+ "accept-encoding",
+ "connection",
+ "content-length",
+ "cookie",
+ "cookie2",
+ "content-transfer-encoding",
+ "date",
+ "expect",
+ "host",
+ "keep-alive",
+ "origin",
+ "referer",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade",
+ "user-agent",
+ "via",
 };
-PP_Bool IsIgnoredRequestHeader(const std::string& name) {
- for (size_t i = 0; i < arraysize(kIgnoredRequestHeaders); ++i) {
- if (LowerCaseEqualsASCII(name, kIgnoredRequestHeaders[i]))
- return PP_TRUE;
+bool IsValidHeaderField(const std::string& name) {
+ for (size_t i = 0; i < arraysize(kForbiddenHeaderFields); ++i) {
+ if (LowerCaseEqualsASCII(name, kForbiddenHeaderFields[i]))
+ return false;
 }
- return PP_FALSE;
+ if (StartsWithASCII(name, "proxy-", false))
+ return false;
+ if (StartsWithASCII(name, "sec-", false))
+ return false;
+
+ return true;
+}
+
+bool AreValidHeaders(const std::string& headers) {
+ net::HttpUtil::HeadersIterator it(headers.begin(), headers.end(), "\n");
+ while (it.GetNext()) {
+ if (!IsValidHeaderField(it.name()))
+ return false;
+ }
+ return true;
 }
 PP_Resource Create(PP_Module module_id) {
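Review bot: AreValidHeaders inspects only `it.name()`, so header values are never validated; with `"\n"` as the sole delimiter, a carriage return or other control character inside a value passes this check and is later handed to `addHTTPHeaderField`. Whether WebKit rejects such values downstream is not visible in this diff, so rejecting them at this boundary is the safer default, assuming callers are only expected to pass `\n`-separated headers: `if (!IsValidHeaderField(it.name()) || it.values().find('\r') != std::string::npos) return false;`. A short comment on AreValidHeaders should also state that matching is case-insensitive and that any line the iterator skips is not checked here. The commit is marked TEST=none; a unit test covering mixed-case names and the `proxy-`/`sec-` prefixes would pin the deny-list behaviour.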
@@ -190,7 +223,6 @@ bool PPB_URLRequestInfo_Impl::SetBooleanProperty(PP_URLRequestProperty property,
 record_upload_progress_ = value;
 return true;
 default:
- //NOTIMPLEMENTED(); // TODO(darin): Implement me!
 return false;
 }
 }
@@ -206,6 +238,8 @@ bool PPB_URLRequestInfo_Impl::SetStringProperty(PP_URLRequestProperty property,
 method_ = value;
 return true;
 case PP_URLREQUESTPROPERTY_HEADERS:
+ if (!AreValidHeaders(value))
+ return false;
 headers_ = value;
 return true;
 default:
@@ -251,11 +285,9 @@ WebURLRequest PPB_URLRequestInfo_Impl::ToWebURLRequest(WebFrame* frame) const {
 if (!headers_.empty()) {
 net::HttpUtil::HeadersIterator it(headers_.begin(), headers_.end(), "\n");
 while (it.GetNext()) {
- if (!IsIgnoredRequestHeader(it.name())) {
- web_request.addHTTPHeaderField(
- WebString::fromUTF8(it.name()),
- WebString::fromUTF8(it.values()));
- }
+ web_request.addHTTPHeaderField(
+ WebString::fromUTF8(it.name()),
+ WebString::fromUTF8(it.values()));
 }
 }
|
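Review bot: In the ToWebURLRequest hunk the send-time filter is removed, so every parsed entry in `headers_` is forwarded unchecked and the restriction now rests entirely on SetStringProperty being the only writer of `headers_`. Other writers are not visible in this diff; if one exists or is added later, forbidden fields would be sent without any error. A cheap guard ahead of the loop is `DCHECK(AreValidHeaders(headers_));`, together with a comment such as `// headers_ was validated by AreValidHeaders() in SetStringProperty.` The body of ToWebURLRequest starts and ends outside the hunk.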