From 5af45e0206cbff9815ae661162361f29ac8df727 Mon Sep 17 00:00:00 2001 From: "abarth@chromium.org" Date: Wed, 11 Mar 2009 21:06:23 +0000 Subject: Block reading unauthenticated bytes from the proxy when the user cancels a 407 proxy auth request while we're trying to establish an SSL tunnel. BUG=8473 R=wtc Review URL: http://codereview.chromium.org/42065 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11484 0039d316-1c4b-4281-b951-d872f2087c98 --- net/http/http_network_transaction.cc | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'net/http/http_network_transaction.cc') diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc index 93b5a5d..95c0aef 100644 --- a/net/http/http_network_transaction.cc +++ b/net/http/http_network_transaction.cc @@ -207,6 +207,17 @@ int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, if (!connection_.is_initialized()) return 0; // connection_ has been reset. Treat like EOF. + if (establishing_tunnel_) { + // We're trying to read the body of the response but we're still trying to + // establish an SSL tunnel through the proxy. We can't read these bytes + // when establishing a tunnel because they might be controlled by an active + // network attacker. We don't worry about this for HTTP because an active + // network attacker can already control HTTP sessions. + // We reach this case when the user cancels a 407 proxy auth prompt. + // See http://crbug.com/8473 + return ERR_TUNNEL_CONNECTION_FAILED; + } + read_buf_ = buf; read_buf_len_ = buf_len; @@ -1002,7 +1013,9 @@ int HttpNetworkTransaction::DidReadResponseHeaders() { // domain name does not exist." LOG(WARNING) << "Blocked proxy response to CONNECT request with status " << - headers->response_code() << "."; + headers->response_code() << " for " << + request_->url.host() << ":" << + request_->url.EffectiveIntPort() << "."; return ERR_TUNNEL_CONNECTION_FAILED; } } -- cgit v1.1