From d474919578c36db47f9ce3b0c6574a82f931701d Mon Sep 17 00:00:00 2001
From: "rsleevi@chromium.org"
Date: Mon, 6 Dec 2010 02:23:07 +0000
Subject: When using NSS for certificate verification, add a check when fetching CRLs/OCSP responses to prevent redirects to non-HTTP URLs.

This matches the initial check when first called from NSS to create the URLRequest. In particular, fetching a CRL/OCSP response over HTTPS is troublesome, as the certificate sent by the responder may also need revocation checking, potentially causing revocation checking loops. The existing check only considered the initial URL scheme supplied by NSS. However, if the server issues a redirect, the new URL scheme scheme was not filtered.

BUG=64521
TEST=none

Review URL: http://codereview.chromium.org/5372002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@68329 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/ocsp/nss_ocsp.cc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'net/ocsp')

diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc
index adea79a..02edd05 100644
--- a/net/ocsp/nss_ocsp.cc
+++ b/net/ocsp/nss_ocsp.cc
@@ -248,6 +248,19 @@ class OCSPRequestSession
     return data_;
   }
 
+  virtual void OnReceivedRedirect(net::URLRequest* request,
+                                  const GURL& new_url,
+                                  bool* defer_redirect) {
+    DCHECK_EQ(request, request_);
+    DCHECK_EQ(MessageLoopForIO::current(), io_loop_);
+
+    if (!new_url.SchemeIs("http")) {
+      // Prevent redirects to non-HTTP schemes, including HTTPS. This matches
+      // the initial check in OCSPServerSession::CreateRequest().
+      CancelURLRequest();
+    }
+  }
+
   virtual void OnResponseStarted(net::URLRequest* request) {
     DCHECK_EQ(request, request_);
     DCHECK_EQ(MessageLoopForIO::current(), io_loop_);
--
cgit v1.1
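Review bot: The new comment on the `if (!new_url.SchemeIs("http"))` branch says what is blocked but not why, and the reason given in the commit message — an HTTPS responder's certificate would itself need revocation checking, risking a revocation-checking loop — is exactly what a later maintainer needs before relaxing the check to admit HTTPS; I would extend it to `// Prevent redirects to non-HTTP schemes, including HTTPS: an HTTPS responder's certificate would itself need revocation checking, which can loop. This matches the initial check in OCSPServerSession::CreateRequest().` The handler also leaves `*defer_redirect` untouched and relies on CancelURLRequest() taking effect before URLRequest follows the redirect, which is presumably how URLRequest behaves but is not shown by anything in the hunk, so a one-line comment stating that reliance would help. Since the same scheme rule now lives in two places, a small shared helper such as `static bool IsAllowedOCSPScheme(const GURL& url) { return url.SchemeIs("http"); }` called from both OnReceivedRedirect and OCSPServerSession::CreateRequest would keep the two checks from drifting apart. The enclosing class OCSPRequestSession starts and ends outside the hunk.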