
Side by Side Diff: net/http/http_auth_controller.cc

Issue 10412025: Re-enable embedded identities in URLs for HTTP authentication. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Merge with trunk Created 8 years, 7 months ago
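--- a/net/http/http_auth_controller.cc
+++ b/net/http/http_auth_controller.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram.h"
 #include "base/string_util.h"
@@ -443,31 +443,35 @@
 // since the entry in the cache may be newer than what we used last time.
 http_auth_cache_->Remove(auth_origin_, handler_->realm(),
 handler_->auth_scheme(), identity_.credentials);
 }
 
 bool HttpAuthController::SelectNextAuthIdentityToTry() {
 DCHECK(CalledOnValidThread());
 DCHECK(handler_.get());
 DCHECK(identity_.invalid);
 
-// Do not try to use the username:password encoded into the URL. At worst,
-// this represents a session fixation attack against basic auth, and as it
-// turns out, IE hasn't supported this for years. If a caller really wants
-// to use embedded identities, the can add an URLRequest::Delegate that
-// inspects the URL and supplies the username/password at OnAuthRequired()
-// time. Past data shows this is used extremely infrequently in web pages,
-// but continue to collect this data.
+// Try to use the username:password encoded into the URL first.
 if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
 !embedded_identity_used_) {
+identity_.source = HttpAuth::IDENT_SRC_URL;
+identity_.invalid = false;
+// Extract the username:password from the URL.
+string16 username;
+string16 password;
+GetIdentityFromURL(auth_url_, &username, &password);
+identity_.credentials.Set(username, password);
 embedded_identity_used_ = true;
+// TODO(eroman): If the password is blank, should we also try combining
+// with a password from the cache?
 UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true);
+return true;
 }
 
 // Check the auth cache for a realm entry.
 HttpAuthCache::Entry* entry =
 http_auth_cache_->Lookup(auth_origin_, handler_->realm(),
 handler_->auth_scheme());
 
 if (entry) {
 identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
 identity_.invalid = false;
@@ -553,10 +557,10 @@
 DCHECK(CalledOnValidThread());
 return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
 DCHECK(CalledOnValidThread());
 disabled_schemes_.insert(scheme);
 }
 
 } // namespace net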
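Review bot: The replacement comment at new line 453 ("Try to use the username:password encoded into the URL first.") drops the only security rationale the old comment carried — that a URL-supplied identity for Basic auth was disabled as a session-fixation concern — so the new branch at lines 456–467 reads as an unconditional convenience rather than a deliberate, bounded re-enablement. The bounds are in the code but not stated: the guard on `target_ == HttpAuth::AUTH_SERVER` keeps proxy authentication from ever consuming URL credentials, and `embedded_identity_used_` ensures the embedded identity is offered exactly once before falling through to the cache lookup; a why-comment on the branch should say both, e.g. `// URL-embedded credentials are tried once (embedded_identity_used_) and only for the server target; they were previously disabled over a session-fixation concern for Basic auth.` The TODO at new lines 464–465 about a blank password is left open, which is fine for this CL but should be noted as a known gap since an empty password will now be sent as the first attempt. SelectNextAuthIdentityToTry's body continues past the hunk.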