When parsing cookie expiration times, saturate out of range dates

net/cookies/cookie_util.cc

Index: net/cookies/cookie_util.cc
diff --git a/net/cookies/cookie_util.cc b/net/cookies/cookie_util.cc
index 210b8d479af7bcafc3274746b321a0fc6915d26c..a1b274b39b0781e0740ce4f9e69ff132da141bff 100644
--- a/net/cookies/cookie_util.cc
+++ b/net/cookies/cookie_util.cc
@@ -18,6 +18,77 @@
 namespace net {
 namespace cookie_util {
 
+namespace {
+
+base::Time MinNonNullTime() {
+  return base::Time::FromInternalValue(1);
+}
+
+// Tries to assemble a base::Time given a base::Time::Exploded representing a
+// UTC calendar date.
+//
+// If the date falls outside of the range supported internally by
+// FromUTCExploded() on the current platform, then the result is:
+//
+// * Time(1) if it's below the range FromUTCExploded() supports.
+// * Time::Max() if it's above the range FromUTCExploded() supports.
+bool SaturatedTimeFromUTCExploded(const base::Time::Exploded& exploded,
+                                  base::Time* out) {
+  // Try to calculate the base::Time in the normal fashion.
+  if (base::Time::FromUTCExploded(exploded, out)) {
+    // Don't return Time(0) on success.
+    if (out->is_null())
+      *out = MinNonNullTime();
+    return true;
+  }
+
+  // base::Time::FromUTCExploded() has platform-specific limits:
+  //
+  // * Windows: Years 1601 - 30827
+  // * 32-bit POSIX: Years 1970 - 2038
+  //
+  // Work around this by returning min/max valid times for times outside those
+  // ranges when imploding the time is doomed to fail.
+  //
+  // Note that the following implementation is NOT perfect. It will accept
+  // some invalid calendar dates in the out-of-range case.
+  if (!exploded.HasValidValues())
+    return false;
+#if defined(OS_POSIX) && !defined(OS_MACOSX)
+  // Allow dates prior to unix epoch (which fail on non-Mac/iOS POSIX).
+  if (exploded.year < 1970) {
+    *out = MinNonNullTime();
+    return true;
+  }
+
+  // On 32-bit non-Mac/iOS POSIX systems, the time_t value that FromExploded()
+  // returns overflows in the middle of year 2038. In that case, return
+  // Time::Max().
+  if (sizeof(time_t) == 4u && exploded.year >= 2038) {
+    *out = base::Time::Max();
+    return true;
+  }
+#endif  // defined(OS_POSIX) && !defined(OS_MACOSX)
+
+#if defined(OS_WIN)
+  // Allow dates prior to Windows epoch.
+  if (exploded.year < 1601) {
+    *out = MinNonNullTime();
+    return true;
+  }
+
+  // Allow dates after the Windows epoch.
+  if (exploded.year >= 30827) {
+    *out = base::Time::Max();
+    return true;
+  }
+#endif  //  defined(OS_WIN)
+
+  return false;
+}
+
+}  // namespace
+
 bool DomainIsHostOnly(const std::string& domain_string) {
   return (domain_string.empty() || domain_string[0] != '.');
 }
@@ -103,7 +174,7 @@ bool GetCookieDomainWithString(const GURL& url,
 //  - The time must be of the format hh:mm:ss.
 // An average cookie expiration will look something like this:
 //   Sat, 15-Apr-17 21:01:22 GMT
-base::Time ParseCookieTime(const std::string& time_string) {
+base::Time ParseCookieExpirationTime(const std::string& time_string) {
   static const char* const kMonths[] = {
     "jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec" };
@@ -200,13 +271,11 @@ base::Time ParseCookieTime(const std::string& time_string) {
   if (exploded.year >= 0 && exploded.year <= 68)
     exploded.year += 2000;
 
-  // If our values are within their correct ranges, we got our time.
-  if (exploded.day_of_month >= 1 && exploded.day_of_month <= 31 &&
-      exploded.month >= 1 && exploded.month <= 12 &&
-      exploded.year >= 1601 && exploded.year <= 30827 &&
-      exploded.hour <= 23 && exploded.minute <= 59 && exploded.second <= 59) {
-    return base::Time::FromUTCExploded(exploded);
-  }
+  // Note that clipping the date if it is outside of a platform-specific range
+  // is permitted by: https://tools.ietf.org/html/rfc6265#section-5.2.1
+  base::Time result;
+  if (SaturatedTimeFromUTCExploded(exploded, &result))
+    return result;
 
   // One of our values was out of expected range.  For well-formed input,
   // the following check would be reasonable: