• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include <limits>
6 #include <string_view>
7 
8 #include "base/base64.h"
9 #include "base/check_op.h"
10 #include "base/notreached.h"
11 #include "base/strings/string_tokenizer.h"
12 #include "base/strings/string_util.h"
13 #include "net/base/parse_number.h"
14 #include "net/http/http_security_headers.h"
15 #include "net/http/http_util.h"
16 #include "url/gurl.h"
17 
18 namespace net {
19 
20 namespace {
21 
22 enum MaxAgeParsing { REQUIRE_MAX_AGE, DO_NOT_REQUIRE_MAX_AGE };
23 
24 // MaxAgeToLimitedInt converts a string representation of a "whole number" of
25 // seconds into a uint32_t. The string may contain an arbitrarily large number,
26 // which will be clipped to a supplied limit and which is guaranteed to fit
27 // within a 32-bit unsigned integer. False is returned on any parse error.
MaxAgeToLimitedInt(std::string_view s,uint32_t limit,uint32_t * result)28 bool MaxAgeToLimitedInt(std::string_view s, uint32_t limit, uint32_t* result) {
29   ParseIntError error;
30   if (!ParseUint32(s, ParseIntFormat::NON_NEGATIVE, result, &error)) {
31     if (error == ParseIntError::FAILED_OVERFLOW) {
32       *result = limit;
33     } else {
34       return false;
35     }
36   }
37 
38   if (*result > limit)
39     *result = limit;
40 
41   return true;
42 }
43 
44 }  // namespace
45 
46 // Parse the Strict-Transport-Security header, as currently defined in
47 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
48 //
49 // Strict-Transport-Security = "Strict-Transport-Security" ":"
50 //                             [ directive ]  *( ";" [ directive ] )
51 //
52 // directive                 = directive-name [ "=" directive-value ]
53 // directive-name            = token
54 // directive-value           = token | quoted-string
55 //
56 // 1.  The order of appearance of directives is not significant.
57 //
58 // 2.  All directives MUST appear only once in an STS header field.
59 //     Directives are either optional or required, as stipulated in
60 //     their definitions.
61 //
62 // 3.  Directive names are case-insensitive.
63 //
64 // 4.  UAs MUST ignore any STS header fields containing directives, or
65 //     other header field value data, that does not conform to the
66 //     syntax defined in this specification.
67 //
68 // 5.  If an STS header field contains directive(s) not recognized by
69 //     the UA, the UA MUST ignore the unrecognized directives and if the
70 //     STS header field otherwise satisfies the above requirements (1
71 //     through 4), the UA MUST process the recognized directives.
ParseHSTSHeader(std::string_view value,base::TimeDelta * max_age,bool * include_subdomains)72 bool ParseHSTSHeader(std::string_view value,
73                      base::TimeDelta* max_age,
74                      bool* include_subdomains) {
75   uint32_t max_age_value = 0;
76   bool max_age_seen = false;
77   bool include_subdomains_value = false;
78 
79   HttpUtil::NameValuePairsIterator hsts_iterator(
80       value, ';', HttpUtil::NameValuePairsIterator::Values::NOT_REQUIRED,
81       HttpUtil::NameValuePairsIterator::Quotes::STRICT_QUOTES);
82   while (hsts_iterator.GetNext()) {
83     // Process `max-age`:
84     if (base::EqualsCaseInsensitiveASCII(hsts_iterator.name(), "max-age")) {
85       // Reject the header if `max-age` is specified more than once.
86       if (max_age_seen) {
87         return false;
88       }
89       max_age_seen = true;
90 
91       // Reject the header if `max-age`'s value is invalid. Otherwise, store it
92       // in `max_age_value`.
93       if (!MaxAgeToLimitedInt(hsts_iterator.value(), kMaxHSTSAgeSecs,
94                               &max_age_value)) {
95         return false;
96       }
97 
98       // Process `includeSubDomains`:
99     } else if (base::EqualsCaseInsensitiveASCII(hsts_iterator.name(),
100                                                 "includeSubDomains")) {
101       // Reject the header if `includeSubDomains` is specified more than once.
102       if (include_subdomains_value) {
103         return false;
104       }
105       // Reject the header if `includeSubDomains` has a value specified:
106       if (!hsts_iterator.value().empty() || hsts_iterator.value_is_quoted()) {
107         return false;
108       }
109 
110       include_subdomains_value = true;
111 
112       // Process unknown directives.
113     } else {
114       // Reject the header if a directive's name or unquoted value doesn't match
115       // the `token` grammar.
116       if (!HttpUtil::IsToken(hsts_iterator.name()) ||
117           hsts_iterator.name().empty()) {
118         return false;
119       }
120       if (!hsts_iterator.value().empty() && !hsts_iterator.value_is_quoted() &&
121           !HttpUtil::IsToken(hsts_iterator.value())) {
122         return false;
123       }
124     }
125   }
126 
127   if (!hsts_iterator.valid()) {
128     return false;
129   }
130 
131   // Reject the header if no `max-age` was set.
132   if (!max_age_seen) {
133     return false;
134   }
135 
136   *max_age = base::Seconds(max_age_value);
137   *include_subdomains = include_subdomains_value;
138   return true;
139 }
140 
141 }  // namespace net
142