1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <limits>
6 #include <string_view>
7
8 #include "base/base64.h"
9 #include "base/check_op.h"
10 #include "base/notreached.h"
11 #include "base/strings/string_tokenizer.h"
12 #include "base/strings/string_util.h"
13 #include "net/base/parse_number.h"
14 #include "net/http/http_security_headers.h"
15 #include "net/http/http_util.h"
16 #include "url/gurl.h"
17
18 namespace net {
19
20 namespace {
21
22 enum MaxAgeParsing { REQUIRE_MAX_AGE, DO_NOT_REQUIRE_MAX_AGE };
23
24 // MaxAgeToLimitedInt converts a string representation of a "whole number" of
25 // seconds into a uint32_t. The string may contain an arbitrarily large number,
26 // which will be clipped to a supplied limit and which is guaranteed to fit
27 // within a 32-bit unsigned integer. False is returned on any parse error.
MaxAgeToLimitedInt(std::string_view s,uint32_t limit,uint32_t * result)28 bool MaxAgeToLimitedInt(std::string_view s, uint32_t limit, uint32_t* result) {
29 ParseIntError error;
30 if (!ParseUint32(s, ParseIntFormat::NON_NEGATIVE, result, &error)) {
31 if (error == ParseIntError::FAILED_OVERFLOW) {
32 *result = limit;
33 } else {
34 return false;
35 }
36 }
37
38 if (*result > limit)
39 *result = limit;
40
41 return true;
42 }
43
44 } // namespace
45
46 // Parse the Strict-Transport-Security header, as currently defined in
47 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
48 //
49 // Strict-Transport-Security = "Strict-Transport-Security" ":"
50 // [ directive ] *( ";" [ directive ] )
51 //
52 // directive = directive-name [ "=" directive-value ]
53 // directive-name = token
54 // directive-value = token | quoted-string
55 //
56 // 1. The order of appearance of directives is not significant.
57 //
58 // 2. All directives MUST appear only once in an STS header field.
59 // Directives are either optional or required, as stipulated in
60 // their definitions.
61 //
62 // 3. Directive names are case-insensitive.
63 //
64 // 4. UAs MUST ignore any STS header fields containing directives, or
65 // other header field value data, that does not conform to the
66 // syntax defined in this specification.
67 //
68 // 5. If an STS header field contains directive(s) not recognized by
69 // the UA, the UA MUST ignore the unrecognized directives and if the
70 // STS header field otherwise satisfies the above requirements (1
71 // through 4), the UA MUST process the recognized directives.
ParseHSTSHeader(const std::string & value,base::TimeDelta * max_age,bool * include_subdomains)72 bool ParseHSTSHeader(const std::string& value,
73 base::TimeDelta* max_age,
74 bool* include_subdomains) {
75 uint32_t max_age_candidate = 0;
76 bool include_subdomains_candidate = false;
77
78 // We must see max-age exactly once.
79 int max_age_observed = 0;
80 // We must see includeSubdomains exactly 0 or 1 times.
81 int include_subdomains_observed = 0;
82
83 enum ParserState {
84 START,
85 AFTER_MAX_AGE_LABEL,
86 AFTER_MAX_AGE_EQUALS,
87 AFTER_MAX_AGE,
88 AFTER_INCLUDE_SUBDOMAINS,
89 AFTER_UNKNOWN_LABEL,
90 DIRECTIVE_END
91 } state = START;
92
93 base::StringTokenizer tokenizer(value, " \t=;");
94 tokenizer.set_options(base::StringTokenizer::RETURN_DELIMS);
95 tokenizer.set_quote_chars("\"");
96 std::string unquoted;
97 while (tokenizer.GetNext()) {
98 std::string_view token = tokenizer.token_piece();
99 DCHECK(!tokenizer.token_is_delim() || token.length() == 1);
100 switch (state) {
101 case START:
102 case DIRECTIVE_END:
103 if (base::IsAsciiWhitespace(token[0]))
104 continue;
105 if (base::EqualsCaseInsensitiveASCII(token, "max-age")) {
106 state = AFTER_MAX_AGE_LABEL;
107 max_age_observed++;
108 } else if (base::EqualsCaseInsensitiveASCII(token,
109 "includesubdomains")) {
110 state = AFTER_INCLUDE_SUBDOMAINS;
111 include_subdomains_observed++;
112 include_subdomains_candidate = true;
113 } else {
114 state = AFTER_UNKNOWN_LABEL;
115 }
116 break;
117
118 case AFTER_MAX_AGE_LABEL:
119 if (base::IsAsciiWhitespace(token[0]))
120 continue;
121 if (token[0] != '=')
122 return false;
123 DCHECK_EQ(token.length(), 1U);
124 state = AFTER_MAX_AGE_EQUALS;
125 break;
126
127 case AFTER_MAX_AGE_EQUALS:
128 if (base::IsAsciiWhitespace(token[0]))
129 continue;
130 unquoted = HttpUtil::Unquote(token);
131 if (!MaxAgeToLimitedInt(unquoted, kMaxHSTSAgeSecs, &max_age_candidate))
132 return false;
133 state = AFTER_MAX_AGE;
134 break;
135
136 case AFTER_MAX_AGE:
137 case AFTER_INCLUDE_SUBDOMAINS:
138 if (base::IsAsciiWhitespace(token[0]))
139 continue;
140 else if (token[0] == ';')
141 state = DIRECTIVE_END;
142 else
143 return false;
144 break;
145
146 case AFTER_UNKNOWN_LABEL:
147 // Consume and ignore the post-label contents (if any).
148 if (token[0] != ';')
149 continue;
150 state = DIRECTIVE_END;
151 break;
152 }
153 }
154
155 // We've consumed all the input. Let's see what state we ended up in.
156 if (max_age_observed != 1 ||
157 (include_subdomains_observed != 0 && include_subdomains_observed != 1)) {
158 return false;
159 }
160
161 switch (state) {
162 case DIRECTIVE_END:
163 case AFTER_MAX_AGE:
164 case AFTER_INCLUDE_SUBDOMAINS:
165 case AFTER_UNKNOWN_LABEL:
166 *max_age = base::Seconds(max_age_candidate);
167 *include_subdomains = include_subdomains_candidate;
168 return true;
169 case START:
170 case AFTER_MAX_AGE_LABEL:
171 case AFTER_MAX_AGE_EQUALS:
172 return false;
173 default:
174 NOTREACHED();
175 return false;
176 }
177 }
178
179 } // namespace net
180