From e0b55e8b1cdfea3dcb22b949632e4f5bcc200a76 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Mon, 23 Jan 2017 16:56:29 +0100 Subject: Make our redirect policies STS-aware This patch changes the way we ensure NoLessSafeRedirectsPolicy and also the way we create actual redirect requests: https->http redirect is now reported as InsecureRedirectError (under NoLessSafeRedirectsPolicy) only if STS is disabled or we were redirected to a host whithout Strict Transport Security policy. Otherwise, we replace 'http' scheme with 'https' and explicitly set port 80 with port 443 as defined by HTTP Strict Transport Security policy. This scheme/port replacement will affect both NoLessSafeRedirectsPolicy and UserVerifiedRedirectsPolicy (SameOriginRedirectsPolicy does not allow any scheme change and we continue to report such redirects as InsecureRedirectError). Change-Id: Ib370b830e5fb6a0fec503d6fa3a0dec771c4b741 Reviewed-by: Edward Welbourne Reviewed-by: Timur Pocheptsov --- src/network/access/qnetworkreplyhttpimpl.cpp | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'src/network/access/qnetworkreplyhttpimpl.cpp') diff --git a/src/network/access/qnetworkreplyhttpimpl.cpp b/src/network/access/qnetworkreplyhttpimpl.cpp index 7d863ef53c..ece08acc6b 100644 --- a/src/network/access/qnetworkreplyhttpimpl.cpp +++ b/src/network/access/qnetworkreplyhttpimpl.cpp @@ -1135,16 +1135,40 @@ void QNetworkReplyHttpImplPrivate::onRedirected(const QUrl &redirectUrl, int htt if (isFinished) return; + const QString schemeBefore(url.scheme()); if (httpRequest.isFollowRedirects()) // update the reply's url as it could've changed url = redirectUrl; - redirectRequest = createRedirectRequest(originalRequest, redirectUrl, maxRedirectsRemaining); + if (managerPrivate->stsEnabled && managerPrivate->stsCache.isKnownHost(url)) { + // RFC6797, 8.3: + // The UA MUST replace the URI scheme with "https" [RFC2818], + // and if the URI contains an explicit port component of "80", + // then the UA MUST convert the port component to be "443", or + // if the URI contains an explicit port component that is not + // equal to "80", the port component value MUST be preserved; + // otherwise, if the URI does not contain an explicit port + // component, the UA MUST NOT add one. + url.setScheme(QLatin1String("https")); + if (url.port() == 80) + url.setPort(443); + } + + const bool isLessSafe = schemeBefore == QLatin1String("https") + && url.scheme() == QLatin1String("http"); + if (httpRequest.redirectsPolicy() == QNetworkRequest::NoLessSafeRedirectsPolicy + && isLessSafe) { + error(QNetworkReply::InsecureRedirectError, + QCoreApplication::translate("QHttp", "Insecure redirect")); + return; + } + + redirectRequest = createRedirectRequest(originalRequest, url, maxRedirectsRemaining); operation = getRedirectOperation(operation, httpStatus); if (httpRequest.redirectsPolicy() != QNetworkRequest::UserVerifiedRedirectsPolicy) followRedirect(); - emit q->redirected(redirectUrl); + emit q->redirected(url); } void QNetworkReplyHttpImplPrivate::followRedirect() -- cgit v1.2.3