Recreate response head objects on multiple redirect

The previous response head gets moved when redirecting, which lead to
dereferencing a null pointer on the next redirect.

Pick-to: 6.4 5.15
Fixes: QTBUG-109357
Change-Id: Iaad1c46b8d4ca9720f1749980a9e06337ca0f3d8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 18 insertions, 8 deletions

diff --git a/src/core/net/proxying_url_loader_factory_qt.cpp b/src/core/net/proxying_url_loader_factory_qt.cpp
index 49c76b84d..2edf915c8 100644
--- a/src/core/net/proxying_url_loader_factory_qt.cpp
+++ b/src/core/net/proxying_url_loader_factory_qt.cpp
@@ -30,6 +30,18 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+namespace {
+    network::mojom::URLResponseHeadPtr createResponse(const network::ResourceRequest &request) {
+        const bool disable_web_security = base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableWebSecurity);
+        network::mojom::URLResponseHeadPtr response = network::mojom::URLResponseHead::New();
+        response->response_type = network::cors::CalculateResponseType(
+            request.mode, disable_web_security || (
+            request.request_initiator && request.request_initiator->IsSameOriginWith(url::Origin::Create(request.url))));
+
+        return response;
+    }
+}
+
 namespace QtWebEngineCore {
 
 ASSERT_ENUMS_MATCH(QWebEngineUrlRequestInfo::ResourceTypeMainFrame, blink::mojom::ResourceType::kMainFrame)
@@ -188,11 +200,7 @@ InterceptedRequest::InterceptedRequest(ProfileAdapter *profile_adapter,
     , weak_factory_(this)
 {
     const bool disable_web_security = base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableWebSecurity);
-    current_response_ = network::mojom::URLResponseHead::New();
-    current_response_->response_type = network::cors::CalculateResponseType(
-        request_.mode,
-        disable_web_security || (
-            request_.request_initiator && request_.request_initiator->IsSameOriginWith(url::Origin::Create(request_.url))));
+    current_response_ = createResponse(request_);
     // If there is a client error, clean up the request.
     target_client_.set_disconnect_handler(
             base::BindOnce(&InterceptedRequest::OnURLLoaderClientError, base::Unretained(this)));
@@ -367,9 +375,6 @@ void InterceptedRequest::ContinueAfterIntercept()
                         first_party_url_policy, request_.referrer_policy, request_.referrer.spec(),
                         net::HTTP_TEMPORARY_REDIRECT, toGurl(info.url), absl::nullopt,
                         false /*insecure_scheme_was_upgraded*/);
-
-                // FIXME: Should probably create a new header.
-                current_response_->encoded_data_length = 0;
                 request_.method = redirectInfo.new_method;
                 request_.url = redirectInfo.new_url;
                 request_.site_for_cookies = redirectInfo.new_site_for_cookies;
@@ -377,6 +382,11 @@ void InterceptedRequest::ContinueAfterIntercept()
                 request_.referrer_policy = redirectInfo.new_referrer_policy;
                 if (request_.method == net::HttpRequestHeaders::kGetMethod)
                     request_.request_body = nullptr;
+                // In case of multiple sequential rediredts, current_response_ has previously been moved to target_client_
+                // so we create a new one using the redirect url.
+                if (!current_response_)
+                    current_response_ = createResponse(request_);
+                current_response_->encoded_data_length = 0;
                 target_client_->OnReceiveRedirect(redirectInfo, std::move(current_response_));
                 return;
             }