[Xfce4-commits] <midori:master> Cache HSTS directives and handle sub domains

Christian Dywan noreply at xfce.org
Sun Sep 2 23:22:02 CEST 2012 

Updating branch refs/heads/master
         to c1d387f95869e017c32d3a2c558f29edc783c239 (commit)
       from fee43b8be62ae2ddbe9352f3c7dddf60c06f66d2 (commit)

commit c1d387f95869e017c32d3a2c558f29edc783c239
Author: Christian Dywan <christian at twotoasts.de>
Date:   Sun Sep 2 21:09:18 2012 +0200

    Cache HSTS directives and handle sub domains

 katze/midori-hsts.vala |   68 ++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/katze/midori-hsts.vala b/katze/midori-hsts.vala
index 32e8216..989e95e 100644
--- a/katze/midori-hsts.vala
+++ b/katze/midori-hsts.vala
@@ -35,17 +35,37 @@ namespace Midori {
             }
         }
 
-        public string? filename { get; set; default = null; }
+        File file;
         HashTable<string, Directive> whitelist;
         bool debug = false;
 
-        public HSTS (owned string new_filename) {
-            filename = new_filename;
+        public HSTS (owned string filename) {
             whitelist = new HashTable<string, Directive> (str_hash, str_equal);
+            read_cache (File.new_for_path (Paths.get_config_filename (null, "hsts")));
+            file = File.new_for_path (filename);
+            read_cache (file);
             if (strcmp (Environment.get_variable ("MIDORI_DEBUG"), "hsts") == 0)
                 debug = true;
         }
 
+        async void read_cache (File file) {
+            try {
+                var stream = new DataInputStream (yield file.read_async ());
+                do {
+                    string? line = yield stream.read_line_async ();
+                    if (line == null)
+                        break;
+                    string[] parts = line.split (" ", 2);
+                    if (parts[0] == null || parts[1] == null)
+                        break;
+                    var directive = new Directive.from_header (parts[1]);
+                    if (directive.is_valid ())
+                        append_to_whitelist (parts[0], directive);
+                } while (true);
+            }
+            catch (Error error) { }
+        }
+
         /* No sub-features */
         public bool add_feature (Type type) { return false; }
         public bool remove_feature (Type type) { return false; }
@@ -59,18 +79,44 @@ namespace Midori {
         public void request_queued (Soup.Session session, Soup.Message message) { }
         public void request_unqueued (Soup.Session session, Soup.Message msg) { }
 
+        bool should_secure_host (string host) {
+            Directive? directive = whitelist.lookup (host);
+            if (directive == null)
+                directive = whitelist.lookup ("*." + host);
+            return directive != null && directive.is_valid ();
+        }
+
         void queued (Soup.Session session, Soup.Message message) {
-            Directive? directive = whitelist.lookup (message.uri.host);
-            if (directive != null && directive.is_valid ()) {
+            if (should_secure_host (message.uri.host)) {
                 message.uri.set_scheme ("https");
                 session.requeue_message (message);
                 if (debug)
-                    stdout.printf ("HTPS: Enforce %s\n", message.uri.to_string (false));
+                    stdout.printf ("HSTS: Enforce %s\n", message.uri.host);
             }
             else if (message.uri.scheme == "http")
                 message.finished.connect (strict_transport_security_handled);
         }
 
+        void append_to_whitelist (string host, Directive directive) {
+            whitelist.insert (host, directive);
+            if (directive.sub_domains)
+                whitelist.insert ("*." + host, directive);
+        }
+
+        async void append_to_cache (string host, string header) {
+            if (Midori.Paths.is_readonly ())
+                return;
+
+            try {
+                var stream = file.append_to/* FIXME _async*/ (FileCreateFlags.NONE);
+                yield stream.write_async ((host + " " + header + "\n").data);
+                yield stream.flush_async ();
+            }
+            catch (Error error) {
+                critical ("Failed to update %s: %s", file.get_path (), error.message);
+            }
+        }
+
         void strict_transport_security_handled (Soup.Message message) {
             if (message == null || message.uri == null)
                 return;
@@ -80,11 +126,13 @@ namespace Midori {
                 return;
 
             var directive = new Directive.from_header (hsts);
-            if (directive.is_valid ())
-                whitelist.insert (message.uri.host, directive);
+            if (directive.is_valid ()) {
+                append_to_whitelist (message.uri.host, directive);
+                append_to_cache (message.uri.host, hsts);
+            }
             if (debug)
-                stdout.printf ("HTPS: '%s' sets '%s' valid? %s\n",
-                    message.uri.to_string (false), hsts, directive.is_valid ().to_string ());
+                stdout.printf ("HSTS: '%s' sets '%s' valid? %s\n",
+                    message.uri.host, hsts, directive.is_valid ().to_string ());
         }
 
     }

More information about the Xfce4-commits mailing list