// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/http/http_log_util.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "net/http/http_auth_challenge_tokenizer.h"
namespace net {
namespace {
bool ShouldRedactChallenge(HttpAuthChallengeTokenizer* challenge) {
// Ignore lines with commas, as they may contain lists of schemes, and
// the information we want to hide is Base64 encoded, so has no commas.
if (challenge->challenge_text().find(',') != std::string::npos)
return false;
std::string scheme = StringToLowerASCII(challenge->scheme());
// Invalid input.
if (scheme.empty())
return false;
// Ignore Basic and Digest authentication challenges, as they contain
// public information.
if (scheme == "basic" || scheme == "digest")
return false;
return true;
}
} // namespace
std::string ElideHeaderValueForNetLog(NetLog::LogLevel log_level,
const std::string& header,
const std::string& value) {
#if defined(SPDY_PROXY_AUTH_ORIGIN)
if (!base::strcasecmp(header.c_str(), "proxy-authorization") ||
!base::strcasecmp(header.c_str(), "proxy-authenticate")) {
return "[elided]";
}
#endif
if (log_level < NetLog::LOG_STRIP_PRIVATE_DATA)
return value;
// Note: this logic should be kept in sync with stripCookiesAndLoginInfo in
// chrome/browser/resources/net_internals/log_view_painter.js.
std::string::const_iterator redact_begin = value.begin();
std::string::const_iterator redact_end = value.begin();
if (!base::strcasecmp(header.c_str(), "set-cookie") ||
!base::strcasecmp(header.c_str(), "set-cookie2") ||
!base::strcasecmp(header.c_str(), "cookie") ||
!base::strcasecmp(header.c_str(), "authorization") ||
!base::strcasecmp(header.c_str(), "proxy-authorization")) {
redact_begin = value.begin();
redact_end = value.end();
} else if (!base::strcasecmp(header.c_str(), "www-authenticate") ||
!base::strcasecmp(header.c_str(), "proxy-authenticate")) {
// Look for authentication information from data received from the server in
// multi-round Negotiate authentication.
HttpAuthChallengeTokenizer challenge(value.begin(), value.end());
if (ShouldRedactChallenge(&challenge)) {
redact_begin = challenge.params_begin();
redact_end = challenge.params_end();
}
}
if (redact_begin == redact_end)
return value;
return std::string(value.begin(), redact_begin) +
base::StringPrintf("[%ld bytes were stripped]",
static_cast<long>(redact_end - redact_begin)) +
std::string(redact_end, value.end());
}
} // namespace net