From 42549270e102c1ad891c10a7ffd52f7fdb019a0f Mon Sep 17 00:00:00 2001
From: yan
Date: Sun, 10 Feb 2019 21:49:40 -0800
Subject: [PATCH] Reject referral promo header names unless whitelisted

Fix https://github.com/brave/brave-browser/issues/3301
Currently the only whitelisted header is 'X-Brave-Partner'.
---
 browser/net/brave_referrals_network_delegate_helper.cc | 5 ++++-
 .../brave_referrals_network_delegate_helper_unittest.cc | 7 ++++++-
 common/network_constants.cc | 1 +
 common/network_constants.h | 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/browser/net/brave_referrals_network_delegate_helper.cc b/browser/net/brave_referrals_network_delegate_helper.cc
index ce8437501a8d..3dae7436ff2a 100644
--- a/browser/net/brave_referrals_network_delegate_helper.cc
+++ b/browser/net/brave_referrals_network_delegate_helper.cc
@@ -6,6 +6,7 @@
 #include "base/values.h"
 #include "brave/components/brave_referrals/browser/brave_referrals_service.h"
+#include "brave/common/network_constants.h"
 #include "chrome/browser/browser_process.h"
 #include "content/public/browser/browser_thread.h"
 #include "extensions/common/url_pattern.h"
@@ -27,7 +28,9 @@ int OnBeforeStartTransaction_ReferralsWork(
 *ctx->referral_headers_list, &request_headers_dict, request->url()))
 return net::OK;
 for (const auto& it : request_headers_dict->DictItems()) {
- headers->SetHeader(it.first, it.second.GetString());
+ if (it.first == kBravePartnerHeader) {
+ headers->SetHeader(it.first, it.second.GetString());
+ }
 }
 return net::OK;
 }
diff --git a/browser/net/brave_referrals_network_delegate_helper_unittest.cc b/browser/net/brave_referrals_network_delegate_helper_unittest.cc
index 66e4c8f657b1..27873d07eac4 100644
--- a/browser/net/brave_referrals_network_delegate_helper_unittest.cc
+++ b/browser/net/brave_referrals_network_delegate_helper_unittest.cc
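Review bot: The whitelisted branch still calls `it.second.GetString()` without checking the value's type, so a referral-headers entry whose `X-Brave-Partner` value is not a string would, if `base::Value::GetString()` asserts on non-string values as it does in Chromium, take the browser down instead of being skipped; since `referral_headers_list` is configuration this code does not construct itself, guard the type together with the name: `if (it.first == kBravePartnerHeader && it.second.is_string()) {`. The comparison is also exact-match, so a list entry spelled `x-brave-partner` is silently dropped — acceptable as fail-closed, but worth a comment such as `// Only the exact, case-sensitive partner header name is forwarded; every other name in the list is ignored.` plus a `DVLOG` of the rejected name so an unexpected or tampered list is visible when debugging. The function's signature and opening lines are outside the hunk.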
@@ -21,7 +21,8 @@ const char kTestReferralHeaders[] = R"(
 "barrons.com"
 ],
 "headers": {
- "X-Brave-Partner":"dowjones"
+ "X-Brave-Partner":"dowjones",
+ "X-Invalid": "test"
 },
 "cookieNames": [
 ],
@@ -89,6 +90,10 @@ TEST_F(BraveReferralsNetworkDelegateHelperTest, ReplaceHeadersForMatchingDomain)
 headers.GetHeader("X-Brave-Partner", &partner_header);
 EXPECT_EQ(partner_header, "dowjones");
+ std::string invalid_partner_header;
+ EXPECT_EQ(headers.GetHeader("X-Invalid", &invalid_partner_header), false);
+ EXPECT_EQ(invalid_partner_header, "");
+ EXPECT_EQ(ret, net::OK);
 }
diff --git a/common/network_constants.cc b/common/network_constants.cc
index 6d97ad7ee2e1..1bad2379a852 100644
--- a/common/network_constants.cc
+++ b/common/network_constants.cc
@@ -26,6 +26,7 @@ const char kCookieHeader[] = "Cookie";
 // Intentional misspelling on referrer to match HTTP spec
 const char kRefererHeader[] = "Referer";
 const char kUserAgentHeader[] = "User-Agent";
+const char kBravePartnerHeader[] = "X-Brave-Partner";
 const char kBittorrentMimeType[] = "application/x-bittorrent";
 const char kOctetStreamMimeType[] = "application/octet-stream";
diff --git a/common/network_constants.h b/common/network_constants.h
index b3205f9fb43a..b10559c48499 100644
--- a/common/network_constants.h
+++ b/common/network_constants.h
@@ -24,6 +24,7 @@ extern const char kTwitterRedirectURL[];
 extern const char kCookieHeader[];
 extern const char kRefererHeader[];
 extern const char kUserAgentHeader[];
+extern const char kBravePartnerHeader[];
 extern const char kBittorrentMimeType[];
 extern const char kOctetStreamMimeType[];
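Review bot: `EXPECT_EQ(headers.GetHeader("X-Invalid", &invalid_partner_header), false)` in the second unittest hunk reads more naturally as `EXPECT_FALSE(headers.GetHeader("X-Invalid", &invalid_partner_header));`, which also yields a clearer failure message. The new assertions pin only that an unrelated name is rejected; adding a fixture entry with a different casing of the partner header (e.g. `x-brave-partner`) and asserting it is not forwarded would also lock in the exact-match semantics of the `it.first == kBravePartnerHeader` check in the helper. The test body begins outside the hunk.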