Expire HSTS entries that have exceeded their max-age

servo/servo#6105
This commit is contained in:
Sam Gibson 2015-06-23 11:57:28 -07:00
parent 8d39fb6dcf
commit 15c90a58b2
5 changed files with 68 additions and 4 deletions

View file

@ -194,7 +194,7 @@ pub struct HSTSEntry {
pub host: String,
pub include_subdomains: bool,
pub max_age: Option<u64>,
timestamp: Option<u64>
pub timestamp: Option<u64>
}
impl HSTSEntry {
@ -211,12 +211,22 @@ impl HSTSEntry {
}
}
pub fn is_expired(&self) -> bool {
match (self.max_age, self.timestamp) {
(Some(max_age), Some(timestamp)) => {
(time::get_time().sec as u64) - timestamp > max_age
},
_ => false
}
}
fn matches_domain(&self, host: &str) -> bool {
self.host == host
!self.is_expired() && self.host == host
}
fn matches_subdomain(&self, host: &str) -> bool {
host.ends_with(&format!(".{}", self.host))
!self.is_expired() && host.ends_with(&format!(".{}", self.host))
}
}
@ -254,7 +264,7 @@ impl HSTSList {
})
}
pub fn has_subdomain(&self, host: String) -> bool {
fn has_subdomain(&self, host: String) -> bool {
self.entries.iter().any(|e| {
e.matches_subdomain(&host)
})

View file

@ -876,6 +876,7 @@ dependencies = [
"net 0.0.1",
"net_traits 0.0.1",
"url 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
"time 0.1.26 (registry+https://github.com/rust-lang/crates.io-index)",
"util 0.0.1",
]

View file

@ -21,3 +21,4 @@ path = "../../../components/util"
cookie = "0.1"
hyper = "0.6"
url = "0.2"
time = "0.1"

View file

@ -8,6 +8,7 @@ extern crate net;
extern crate net_traits;
extern crate url;
extern crate util;
extern crate time;
#[cfg(test)] mod cookie;
#[cfg(test)] mod data_loader;

View file

@ -11,6 +11,7 @@ use std::borrow::ToOwned;
use std::collections::HashMap;
use std::sync::mpsc::channel;
use url::Url;
use time;
#[test]
@ -19,6 +20,42 @@ fn test_exit() {
resource_task.send(ControlMsg::Exit).unwrap();
}
#[test]
fn test_hsts_entry_is_not_expired_when_it_has_no_timestamp() {
let entry = HSTSEntry {
host: "mozilla.org".to_string(),
include_subdomains: false,
max_age: Some(20),
timestamp: None
};
assert!(!entry.is_expired());
}
#[test]
fn test_hsts_entry_is_not_expired_when_it_has_no_max_age() {
let entry = HSTSEntry {
host: "mozilla.org".to_string(),
include_subdomains: false,
max_age: None,
timestamp: Some(time::get_time().sec as u64)
};
assert!(!entry.is_expired());
}
#[test]
fn test_hsts_entry_is_expired_when_it_has_reached_its_max_age() {
let entry = HSTSEntry {
host: "mozilla.org".to_string(),
include_subdomains: false,
max_age: Some(10),
timestamp: Some(time::get_time().sec as u64 - 20u64)
};
assert!(entry.is_expired());
}
#[test]
fn test_hsts_entry_cant_be_created_with_ipv6_address_as_host() {
let entry = HSTSEntry::new(
@ -178,6 +215,20 @@ fn test_hsts_list_with_subdomain_when_host_is_exact_match_is_always_secure() {
assert!(hsts_list.always_secure("mozilla.org") == true);
}
#[test]
fn test_hsts_list_with_expired_entry_is_not_always_secure() {
let hsts_list = HSTSList {
entries: vec![HSTSEntry {
host: "mozilla.org".to_string(),
include_subdomains: false,
max_age: Some(20),
timestamp: Some(time::get_time().sec as u64 - 100u64)
}]
};
assert!(!hsts_list.always_secure("mozilla.org"));
}
#[test]
fn test_make_hsts_secure_does_not_change_explicit_port() {
let load_data = LoadData::new(Url::parse("http://mozilla.org:8080/").unwrap(), None);