Repository: trafficserver Updated Branches: refs/heads/master 2938ad52e -> 4ea10c59f
TS-2009 Fail parsing of HTTP hdrs if a nul character is detected. This closes #148. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4ea10c59 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4ea10c59 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4ea10c59 Branch: refs/heads/master Commit: 4ea10c59f1b01d86a0087c0ed42f54b5afe9c394 Parents: 2938ad5 Author: shinrich <[email protected]> Authored: Tue Nov 18 10:36:29 2014 -0600 Committer: Alan M. Carroll <[email protected]> Committed: Tue Nov 18 15:58:48 2014 -0600 ---------------------------------------------------------------------- CHANGES | 2 ++ proxy/hdrs/HdrTest.cc | 46 ++++++++++++++++++++++++++++++++++++++++++++++ proxy/hdrs/HdrTest.h | 2 ++ proxy/hdrs/MIME.cc | 4 ++++ 4 files changed, 54 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4ea10c59/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 69a4aac..f3b32cc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.2.0 + *) [TS-2009] Fail HTTP header parsing for null characters. + *) [TS-3153] Ability to disable/modify NPN advertisement list based on SNI *) [TS-3196] Prevent crash due to de-allocated read VIO continuation. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4ea10c59/proxy/hdrs/HdrTest.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HdrTest.cc b/proxy/hdrs/HdrTest.cc index 2aad736..1e48912 100644 --- a/proxy/hdrs/HdrTest.cc +++ b/proxy/hdrs/HdrTest.cc 
@@ -971,6 +971,12 @@ HdrTest::test_http_hdr_print_and_copy() test_http_hdr_print_and_copy_aux(i + 1, tests[i].req, tests[i].req_tgt, tests[i].rsp, tests[i].rsp_tgt); if (status == 0) ++failures; + + // Test for expected failures + // parse with a '\0' in the header. Should fail + status = test_http_hdr_null_char(i + 1, tests[i].req, tests[i].req_tgt); + if (status == 0) + ++failures; } return (failures_to_status("test_http_hdr_print_and_copy", failures)); @@ -1139,6 +1145,46 @@ done: } } +int +HdrTest::test_http_hdr_null_char(int testnum, + const char *request, const char * /*request_tgt*/) +{ + int err; + HTTPHdr hdr; + HTTPParser parser; + const char *start; + char cpy_buf[2048]; + const char *cpy_buf_ptr = cpy_buf; + + + /*** (1) parse the request string into hdr ***/ + + hdr.create(HTTP_TYPE_REQUEST); + + start = request; + if (strlen(start) > sizeof(cpy_buf)) { + printf("FAILED: (test #%d) Internal buffer too small for null char test\n", testnum); + return (0); + } + strcpy(cpy_buf, start); + + // Put a null character somewhere in the header + int length = strlen(start); + cpy_buf[length/2] = '\0'; + + http_parser_init(&parser); + + while (1) { + err = hdr.parse_req(&parser, &cpy_buf_ptr, cpy_buf_ptr + length, true); + if (err != PARSE_CONT) + break; + } + if (err != PARSE_ERROR) { + printf("FAILED: (test #%d) no parse error parsing request with null char\n", testnum); + return (0); + } + return 1; +} /*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4ea10c59/proxy/hdrs/HdrTest.h ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HdrTest.h b/proxy/hdrs/HdrTest.h index 3d17f4e..1cf19d8 100644 --- a/proxy/hdrs/HdrTest.h +++ b/proxy/hdrs/HdrTest.h 
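Review bot: The new call adds its result to the same `failures` counter, so a regression in NUL handling is reported under "test_http_hdr_print_and_copy" and is hard to tell from a print/copy failure; giving the NUL case its own loop and its own `failures_to_status` name would keep the two apart. The comment is also slightly inaccurate: the helper places the '\0' at `length/2` of the whole request text, which for a given `tests[i].req` may fall in the request line rather than in a header field. Wording such as `// re-parse the request with a '\0' injected mid-buffer; the parser must reject it` matches what is done. The loop body begins outside this hunk.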
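Review bot: The size guard before `strcpy` in `test_http_hdr_null_char` is off by one: a request of exactly `sizeof(cpy_buf)` characters passes `strlen(start) > sizeof(cpy_buf)`, and `strcpy` then writes the terminator one byte past `cpy_buf`. Change the guard to `if (strlen(start) >= sizeof(cpy_buf)) {`. `hdr.create(HTTP_TYPE_REQUEST)` also has no matching `hdr.destroy()` on any of the three return paths shown, so if `HTTPHdr` does not release its heap in a destructor, every call leaks it. A short header comment saying that the function returns 1 when the parser rejects the request and 0 otherwise, and that `request_tgt` is deliberately unused, would make the contract clear.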
@@ -73,6 +73,8 @@ private: int test_http_hdr_print_and_copy_aux(int testnum, const char *req, const char *req_tgt, const char *rsp, const char *rsp_tgt); + int test_http_hdr_null_char(int testnum, + const char *req, const char *req_tgt ); int test_http_hdr_copy_over_aux(int testnum, const char *request, const char *response); int test_http_aux(const char *request, const char *response); int test_arena_aux(Arena * arena, int len); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4ea10c59/proxy/hdrs/MIME.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc index 6441841..7c8b5cb 100644 --- a/proxy/hdrs/MIME.cc +++ b/proxy/hdrs/MIME.cc @@ -2446,6 +2446,10 @@ mime_scanner_get(MIMEScanner *S, *output_shares_raw_input = true; } } + // Make sure there are no '\0' in the input scanned so far + if (zret != PARSE_ERROR && + memchr(*raw_input_s, '\0', raw_input_c - *raw_input_s) != NULL) + zret = PARSE_ERROR; *raw_input_s = raw_input_c; // mark input consumed. return zret;
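Review bot: The NUL check lands in `mime_scanner_get`, which from its name and file looks like the shared line scanner, so it presumably also fails responses and any other input scanned through it, yet the only test added goes through `parse_req`. A companion case that feeds a response containing '\0' through the response parser would pin that behaviour and show that the wider effect is intended. The comment states what is checked but not why; something like `// Reject embedded NULs: code that treats field data as a C string would see it cut short there.` would help, once confirmed against the consumers. The two-line condition would also be safer with braces around `zret = PARSE_ERROR;`. The function body starts outside this hunk.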
