Repository: trafficserver Updated Branches: refs/heads/master 4ea10c59f -> b0d8e2a52
TS-3202: Fail the parse if an invalid character is found in the method. This closes #149. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/b0d8e2a5 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/b0d8e2a5 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/b0d8e2a5 Branch: refs/heads/master Commit: b0d8e2a528b80099d3524922832f1b6917145f89 Parents: 4ea10c5 Author: shinrich <[email protected]> Authored: Tue Nov 18 11:03:22 2014 -0600 Committer: Alan M. Carroll <[email protected]> Committed: Tue Nov 18 16:22:58 2014 -0600 ---------------------------------------------------------------------- CHANGES | 2 ++ proxy/hdrs/HTTP.cc | 6 ++++++ proxy/hdrs/HdrTest.cc | 53 ++++++++++++++++++++++++++++++++++++++++++++-- proxy/hdrs/HdrTest.h | 2 ++ 4 files changed, 61 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b0d8e2a5/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index f3b32cc..d996913 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.2.0 + *) [TS-3202] Enforce token character constraints on method field in HTTP header. + *) [TS-2009] Fail HTTP header parsing for null characters. *) [TS-3153] Ability to disable/modify NPN advertisement list based on SNI http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b0d8e2a5/proxy/hdrs/HTTP.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc index 2bdc58e..ce28ba7 100644 --- a/proxy/hdrs/HTTP.cc +++ b/proxy/hdrs/HTTP.cc @@ -976,6 +976,9 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const GETNEXT(done); goto parse_method1; } + if (!ParseRules::is_token(*cur)) { + goto done; + } method_start = cur; GETNEXT(done); parse_method2: @@ -983,6 +986,9 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const method_end = cur; goto parse_version1; } + if (!ParseRules::is_token(*cur)) { + goto done; + } GETNEXT(done); goto parse_method2; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b0d8e2a5/proxy/hdrs/HdrTest.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HdrTest.cc b/proxy/hdrs/HdrTest.cc index 1e48912..b254a86 100644 --- a/proxy/hdrs/HdrTest.cc +++ b/proxy/hdrs/HdrTest.cc @@ -977,6 +977,11 @@ HdrTest::test_http_hdr_print_and_copy() status = test_http_hdr_null_char(i + 1, tests[i].req, tests[i].req_tgt); if (status == 0) ++failures; + + // Parse with a CTL character in the method name. Should fail + status = test_http_hdr_ctl_char(i + 1, tests[i].req, tests[i].req_tgt); + if (status == 0) + ++failures; } return (failures_to_status("test_http_hdr_print_and_copy", failures)); @@ -1145,6 +1150,8 @@ done: } } +/*------------------------------------------------------------------------- + -------------------------------------------------------------------------*/ int HdrTest::test_http_hdr_null_char(int testnum, const char *request, const char * /*request_tgt*/) @@ -1156,12 +1163,12 @@ HdrTest::test_http_hdr_null_char(int testnum, char cpy_buf[2048]; const char *cpy_buf_ptr = cpy_buf; - /*** (1) parse the request string into hdr ***/ hdr.create(HTTP_TYPE_REQUEST); start = request; + if (strlen(start) > sizeof(cpy_buf)) { printf("FAILED: (test #%d) Internal buffer too small for null char test\n", testnum); return (0); @@ -1171,7 +1178,6 @@ HdrTest::test_http_hdr_null_char(int testnum, // Put a null character somewhere in the header int length = strlen(start); cpy_buf[length/2] = '\0'; - http_parser_init(&parser); while (1) { @@ -1188,6 +1194,49 @@ HdrTest::test_http_hdr_null_char(int testnum, /*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ +int +HdrTest::test_http_hdr_ctl_char(int testnum, + const char *request, const char * /*request_tgt */) +{ + int err; + HTTPHdr hdr; + HTTPParser parser; + const char *start; + char cpy_buf[2048]; + const char *cpy_buf_ptr = cpy_buf; + + /*** (1) parse the request string into hdr ***/ + + hdr.create(HTTP_TYPE_REQUEST); + + start = request; + + if (strlen(start) > sizeof(cpy_buf)) { + printf("FAILED: (test #%d) Internal buffer too small for ctl char test\n", testnum); + return (0); + } + strcpy(cpy_buf, start); + + // Replace a character in the method + cpy_buf[1] = 16; + + http_parser_init(&parser); + + while (1) { + err = hdr.parse_req(&parser, &cpy_buf_ptr, cpy_buf_ptr + strlen(start), true); + if (err != PARSE_CONT) + break; + } + + if (err != PARSE_ERROR) { + printf("FAILED: (test #%d) no parse error parsing method with ctl char\n", testnum); + return (0); + } + return 1; +} + +/*------------------------------------------------------------------------- + -------------------------------------------------------------------------*/ int HdrTest::test_http_hdr_print_and_copy_aux(int testnum, http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b0d8e2a5/proxy/hdrs/HdrTest.h ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HdrTest.h b/proxy/hdrs/HdrTest.h index 1cf19d8..17fc16e 100644 --- a/proxy/hdrs/HdrTest.h +++ b/proxy/hdrs/HdrTest.h @@ -75,6 +75,8 @@ private: const char *rsp_tgt); int test_http_hdr_null_char(int testnum, const char *req, const char *req_tgt ); + int test_http_hdr_ctl_char(int testnum, + const char *req, const char *req_tgt); int test_http_hdr_copy_over_aux(int testnum, const char *request, const char *response); int test_http_aux(const char *request, const char *response); int test_arena_aux(Arena * arena, int len);
