Gergely Farkas created THRIFT-5730:
--------------------------------------

Summary: header parsing issue in C++ implementation of THttpServer
Key: THRIFT-5730
URL: https://issues.apache.org/jira/browse/THRIFT-5730
Project: Thrift
Issue Type: Bug
Components: C++ - Library
Reporter: Gergely Farkas

The _THRIFT_strncasecmp(header, <header name constant>, sz) == 0_ condition used in the _THttpServer::parseHeader()_ function returns true even if the name of the header being processed is a prefix of the header constant that is defined in the condition. For example, when processing the HTTP header line "_con: 123_", we enter the code fragment where the _Content-length_ header content is processed, because the condition _THRIFT_strncasecmp("con: 123", "Content-length", 3) == 0_ is true, since the first 3 characters of the two strings are the same.

The same is true for the _strncmp(header, "X-Forwarded-For", sz) == 0_ condition, where the header line "X: 127.0.0.1" may hide the Origin if the client sends that after the _X-Forwarded-For_ header (and the proxy does not change the header order).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
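
The comparison described in the report, next to a length-checked variant, as an added example that is not Thrift's code or its fix. The function names are hypothetical, `ci_ncmp` is a stand-in assumed to behave like `THRIFT_strncasecmp`, and `sz` is assumed to be the number of bytes before the first `:`; the same length check applies to the case-sensitive `strncmp` condition.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Stand-in for THRIFT_strncasecmp (assumption: POSIX strncasecmp semantics).
static int ci_ncmp(const char* a, const char* b, std::size_t n) {
  for (std::size_t i = 0; i < n; ++i) {
    int ca = std::tolower(static_cast<unsigned char>(a[i]));
    int cb = std::tolower(static_cast<unsigned char>(b[i]));
    if (ca != cb) return ca - cb;
    if (ca == 0) break;  // both strings ended before n bytes
  }
  return 0;
}

// Condition as reported: only the first sz bytes are compared, so a header
// name that is a prefix of the constant is accepted as that header.
bool matches_prefix_only(const char* line, const char* name) {
  const char* colon = std::strchr(line, ':');
  if (!colon) return false;
  std::size_t sz = static_cast<std::size_t>(colon - line);
  return ci_ncmp(line, name, sz) == 0;
}

// Hardened variant: the received name must also be exactly as long as the
// constant, which rejects prefixes and empty names.
bool matches_exact(const char* line, const char* name) {
  const char* colon = std::strchr(line, ':');
  if (!colon) return false;
  std::size_t sz = static_cast<std::size_t>(colon - line);
  return sz == std::strlen(name) && ci_ncmp(line, name, sz) == 0;
}

int main() {
  // Constructed header lines; the first and third are taken from the report.
  const char* lines[] = {"con: 123", "Content-Length: 42", "X: 127.0.0.1"};
  const char* names[] = {"Content-length", "Content-length", "X-Forwarded-For"};
  for (int i = 0; i < 3; ++i) {
    std::printf("%-20s vs %-16s prefix-only=%d exact=%d\n", lines[i], names[i],
                matches_prefix_only(lines[i], names[i]),
                matches_exact(lines[i], names[i]));
  }
  return 0;
}
```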