Susan Hinrichs created TS-3202:
----------------------------------

             Summary: HTTP Parsing should not allow CTL characters in the method
                 Key: TS-3202
                 URL: https://issues.apache.org/jira/browse/TS-3202
             Project: Traffic Server
          Issue Type: Bug
            Reporter: Susan Hinrichs


http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP 
request if it meets the following constraints.

<bytes excluding white space>+  <white space>+ <bytes excluding white space>+\n

The first set of bytes is the method.  The current code will match a bunch of 
control characters as a valid method (found via a case in production).  
Assuming the second set of bytes does not contain a valid domain name, the 
processing will eventually fail and return to the client a message about not 
being able to resolve the DNS address, which is confusing.

Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what 
characters can form a method token.  From my reading, a method can be any token 
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any 
character but white space and control characters is allowed to be in a token 
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).

To improve the accuracy of our processing (and the accuracy of our error 
messages), I'd like to change the parsing of the method token in 
http_parser_parse_req() to restrict control characters from the method token as 
well as the white space characters. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
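
The two method-token rules discussed in the report, side by side, as an added example that is not part of the original message and not Traffic Server's code. The function names are hypothetical, white space is assumed to mean SP and HT, and the request lines are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative helpers only; names and structure are hypothetical,
 * not Traffic Server code. White space is assumed to be SP and HT. */
static int is_ws(unsigned char c)  { return c == ' ' || c == '\t'; }
/* CTL per RFC 2616 section 2.2: octets 0-31 and DEL (127). */
static int is_ctl(unsigned char c) { return c < 32 || c == 127; }

/* Current rule as described: method = 1+ non-white-space bytes followed by
 * white space. Returns the method length, or 0 if nothing matches. */
size_t method_len_lax(const char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != '\n' && !is_ws((unsigned char)buf[i]))
        i++;
    return (i > 0 && i < len && is_ws((unsigned char)buf[i])) ? i : 0;
}

/* Proposed rule: same scan, but a CTL byte inside the method rejects it. */
size_t method_len_strict(const char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && !is_ws((unsigned char)buf[i])) {
        if (is_ctl((unsigned char)buf[i]))
            return 0;
        i++;
    }
    return (i > 0 && i < len) ? i : 0;
}

/* Constructed sample request lines (not captured traffic). */
static const char GOOD[] = "GET http://example.com/ HTTP/1.1\n";
static const char CTLS[] = "\x01\x02\x03\x04 not-a-host\n";
static const char DEL[]  = "GE\x7fT / HTTP/1.1\n";

int main(void)
{
    const char *name[] = { "GOOD", "CTLS", "DEL" };
    const char *in[]   = { GOOD, CTLS, DEL };
    size_t n[] = { sizeof GOOD - 1, sizeof CTLS - 1, sizeof DEL - 1 };
    for (int k = 0; k < 3; k++)
        printf("%-4s lax=%zu strict=%zu\n", name[k],
               method_len_lax(in[k], n[k]), method_len_strict(in[k], n[k]));
    return 0;
}
```

With the strict rule the control-character line is rejected at the method token, so the failure can be reported as a malformed request instead of surfacing later as a DNS resolution error.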