[jira] [Commented] (TS-3202) HTTP Parsing should not allow CTL characters in the method

Tue, 18 Nov 2014 09:13:11 -0800 

    [ 
https://issues.apache.org/jira/browse/TS-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216441#comment-14216441
 ] 

ASF GitHub Bot commented on TS-3202:
------------------------------------

GitHub user shinrich opened a pull request:

    https://github.com/apache/trafficserver/pull/149

    TS-3202: Fail the parse if a CTL character is found in the method.

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-3203

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/149.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #149
    
----
commit f4022685e9df37e215db4df9bcc2196af97933b2
Author: shinrich <[email protected]>
Date:   2014-11-18T17:03:22Z

    TS-3202: Fail the parse if a CTL character is found in the method.

----


> HTTP Parsing should not allow CTL characters in the method
> ----------------------------------------------------------
>
>                 Key: TS-3202
>                 URL: https://issues.apache.org/jira/browse/TS-3202
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>
> http_parser_parse_req() will mark a series of bytes as a correctly parsed 
> HTTP request if it meets the following constraints.
> <bytes excluding white space>+  <white space>+ <bytes excluding white 
> space>+\n
> The first set of bytes is the method.  The current code will match a bunch of 
> control characters as a valid method (found via a case in production).  
> Assuming the second set of bytes does not contain a valid domain name, the 
> processing will eventually fail and return to the client a message about not 
> being able to resolve the DNS address, which is confusing.
> Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for 
> what characters can form a method token.  From my reading, a method can be 
> any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), 
> and any character but white space and control characters are allowed to be in 
> a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).
> To improve the accuracy of our processing (and the accuracy of our error 
> messages), I'd like to change the parsing of the method token in 
> http_parser_parse_req() to restrict control characters from the method token 
> as well as the white space characters. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to